Every business today is at risk of a cyber attack, but perhaps nowhere are the stakes higher than in the financial and banking sector.
Cyber attacks can cause substantial financial losses for banks and customers. Banks also stand to suffer significant reputational damage as a direct consequence of a data breach, leading to a progressive erosion in customer trust, competitive advantage and a narrowing of future sources of revenue.
How can banks better protect their critical IT infrastructure and, by extension, their customers’ data at a time when cyber criminals are becoming more resourceful, sophisticated and finding innovative ways to identify and exploit vulnerabilities?
This question was at the forefront of a recent workshop hosted by the UAE Banks Federation in Abu Dhabi to promote cyber security awareness among information security officers of its member institutions. The workshop sought to present a holistic picture of how banks can mount an enterprise-wide approach to cyber security.
The first step in the cyber security journey is to create a comprehensive policy governance framework, experts at the workshop said. The framework must not be riddled with high-level objective statements, but instead lay out the policy direction in clear, concise and granular details.
Management buy-in is crucial and the policy itself must be aligned with multiple considerations, such as applicable regulatory requirements, global best practices and an understanding of the evolving threat landscape.
A major priority for banks is adherence to compliance requirements. Building a unified compliance framework can significantly help to meet regulatory requirements. The policy can be mapped against various regulatory requirements and controls can be selectively implemented based on applicable regulations.
Real-time cyber security monitoring, which also involves the detection of security activities that are triggered by devices and applications across the bank’s network, has a major role to play in ensuring brand protection and integrity.
Application security, threat intelligence and vulnerability management programmes help identify potential weaknesses in IT and digital assets and reduce the overall cyber security risks to an acceptable level.
No less important is the need to put together a well-structured identity and access to a management and governance framework to manage identities that work on various business applications and support the bank in providing customer services.
This is pivotal for controlling user access and ensuring that only data that is necessary and relevant based on a job role is accessible to an authorised user.
Data protection and privacy is another key area. In the wake of stringent privacy laws enacted around the world, privacy has become an increasingly pressing concern due to data residency regulation.
For banks, protecting customers’ sensitive information is a fundamental, non-negotiable priority due to its inherent value. The success or failure of a bank can depend on how well it is able to manage data confidentiality.
Today, regulators are pushing the sector into open banking standards, which empowers customers by giving them access to their data not only through bank channels, but also third-party apps.
This brings in a new dimension of security and privacy concerns for customer data that flows from the institution to the app providers.
Cloud computing systems offer numerous benefits, such as work from home or remote working capabilities, which have provided cyber resilience to business operations. However, the migration of financial services to the cloud brings security risks and a major one relates to data residency.
A recent McAfee report found there were no less than 3.1 million external attacks on cloud user accounts in the fourth quarter of 2020.
It’s essential that information security officers at financial institutions put in place effective cyber security incident response, crisis management and business continuity plan that outline procedures to follow in the face of an unplanned disruption in critical service. The plan should also identify the processes and resources needed to build sufficient business resilience and capability for an effective response.
The important thing to remember is that each of these should be approached with a broad, long-term perspective. All systems and processes must be sustainable and amenable to scaling up to accommodate future requirements and keep pace with the increasing volume and velocity of cyber attacks.
Financial institutions are increasingly outsourcing operations for product enhancement, cost optimisation and to be quick to the market.
However, this creates third-party risk, or supply-chain risk. Trends in developed economies indicate that attackers often exploit vulnerabilities in supply-chain vendors to reach the target’s core systems. Financial institutions must, therefore, build controls around vendor risk management to handle these threats.
Cyber criminals are in for the long haul and our response to the threat they pose must be on similar lines. Financial institutions must develop people, processes and technology to assess risk and build controls that are commensurate with the organisation’s risk appetite.
Pillairkulam Parthasarathy is chairperson of UAE Banks Federation's information security committee.