 |
| Technology Risk Management in Banking Sector |
Introduction
Bank risk
management operations would probably need to change significantly from how they
are now by 2025, with a particular emphasis on technology risk management. As
difficult as it may be to believe, risk management may undergo a greater change
in the coming ten years than it did in the previous ten. Banks risk being
overtaken by the new expectations and responsibilities they will encounter if
they don’t start to take action now and get ready for these longer-term
developments.
In light of cyberattacks, technology risk management has
become challenging. Due to the potentially catastrophic effects of these attacks,
most institutions have already prioritized defense against them as a major
strategic objective. This is partly because banks rely so heavily on software,
systems, information technology (IT), and data, but it’s also because these
attacks put at risk both the operations of the banks and sensitive client data. We anticipate cybersecurity to only grow in importance and need an
even bigger deployment of resources at the individual-institution level, as
well as a far greater level of cross-industry and industry-government
engagement, given the current geopolitical situation and its expected
evolution. To handle and monitor these developing risks, risk functions
(technology risk management) will probably need new capabilities and
procedures.
IT-data
infrastructure in technology
risk management
Although there are
many possible configurations for supporting IT infrastructure and data, the
most recent developments tend to favor “two-speed architectures” and
data lakes. A two-speed architecture separates the bank’s IT architecture into
a flexible, agile front-end that serves customers and a slower, more dependable
back end (such as the bank’s core IT systems, which are frequently outdated
systems). All sorts of data, both structured and unstructured, internal and
external, are collected and stored in a data lake. No specific guidelines must
be followed while entering data into the bank (as would be required of data
entering an enterprise data warehouse). Instead, when the data is extracted
from the lake, the users themselves set the rules. The data lake offers banks a
breakthrough that enables them to exploit their data for numerous purposes,
ranging from marketing to risk to finance, by combining this flexibility with
Google-like search capabilities. Banks can employ big data tools for
complicated data exploration and analysis because of the system’s flexibility
and range of capabilities. It is anticipated that large expenses will be needed
to achieve the target condition, particularly in terms of systems and
infrastructure. The cost pressures discussed above would likely make this task
a nontrivial issue, despite the fact that staying ahead of the competition is
likely to make such investments crucial. Because they can’t or won’t make these
investments, certain banks will most likely fall behind.
Banks operate in a dynamic environment characterized by increasing
consumer demands, a dynamic economic environment, a broader breadth and greater
severity of industry regulation, and the leveraging of technological innovation
while remaining alert to shifting IT threats. Additionally, the banking
industry must maximize shareholder value while maintaining the financial
stability of the global economy through fairer business practices and greater
transparency.
Due to the fact that IT risks supporting the business tasks provided
by banks, supervisors and regulators have continued to suggest ways to improve
international banking practices, such as governance and advice for IT risk
management.
Numerous clients of one of the biggest banks in Pakistan claimed
to have lost money as a result of unauthorized bill payments, internet
purchases, and bank transfers. The bank staff explained to the upset customers
that there were issues with their services and that the bank was working hard
to fix them. The following cyberattacks against Pakistani banks have been
documented in reports that have appeared in Pakistani media.
A cyberattack on the National Bank of Pakistan (NBP)
According to a statement released by the National Bank of Pakistan (NBP) on Saturday, the bank’s services have been affected by a
cyberattack but are expected to be restored by Monday as reported by the daily Dawn.
The statement read, “A cyberattack on the NBP’s systems
was identified in the late hours of the 29th and early hours of the 30th of
October 2021, which disrupted certain of its services.”
The affected systems were immediately isolated, and it was added.
No consumer or financial information has been exposed yet.
The bank stated that remediation activities were in
progress and were being supported by industry-leading subject matter experts
and, when necessary, worldwide resources.
While the NBP’s customer services are now interrupted, we are
working to rectify the breach and are optimistic that critical customer
services will be restored by Monday morning, according to a statement from the
NBP.
It said, “We appreciate our consumers’ patience
throughout this unique scenario… The State Bank of Pakistan (SBP) tweeted
that an investigation was ongoing after NBP reported a cybersecurity incident.
