The fourth wave of the industrial revolution has shifted bank services to become more digital. This shift can become a double-edged sword when not followed by strengthening cyber security. According to the concept of Klaus Schwab, the disruption of the fourth industrial revolution does not only cover aspects of production. Disruption also occurs in aspects of management and governance, including cyber risk.
For some experts, “safe” in the context of cyber is a miracle. According to former FBI director Robert S. Mueller, there are only two types of companies globally. The first are companies that have been hacked, while the rest are companies that will be hacked. Former CEO of Cisco Systems, John T. Chambers, has another, more worrying opinion. Two types of companies in this world are those that have been hacked and those not aware that they have been hacked.
That last statement seems exaggerated. But in fact, it took an average of 191 days from the hack until the system owner realized the system had been breached. This figure is the result of research by Ponemon Institute LLC and IBM Security in the 2017 Cost of Data Breach Study. The study also suggested that the figure be reduced to below 100 days. The longer a system leak takes to be identified, the greater the loss experienced by the company. For system leaks identified after more than 100 days, the average loss suffered is about 3.83 million US dollars. The loss rate is 37% greater than if the system leak is discovered before 100 days.
Losses to the banking industry can be more significant than the average because an attack has a direct financial impact. Last August, Cosmos Bank suffered a loss of $13.5 million in a cyberattack incident. The Indian bank's credit card system was attacked using malware. The perpetrator then copied the customer card data. With this data, the perpetrators made illegal transactions in transfers worth 2 million dollars and ATM withdrawals in 28 countries worth 11.5 million dollars.
The attack was the second such attack to have occurred in India this year alone. Previously, City Union Bank also suffered a similar attack with a loss value of about 2 million US dollars. Security experts believe that both attacks were initiated by a security flaw in the SWIFT payment system, which is also used by banking systems worldwide.
Stories like the above have not (or not yet) been heard in the Indonesian banking world. However, based on the two statements at the beginning of the article, there are two possibilities: banks that will soon be penetrated or banks that have been penetrated but have not realized it. In dealing with such threats, simply being safe may not be enough. Every bank must develop cyber resilience.
Several things need to be considered by banks in developing cyber resilience.
First, bank management needs to realize that cyber resilience is not solely the responsibility of the IT division. The fourth industrial revolution pushes banks to open up limitless services. However, the decision to go digital must be accompanied by risk management readiness against attacks that also become limitless. Risk management is closely related to solutions and costs. Therefore, directors’ active participation in cyber risk management is very much needed.
Banks specifically need to have a Chief Information Officer (CIO) or even a Chief Information Security Officer (CISO) at a certain level. If this is not possible, the bank needs to have other solutions to increase the insight and attention of the board of directors on cyber risk. Banks can, among other things, provide training to the board of directors or recruit consultants who provide independent input to the board of directors.
Weakest Link
Second, the perimeter that a bank needs to protect expands along with the development of bank services. Meanwhile, the strength of a chain depends on the strength of the weakest link. Attacks on banks can be carried out by exploiting loopholes in the weakest link. In the case of India, the attack was carried out on an area not controlled by the bank: the service provider. Another example of the weakest link is in the recent horrendous case of ransomware. Companies can be struck by ransomware just because an employee clicks on a link in a received email.
This fact is in line with the 2018 Global State of Information Security Survey (GSISS) results by PwC. One of the survey results is related to the causes of cybersecurity incidents in the past year. In the financial services sector, 28% of incidents are believed to be caused by internal employees. The largest share, more than half (53%), is due to third parties: service providers, vendors, and consultants.
Banks must have a mechanism for selecting and managing third parties, including assessing their reliability in protecting bank secrecy. Periodically and continuously, banks must conduct third-party reviews to identify areas exposed to risk due to these third parties. Apart from third parties, banks also need to attend to employees, including contract and outsourced employees. Training and awareness programs need to be provided to employees in line with the complexity of the bank and the business processes being carried out.
The third thing to note is the strengthening of the second line of defense. In large banks in Indonesia, having a quality assurance section in each unit is common, including the IT unit. Quality assurance, risk management, and compliance units are expected to provide inherent oversight of IT unit operations. For this reason, quality assurance needs to be strengthened with reliable human resources and technology.
Lastly, banks need to test their own cyber resilience periodically. According to regulations, it is customary for banks to test their business continuity plan (BCP) once a year. In addition to being tested, BCP also needs to be updated regularly to match the latest developments in threats such as ransomware. The bank’s BCP needs to include a business process recovery plan if the bank is attacked by ransomware.
To test its cyber resilience, the bank should hire a group of ethical hackers. This group, commonly called the red team, has the task of conducting regular penetration testing of the entire bank system. Security vulnerabilities found by this team can be fixed immediately before an incident occurs.
The pressure of transition during the fourth industrial revolution will make banks compete to issue innovative digital products. However, on the other hand, banks will also be exposed to greater cyber risk. Banks can remain relevant in the new era by making changes on both sides, business and governance.
Note: This article was published in the December 2018 edition of Integrasi magazine. Previously, this article won second place in the Article Writing Competition – OJK’s 7th Anniversary.