Untitled Document

Monday, October 23, 2017 | MANILA, PHILIPPINES
Untitled Document
   banking report
Date posted: Monday, May 30, 2016 | Manila, Philippines

1st Quarter Banking Report (2016)

How banks can protect our money, post-heist

WHEN HACKERS break into a central bank and instruct no less than the Federal Reserve Bank of New York to move around funds -- and the Fed complies -- then the global banking community is in trouble.

That’s exactly what happened with Bangladesh Bank, which lost $81 million of its people’s money that was wired to four fictitious accounts in a branch of Rizal Commercial Banking Corp. (RCBC) at the Philippine financial capital of Makati. Within days, the money was funnelled to casinos, which remain outside the purview of the Philippines’ anti-money laundering agency.

According to cybersecurity firm FireEye, many banks in Asia remain vulnerable to cyber attacks using malware, which is a malicious software designed to gain access or damage a computer without the owner’s knowledge.

“Boards and CEOs need to improve their supervision of cyber security capabilities. Far too many organizations in Asia remain vulnerable to advanced attacks,” Bryce Boland, FireEye chief technology officer for Asia-Pacific, said in an e-mail to BusinessWorld.

In the case of the Bangladesh Bank cyber-heist, the hackers were suspected of stealing the central bank’s credentials for the SWIFT messaging system. So when the hackers sent the payment instructions, the New York Fed had no reason to doubt the authenticity of the fund transfer order.

Considered the backbone of international banking, SWIFT or the Society for Worldwide Interbank Financial Telecommunication is a cooperative society comprising more than 3,000 financial institutions whose network allows 11,000 banks in more than 200 countries and territories to process billions of dollars in transfers a day.

Leonard Ong, who is vice-president of the Information Systems Audit and Control Association, Inc. (ISACA), said 83% of IT professionals believe that cybersecurity is one of the top three threats to doing business.

The results are contained in ISACA’s 2015 Global Cybersecurity Status Report, which found that only 38% of the 3,439 respondents feel prepared for a sophisticated cyberattack.

Mr. Ong said hackers are no longer “lone wolves,” and instead work together to launch larger attacks, 80% of which are driven by organized crime rings sharing data, tools, and expertise.

In his presentation during last week’s BankTechAsia 2016 Manila Series, Mr. Ong cited the Internet of Things (IoT) as a cybersecurity threat in the next two years. Comprising smartphones and similar ‘thinking’ gadgets, IoT is host to sensitive information.

Amid all these threats, Mr. Ong underscored the role of a company’s chief information security officer (CISO).

“It is important for the CISO to have an airtime to present the board what is the latest in cyber threats and give them understanding what is going on,” he said.

Arijono Darmawan, who is advisory services business consultant for governance, risk and compliance for Asia-Pacific at Wolters Kluwer, agrees: “Technology risks -- including cyberattacks -- are not only the concern of IT department, but have now increasingly become a bank-wide risk management issue.”

Given this, banks should implement what Mr. Darmawan calls the TLD or three lines of defense: business frontline (risk and process owners, operations management), assurance providers (risk management function and other functions) and independent assurance (internal and external audit).

“Specific to the online scam/hacking issues, the TLD should provide (1) more assurance to management and board on the effectiveness of risk and control activities against cyberattacks, and (2) better coordinate risk response to increasingly complex technology risks and controls (including cyberattacks),” Mr. Darmawan told BusinessWorld.

But problems with hacking and scamming should be treated separately, according to Kaspersky Lab.

“Cybercriminals target the infrastructure of financial organizations as well as banks’ clients. In the first case, banks should enhance their IT security measures. In the second case, financial organizations should provide technology and advice to clients, to make sure that their financial operations stay secure,” the Russia-based security software company said in an e-mail to BusinessWorld.

Kaspersky Lab believes security strategy should have four directions to lessen the impact of breaches: prevention of common attacks like malware; detection of targeted attacks aimed specifically at a company; prediction of potential attack vectors; and effective response strategy.

“What is more relevant for banks is separation of mission-critical infrastructure. For example, a compromise of an office network should not lead to a breach of financial operations,” it added.

Wolters Kluwer’s Mr. Darmawan said a bank should have a sound and comprehensive risk and control assessment (RCA) or risk and control self-assessment (RCSA) programs conducted periodically.

“These RCA or RCSA programs must cover risks and controls related to technology, including the possible occurrence of cyber attack risk events. RCA or RCSA must be conducted periodically, at least once a year , but can be performed more frequently depending on the needs of each bank. Based on the RCA/RCSA results, a bank should be able to assess its vulnerability (and readiness) against cyberattacks,” Mr. Darmawan said.

In the wake of the Bangladesh Bank cyber-heist, the Bangko Sentral ng Pilipinas (BSP) announced that it was drafting additional rules to boost bank defenses against financial crimes. The new rules include requiring banks to immediately report attempts to breach their systems to ensure defensive response.

Kaspersky Lab said the problem with financial institutions is that it’s hard to distinguish malicious from regular activities -- something shared by 38% of respondents to a survey.

“The solution here is to provide banks with technology that protects their customers and provides insights that help spot a cybersecurity incident on the client side. Proper incident response capabilities is the key solution here,” Kaspersky Lab said.

Unfortunately, 80% of a company’s budget is spent on security prevention, leaving only 20% for other things such as threat prediction and incident response. “Apparently, many companies tend to overlook this important part of cyber resilience strategy... This leads to a lack of resources in case of a security breach: businesses don’t have the technology, expertise and work force to deal with such incidents,” Kaspersky Lab said.

*Send e-mail to Mark at mtamoguis@bworldonline.com or follow him on Twitter @MTAmoguisBW.

Other Stories