The SBP stated that “NBP has not seen any data breach or
financial loss,” noting that no other bank had made a similar report.
On November 1st, 2021, a different newspaper reported the very
same story. On Monday, some false information about cyberattacks on banks was
making the rounds, including some statements ascribed to SBP Chief Spokesman
Abid Qamar. On Monday night, the central bank issued a statement on its
official Twitter account saying, “According to these fake reports, 9 banks
have been affected by the attack, and that money has been withdrawn and data were taken.”
SBP rejects these rumors, it added.
On May 8, 2022, the News reported that just before Eid ul-Fitr, an
online debit card scam targeted customers from three private banks. The victims
complained to the FIA’s (Federal Investigation Agency) cybercrime division.
Hundreds of customers of one of
Pakistan’s largest banks reported that they had lost money through unapproved
bank transfers, bill payments, and online purchases. The bank staff informed the
irate clients that their services were experiencing problems and that the bank
was working hard to resolve the problems. Customers also stated that their
cards were disabled. So far, the affected banks and authorities have been
unable to pinpoint the cause of the data breach. It could be a technical glitch
or the result of online fraud.
The most likely explanation is
debit card fraud by bugging ATMs. When debit cards are entered into a machine,
the information on them is replicated. The card’s key pins are obtained using
key loggers. The cards are then utilized for internet-based transactions.
Saam news published another story about cybercrime on July 13, 2022. According to an examination by Pakistan’s Computer Emergency
Response Team, PakCERT, information from 19,864 cards belonging to clients of
22 Pakistani banks has been offered for sale on the dark web. Midway through
October, some Bank Islami customers received SMS messages warning them of
transactions (money withdrawals), which they didn’t complete. On October 27,
Bank Islami banned its foreign payment scheme after noticing irregular
transactions totaling Rs. 2.6 million. The Bank Islami payment network and the
global payment system were both vulnerable due to a well-planned cyberattack.
These transactions were carried out by hackers using bank-issued cards at
foreign ATMs. Following this occurrence, the central bank gave orders to all
commercial banks to safeguard the integrity of all national payment cards and
keep an eye on card usage, particularly for transactions outside of the
country. The data of almost 20,000 debit cards were compromised, according to
PakCERT’s investigation into the cyberattack; this may also account for the messages
some of you have recently received from your banks informing you that your card
has been blocked for international transactions for security reasons.
Boards’ risk-related responsibilities at financial services
companies
The performance of a financial institution is based on the
reliability and security of its technology. System outages can hinder a
business and its clients. The company depends on precise and timely data.
Institutions must make strategic decisions about which technologies to accept
and which to shun in light of the rapidly evolving technological world. Unauthorized
transactions or processing mistakes may result from technologies with poor
controls, especially in absence of technology risk management. And regulators around the globe continue to
focus not only on safety and soundness but also on compliance with
country-specific laws and regulations for better technology risk management.
The same rules that apply to other risks apply to boards’
oversight of IT risk as well. The senior executive team, which includes the
chief information officer (CIO), chief risk officer (CRO), and chief technology
officer (CTO), as well as a large group of responsible managers from across the
firm, are ultimately responsible for the efficient management and governance of
IT risk. Leaders in financial organizations must all be aware of IT risk and
the tools at their disposal to ensure it is properly addressed. This paper
outlines specific IT risks that boards of financial institutions should take
into account and offers tactics they may use to effectively monitor them.
Technology risk management framework
by the SBP
When technology usage and
dependence are not adequately managed, they may aggravate technology risks as
technology becomes an increasingly important component of the operations and
business of financial institutions. In order to keep up with the aggressive and
widespread adoption of technology in the financial services industry and
subsequently strengthen the existing regulatory framework for IT risk
supervision, SBP developed the framework for “Information Technology
Governance & Risk Management in Financial Institutions” with a vision
to provide baseline technology governance and technology risk management
principles to the financial institutions. The COBIT framework is the main
inspiration for the framework. The complete enterprise risk management
program for financial institutions must be integrated with this
framework. SBP anticipates that Financial institutions will be equipped with the knowledge and
abilities required to comprehend and successfully manage technology risks.
