The looming threat of future technologies
It feels as though cyber risk has crept up on us without warning and with great intensity.
We have come a long way from the days when our palm pilots had to be hot-sync’d through a docking station and the occasional hazard was from viruses transmitted as email attachments. Over the years, we have embraced extreme connectivity combined with extreme automation in a never-ending drive towards convenience and cost-efficiency.
However, even as banks continue to nudge, cajole (and perhaps occasionally threaten) their customers towards impersonal e-channels, we learn about record amounts of losses from online fraud and theft. Furthermore, all of us -- not just the specialists -- are asked to act as conscription soldiers in the fight against this threat.
According to a report by Accenture, almost eight out of ten business leaders believe that they are adopting new technologies faster than they can address related security issues. It also estimates that nearly $350 billion of value could be lost by the banking sector to cybercrime in the next five years.
Publicly-known examples across various sectors include the NotPetya cyber attack on the shipping Group Maersk, the WannaCry attack on the British National Health Service (NHS), the theft of reserves from Bangladesh central bank via the SWIFT network, and the hacking of confidential data from Sony Film Studios.
With more of our devices integrated through “the internet of things” and more of our services provided by an assemblage of outsourced specialists, there are simply more points of entry for potential attacks or lapses. With a wide diversity of digital maturity, capability and habits of “cyber hygiene” amongst us, system resilience could be compromised by the weakest link. This was illustrated using a Bangladeshi cultural metaphor in a Dhaka Tribune article by Husna Siddiqi.
At the same time, the backdrop for international cooperation amongst authorities appears particularly bleak. Back in April 2009, at the height of the global financial crisis, governments of the G20 came together with a robust, comprehensive and effective plan of action. By contrast, with alleged state involvement in certain attacks, countries operate as “frenemies” with a guarded stance on issues of cyber.
There is a conflict between the need for the seamless sharing of threat-intelligence on the one hand, and the desire to localize data within national borders on the other. There may also be cultural differences in attitudes towards citizens’ privacy vis-à-vis the state. Finally, cyber threats appear to be highly dynamic as attackers and harness digital tools with great agility. It is possible, for example, for quantum computing to make it easier to break current encryption methods.
This landscape of a rough neighbourhood coupled with a seemingly underdeveloped security apparatus at the international level poses new challenges of risk management for the financial services sector. A cyber event could trigger a loss of confidence, possibly through compromising the integrity of data on which the flow of finance relies. It could in turn trigger bank runs, liquidity freezes, or jumps in market prices.
Quantifying cyber risk is difficult. Any rigorous process requires data (internal and external), assumptions and subjective estimates made by a risk committee. That is why, the qualitative aspects of the approach and framework are so important. As is the need to perform table-top war games.
Regulators expect that institutions would build systems that are “secure by design” with an emphasis on resilience against threats rather than compliance to a standard checklist. The roles and responsibilities of members of the board, senior management, and other key posts must be articulated explicitly and without ambiguity. Staff in cyber-related functions must have the required capabilities. Some jurisdictions have implemented specific cyber-certifications.
There is ample spotlight on the contractual framework and governance of outsourcing activities, seeking to ensure that nothing falls through the cracks. Regulators are also keen to calibrate the regulatory burden to the size and significance of the service provider so as not to discourage innovation by fin-tech start-ups.
For large traditional banks, the organizational design and cultural slant towards cyber risk is still work in progress. Should compliance officers sit with operations or the legal department?
Does the chief information security officer (CISO) have the required seniority or stature within the organizational chart?
Does he or she come from a technology, legal, or crime-enforcement background?
Do the board and senior management appreciate that new products, markets, or cost-reduction measures must be road-tested against their impact on cyber risk, or is that an after-thought?
How is information shared between banks and regulators? According to the BIS (2018), “full adoption of all types of information-sharing arrangements within a jurisdiction is still exceptional.”
Finally, banks need to refine their vocabulary of controls, risk classification, and indicators. There need to be detailed plans for response and recovery from cyber incidents, policy around password and encryption, and review of near-misses.
Unfortunately, cyber risk is here to stay. The sooner we can adopt a shared language, a convergent framework, and an elevated awareness of this risk including at the level of the board, the better prepared we would be to strengthen our defence and resilience to this risk.
Lutfey Siddiqi is an Adjunct Professor at National University of Singapore and a Distinguished Fellow at Policy Research Institute, Bangladesh. The op-ed is based on the remarks at the World Economic Forum Annual Meeting on Cybersecurity, held November 12-13, 2019 where he chaired two sessions.