Cybersecurity risk management key to financial stability
In today’s rapidly advancing digitalized and globalized world, cybersecurity attacks are a question of ‘when’ not a question of ‘íf’ for financial institutions (FI) of all sizes in all markets across the globe. To build knowledge of best practices and raise awareness of the threats, IFC hosted a cybersecurity conclave for its financial institution clients in Mumbai on Dec 2, 2016.
With a flurry of recent attacks affecting the region, the event stressed that FIs need to act now to improve their cybersecurity postures. It highlighted that cybersecurity is no longer an individual FI risk management issue, it is a financial sector stability issue, and all institutions from large banks to small non-banking institutions are vulnerable; the sector is as strong as its weakest link. Ravi Kumar, Chief General Manager at Reserve Bank of India, observed that in regulating the stability of the financial sector, regulators have historically looked at “financial” soundness, but today “IT” must also be looked at as an area of focus. Speakers emphasized that IT is no longer an enabler, it’s the business; and cybersecurity risk management is a shared responsibility between the Business and IT.
Clients acknowledged that they faced formidable challenges in improving their security positions including a lack of strong board & management oversight; financial & human investments; combined with a need for fundamental awareness & knowledge. To highlight the magnitude of the problem, the speakers revealed alarming trends, such as today 75% of data breaches are detected externally through third parties or law enforcement; the average time to detect malicious activity stands at 170 days; and 84 million malware samples were released into the market last year.
The speakers also shared best practice approaches to strengthen cybersecurity postures, including the defense in depth method applying a three pronged approach: people, process, and technology. “It’s all about People, Processes and Technology to create true Defense in Depth; technology by itself cannot establish security,” said Shrimant Tripathy, Head of IT Risk & Security Advisory at the World Bank Group. The principle here is that it is more difficult to defeat a multi-layered defense system than to penetrate a single barrier.
In India, the RBI has taken cybersecurity risk management very seriously; looking at non-compliance in a focused manner; and investigating associating penalties in cases of violations. Mr. Kumar referenced some core practices that will be enforced including at the Board level at least one member will be required to be knowledgeable on the topic; the Board will be responsible for approving cybersecurity policies & procedures; and senior management will be required to be involved and informed about the institution’s IT and cybersecurity positions. “Senior management and the Board have a fiduciary responsibility to understand and oversee how their organizations are managing cybersecurity risks” said David Ray, Senior Officer of IT Risk and Security Advisory at the World Bank Group.
Overall, the event was very well received from participants, who valued IFC’s insights and encouraged further support in raising awareness & knowledge. Participants included senior IT Risk Managers from Indian and Sri Lankan financial institutions
To address current challenges, a near term action that Sharmila Hardi, Global Manager of Banking & SME at IFC’s Financial Institutions Group, recommended to the participants in her closing remarks to convene a forum to share information and leading practices at the national or regional levels by bringing together key stakeholders including regulators, bankers associations, financial institutions, and fintechs.
The cybersecurity event was supported by the government of Luxembourg.
Related Links:
News - New Age, Asian Age, bdnews24.com, banglanews24.com
Facebook - IFC South Asia: https://www.facebook.com/IFCsouthasia/
Twitter - @IFC_SouthAsia: https://twitter.com/IFC_SouthAsia