These institutions must use an integrated risk management strategy to
recognize, quantify, track, and manage risks.
Responsibilities of the Board of Directors
Approve overall Enterprise IT strategy, approve an IT
governance framework, ensure that effective IT risk management and internal
controls functions approve all IT Management and Information/cyber Security
policies, oversee a safe, sound, controlled and efficient IT operating
environment, review, approve and monitor IT projects, ensure maintenance of an
independent and effective IS audit function, review and approve the IT related
policies including Disaster Recovery and Business Continuity Plans, and ensure
resources gap (people, process & technology) identified by the management are
adequately and timely fulfilled.
Responsibilities of Senior Management
Implement the IT strategy approved by the BOD, establish
an efficient and effective IT organization structure and approve, ensure
implementation of IT risk management and internal control functions to achieve
security, reliability, resilience and recoverability, Implement BOD approved IT
Management and Information Security Policies, ensure that FI’s risk management
policy incorporates IT-related risks, monitor implementation of the IT
Governance program, ensure that risk management strategies are designed and
implemented to achieve resilience, such as the ability to effectively respond
to wide-scale disruptions, including cyber-attacks and attacks on multiple
critical infrastructure sectors, Periodically inform BOD on the latest
developments on cyber security action plan, its implementation status and a
summary report on major threats and attacks faced by the institution and their
possible impact on its operations on periodical basis, ensure that the
documented Standard Operating Procedures are in place and are effectively
followed in letter and spirit in all areas of IT Operations, ensure that
FI(s)’s physical infrastructure is adequate to accomplish the strategic plans
of the organization, ensure capacity building of the personnel to achieve
desired service delivery and operational excellence, select IT solutions that
can meet strategic requirements with minimum resources, ensure that IT projects
support business objectives and adequate resources are available to complete
these projects, ensure that risks related to IT projects are appropriately
managed, ensure that an effective monitoring mechanism is in place to evaluate
the design of IT projects and oversee the related operations and activities, monitor
implementation of outsourcing process to identify, measure, monitor, and
control the risks associated with IT-related outsourcing arrangements, develop,
conduct, document and maintain BCP and the testing program, identify resources
gap (people, process & technology) and take adequate steps to fill the
gaps.
Risk Management Process & Risk Identification
FI(s) shall determine threats and vulnerabilities to
its IT environment, which comprises the internal and external networks,
hardware, software, applications, databases, systems interfaces, operations,
data centers, and human elements. FIs shall execute quarterly software
vulnerabilities identification operations across the entire institution covering
all IT systems and supporting infrastructure assets (Networks, PCs, Laptops,
servers, operating systems, software, applications, and databases). On the
basis of threats and vulnerabilities, the FI(s) shall formulate a list of all
risks that may create severe harm and disruption to the operations of FI(s).
After risk identification, the FI(s) shall perform an
analysis and quantification of the potential impact and consequences of
identified and unidentified vulnerabilities and associated risks on the overall
business and operations. FI(s) shall develop a threat and vulnerability matrix
to assess the impact of the threat on its IT environment, which will also
assist the FI(s) in prioritizing IT risks.
FI(s)
shall develop and implement risk mitigation and control strategies that are
consistent with the value of the information system assets and the level of
risk tolerance. FI(s) shall give priority to threat and vulnerability pairings
with high-risk ranking, which can cause significant harm or impact the FI’s
operations. FI(s) shall assess its risk tolerance for damages and losses in the
event that a given risk[1]related
event materializes. When deciding the adoption of alternative controls and
security measures, the FI(s) shall also keep in view the costs and effectiveness of
the controls with regard to the risks being mitigated. FI(s) shall refrain from
implementing and running a system where the threats to the safety and soundness
of the IT system cannot be adequately controlled. As a risk-mitigating measure,
the FI(s) may consider taking insurance cover for various insurable risks,
including recovery and restoration costs.