Googling “banking cyber threats 2019” yields 25.4 million results in a matter of 0.57 seconds. Is that alarming or fantastic?
It’s fantastic because it suggests there is no shortage of people willing to talk about cyber threats any day of the year. It’s alarming because there is no shortage of people warning about the reality of the threat.
Kaspersky Labs warns that “the activity of cybercriminals in Indo-Pakistan region and South-East Asia is constantly growing: the immaturity of protective solutions in the financial sector and the rapid spread of various electronic means of payment among the population and companies in these regions are contributing to this. Now, all the prerequisites exist for the emergence of a new center for financial threats in Asia.”
Fintech Innovation spoke to Serkan Cetin, regional manager, Technology & Strategy at One Identity APJ, to take his view on heightened risks the financial services industry faces, the mentality that pervades leadership at these institutions, the blatant practice of ignoring risks in favor of new business models and innovation, and the role of regulation in keeping cyber threats at bay.
Are current risk management strategies and postures at financial institutions adequate to meet the heightened risk associated with cyber threats?
Serkan Cetin: While financial institutions have armed themselves with tools to prevent themselves from falling prey to malicious actors, the fact is that threat vectors are constantly evolving and probing our systems to find any possible avenue to infiltrate them. The current risk management strategies and postures may be robust at the point of implementation, but they can also easily become obsolete if not updated to keep up with the evolving nature of the threats.
According to a recent study commissioned by One Identity, 14% of the cybersecurity professionals from FSIs stated that they are not confident at all that their organization will not get hacked due to an oversight in the access control program. Privileged Access Management is one of the many aspects of security that companies have to be concerned about, and a lack of confidence in this does not bode well for the organization in question.
In a similar vein, the Monetary Authority of Singapore has been making a series of cybersecurity mandates to ensure that Singapore-based FSIs are able to stand strong against attacks. Interestingly, two of the six conditions that FSIs have been required to abide by are restricting the use of system administrator accounts that can modify system configuration and strengthening user authentication for system administrator accounts on critical systems.
All of these measures point out the need to constantly enhance the security of FSIs’ systems in order to be ever ready for cyber threats.
Is understanding of risk awareness consistent across various levels of the financial organization – from board room down to field operations and back office?
Serkan Cetin: One surprising trend that we have noticed in our survey results was that in most cases, the management level had a bleaker outlook of their cyber hygiene practices than their executives, with 23% stating that they are not confident of not being hacked due to poor access controls, while only 17% of the executives shared the same sentiments.
While it is a good thing that the decision makers view cyber security as a serious matter and are very concerned by it, the inconsistency in confidence can be a worrying element.
The first line of defense of any organization is the teams dealing directly with back-end or operations, and a slip on their part can result in the organization paying a hefty price to the cyber terrorist. One example that comes to mind is the recent SingHealth breach, which went undetected for quite some time due to the oversight of an employee who had failed to report the case earlier.
Another worrying trend that we have uncovered is that almost 80% of FSIs are guilty of providing access to privileged information to third-party vendors and contractors. Despite the slew of data breaches that are greeting us with such growing regularity, it is truly surprising to learn that such a huge number of FSIs are still being careless on this front.
Companies should make it a point to invest time and effort in educating their employees on better cyber hygiene practices to ensure that they do not fall prey to the next big bad data breach that would be fueling news for the next few days.
Name the biggest misconception about risk management.
Serkan Cetin: It would have to be that being compliant is sufficient in ensuring your system is safe from threats. While being compliant is a good starting point, it does not imply that your system has the necessary tools to defend itself against the evolving threats. While you are innovating ways to defend yourself, malicious actors are also “innovating” the next new strain of virus that could possibly be lethal to your system.
It is crucial for companies to be up to speed on the different cybersecurity solutions, to periodically check on their cyber posture and to be aware of and prepared for the latest threats to come knocking. All of these steps should also be part of the risk management practice and should be regularly reviewed to ensure their applicability. What we may have thought was enough a year back might be obsolete now due to the changing nature of threats.
Arming yourself with tools to keep track of changes is a vital aspect that many overlook as well – companies should invest in risk intelligence and benchmarking tools as the first line of defense. After which, they can invest in the right security tools to circumvent attacks from hitting their systems.
Do people in financial institutions in Asia know the difference between risk management and cybersecurity management?
Serkan Cetin: While most are aware of the differences, there are a few cases where the lines get blurred, but thankfully, those cases are few and far between. In some instances, there are companies that are not fully aware of the different aspects of cybersecurity management and believe that having a risk management team is sufficient in ensuring that they are safe on the cyber front as well.
However, with the growing number of breaches and ransomware being reported on a global scale, more institutions are educating themselves on cybersecurity – in fact, in Asia alone, there have been numerous regulations being launched by governing bodies to safeguard FSIs from threats.
As cited earlier, the Monetary Authority of Singapore has been doing an excellent job on that front, and so are organizations such as the Reserve Bank of India.
With compliance regulations and numerous frameworks being launched on a national, regional and global level, there is definitely a growing understanding of the differences between these two, as more are required by their governing bodies to do so.
Is cyber and/or IT risk management the same as enterprise risk management?
Serkan Cetin: Cyber and IT risk management are definitely a subset of Enterprise Risk Management (ERM) but ERM consists of many other aspects as well. To put it simply, ERM is the process in which the organization maps out its financial, operational and strategic activities in order to minimize the impact risks have on the companies’ bottom line.
Of course, cyber attacks are a crucial risk that is mapped under ERM but the scope extends to activities such as human resources issues – such as strikes, or operational issues – such as fire breaking out in the facilities.
Among financial institutions in Asia, are the people/teams in cybersecurity the same people/teams in risk management? Should they be?
Serkan Cetin: In most instances, the individuals in the cybersecurity team are not the same ones in the risk management team, since the scope for the latter extends beyond issues surrounding cyber hygiene, but there is a growing number of cases where individuals belong to both teams – which is a good sign!
The risk management team should comprise members that are most attuned to a particular risk aspect – be it financial, operational, or cyber. Certain risks faced by the organization will also have a spillover effect on other areas as well – for instance, if your IT risk management team has uncovered that your system has severe issues with its access control program, this would hold risks for the operations and finance teams as well.
In the case where a malicious actor has managed to enter your system using the poor access controls, they can inject ransomware into the system that can essentially shut down the entire operation until a ransom has been paid.
In one go, they have managed to evoke the IT, financial and operational risks. By having experts from each of these fields in one team, the risk mapping will be much more robust, leading to a much more robust risk management plan as well – a clear win-win for the entire organization.