As the financial data of consumers becomes increasingly digital, the opportunity for cybercrime has followed close behind. It therefore remains paramount to the interests and reputation of financial institutions that such sensitive data is protected from every angle, and at all cost.
Ton Diemont leads the Cyber Security practice at KPMG in Saudi Arabia. Here he examines the current levels of cybercrime facing banks and financial institutions during the global pandemic, and offers a practical approach to thwarting such attacks on data.
In the wake of the sudden and massive shift to remote working accelerated by the Covid-19 pandemic, cybersecurity has been placed among the top concerns and considerations for governments, corporates, and banks. Protecting the internal and external cloud space is key in a cyber world reshaped by the pandemic. As cyber is a wide subject, we will focus here on its implications for the banking sector.
The cybersecurity landscape is rapidly evolving, and there are several key developments that are shaping cyber in the banking sector. In line with the acceleration of digitalisation, the prevalence of cybercrime has increased during the Covid-19 pandemic. For banks, the threat is pronounced and growing.
Open banking is a practice that provides third-party financial service providers open access to consumer banking, transaction and other financial data from banks and non-bank financial institutions using application programming interfaces (APIs). It also allows for greater financial transparency for customers and uses open source technology to build the cybersecurity ecosystem. At each level, cybersecurity measures and policies will determine the success of open banking.
SAMA Open Banking Initiative
In a January 2021 policy paper, the Saudi Central Bank (SAMA) announced that it is developing an “open banking initiative” intended to help shape the rules around open banking and promote its healthy use as the fintech sector develops. SAMA plans to “go live” with open banking during the first half of 2022, after its design and implementation phases are complete.
As stakeholders in Saudi Arabia develop their own open banking initiatives, they should recognise the importance of security. All third-party providers have to comply with regulator and bank data protection rules, which should be focused on customer privacy protection. The provider must inform the bank and the customer what data it intends to use and how it will use it, as well as how long it will remain within their system.
Internal Risks and Cyber in the Audit (CitA)
Cyber in the Audit (CitA) provides a framework and guidance for a structured approach and risk-based decision-making for assurance. Traditionally, auditors have tested their clients’ general IT controls (GITCs). However, as risks evolve, so too does the role of the auditor. Just as an IT audit supports a financial audit by testing automated controls, CitA supports the IT audit by testing the cybersecurity measures in place to prevent an attack on the bank’s IT system.
The emphasis of CitA is a forward-looking approach in which the controls are designed to provide assurance over the IT dependencies that a bank relies upon. It gives insight into a bank’s cybersecurity controls and sets out, in case of a cyberattack or compromise, what steps need to be taken to respond and recover.
Whether a bank started its privacy journey because of a regulation or as an initiative, privacy is now firmly a sector-wide priority. Banks must chart a plan that not only encompasses the immediate regulatory challenges, but also a plan for a shifting regulatory climate and consumer expectations of greater individual control of data.
In creating a sustainable and effective data protection strategy, companies should develop a solid framework of best practices and infuse those practices – both procedurally and culturally.
While data should be viewed as a valuable asset, it’s what a bank does with the data that gives it value – like creating better customer experiences and offering customised products. Additionally, businesses that proactively manage and protect personal data the way users expect will come out ahead of their competition.
Banks will have to better understand their data practices and the impact of new regulations on their business strategies and business models. Waiting until the last minute is not a viable option, because the goal is building customer trust and loyalty.
Conclusion – Best Precaution: Simulating Potential Cyber Attacks
Though better prepared than most sectors, the banking sector still lags behind the cyber threat landscape. Hackers will find opportunities to exploit flaws in the way banks currently fund, manage, enable, organise and implement their information protection capabilities. Thus, it is important to stay ahead of the threat by testing what your defences are capable of.
The best approach for banks will be to simulate potential cyber-attacks as real attackers would carry them out (including phishing and malware), testing the Tactics, Techniques, and Procedures (TTPs) in use, as well as the overall incident response and threat management.