Digital Risk Management

If Covid has taught us anything, Cyber Security has been a challenge over the last eighteen months — Cybercrime cases accounted for 43% of crime in Singapore during the Pandemic of 2020. That was supposedly a 2020~2021 phenomena but As banks open up and revert to more Normal Business practices, Financial Institutions should be careful not to drop their guard when it comes to the management of Cybersecurity.

DIGITAL TO STAY

Infrastructure for payments in a society moving towards cashless transactions reduces costs, increases efficiency and improves overall accessibility for retail banking clients — The Global Digital Banking market is estimated to grow at a CAGR of 15.7% | BusinessWire

Mr Rehn | Governor of the Bank of Finland [LINK]

Beyond Digital Banking, the influx of new IT related banking products including but not limited to Crypto Currencies, BlockChain, Smart Contracts and Peet to Peer Financing platforms opens up an array of product related security challenges and new channels for the emergence of obscure risks that bankers are not going to be familiar with identifying or treating.

The Bank for International Settlements perceives Cybersecurity to be that big a problem they have taken to rewrite their famous Principles for the Sound Management of Operational Risk to include Cybersecurity. In fact, Cybersecurity is heavily featured in the guideline where as in the first release of the document, I am not even sure such language was used at all.

Cyber Security

The Bank For International Settlements also has guidance on what it labels "Cyber-Resilience" Range of Practices that don't just look at Cybersecurity from the perspective of Transactional Processes and Banking Products but summarizes the need to develop a Cyber-Security Workforce and for bankers to construct a Governance Process that can assess Third Party firms banks are working with and outsourcing business functions to, construes a major risk threat.

The BIS Publication also highlights that Global Practices are relatively immature, that Information Sharing isn't common and "no standard set of metrics has emerged yet". This year coming Causal Capital will work to develop a set of metrics that can be used to monitor Cybersecurity.

SAMPLE FRAMEWORKS

If we put the criticism from BIS to the side for a moment; there are a few Cybersecurity Frameworks out there which might be insightful including NIST that leaves a lot to be desired. COBIT is better and this is ISACAs contribution to what surmounts to the entire Management of Enterprise-Wide IT from a governance perspective and then there is ISO 27001.

The ISO community has also been evolving the Cybersecurity discipline through a subcommittee SC27 so that it can be more specific or as these people put it "maximize resources to deal with combatting real-time cyber threats".

One link worth taking a look at is the Top 25 Cybersecurity Frameworks published by Security Scorecard which goes out and lists the key features of twenty-five different framework publications.

CENTRAL BANKS

Perhaps a favorite guideline for me would be the recommended practices from the Saudi Arabian Monetary Authority with its roll your sleeves up approach to capture everything from Asset Management to Cybersecurity Architecture and even BYOD Policy. Actually, if you want to get down to it quickly and learn what's in scope for a comprehensive Cyber Security program, the central banks are a good place to start with your research.

Here are the guidelines from the Monetary Authority of Singapore — you could take three or four different regulatory documents and merge them into a master document for a super policy guideline on Cybersecurity. Why not develop a Best of Breed guideline from collaging regulatory briefs together by extracting the emphasis and unique focal points each regulator is asserting.