Banks intensify investments in technology
Lenders brace for cyber threats and security concerns
PETALING JAYA: Banks are intensifying investments in technology infrastructure to brace for risks and disruptions from rising global cyber threats and security concerns.
Bankers and analysts view Bank Negara’s comprehensive Risk Management in Technology (RMIT) guidelines, which came into effect on Jan 1, as timely to safeguard the sector from surging global technology risks.
This will ensure continued sustainability and protection for the depositors and investors in the banking space, according to analysts.
The extensive guidelines also cover risks arising from digital banking operations. Recall that up to five digital banking licences would be issued once the country’s virtual industry banking regulation sets in.
The central bank is expected to finalise the policy document for digital banking by the first half of the year to invite applications to make their bids.
Central to the RMIT guidelines is the mandatory appointment of the chief information security officer (CISO) which reports directly to the board and may bypass the CEO and chief operating officer.
In adherence to the guidelines, banks have hired CISOS who would be responsible for the technology risk management and ensure the financial institution’s information assets and technologies are protected.
RHB Banking Group chief risk officer Patrick Ho told Starbiz the RMIT guidelines are an important step towards further strengthening the banking industry’s ability to manage technology risks.
He said the group had taken the necessary steps to identify areas of enhancement as part of its preparation to comply with the guidelines.
Ho said there is growing key risk is in the area of cyber security, which is recognised in the RMIT policy document through increased control requirements in this area.
“Awareness of this particular risk within the banking sector is increasing and we are seeing more collaboration to raise cyber security risk management capabilities among industry stakeholders including regulators, government agencies, banks and technology players.
“Another growing risk is technology vendor and third-party risk arising from the digitisation of products and services across the banking sector as well as non-banks resulting in the need for a robust evaluation process to assess the capability of the technology vendor and third party service providers,” he said.
OCBC Bank (M) Bhd country chief risk officer Thor Boon Lee said globally, ransomware attacks are increasing.
This is worrying to any industry, not only to the banking sector. The impact can be severe, resulting in business disruption. Organisations must have the necessary cyber security solutions to combat ransomware.
“Additionally, regular cyber drill exercises should be conducted to simulate the attacks, and test incident response and crisis communication processes.
“This is something we are vitally committed to alongside the other risks pertinent to the industry in general,” he said.
Thor said the bank is adhering to the guidelines via its robust risk management practices and also through its continual investment in infrastructure.
As the guidelines are far-reaching in scope, he said certain requirements would necessarily entail significant longer-term system investments as well, among others.
For continued sustainability and protection to depositors and investors as spelt out in the guidelines, Thor said, amid the rising volume and intensity of cyber threats, OCBC Bank has in place a cyber-security strategy and roadmap that is regularly assessed by its cyber security team and kept current with appropriate technologies.
“To strengthen our cyber resilience efforts, we have adopted a ‘defence-in-depth’ approach in implementing multi-layered capabilities and processes focusing on cyber defence, cyber risk vigilance and awareness, social engineering testing, incident response, crisis management and business continuity, as well as insurance protection.
“To further enhance employees’ vigilance in relation to cyber and information risks, we have implemented a cyber-risk management programme for the employees.
“We have also rolled out a new mandatory cyber and information e-learning programme and view these as important investments in our quest to quell the effects of cyber risks,” Thor noted.
RHB’S Ho added that the banking group would continue to invests in implementing measures and controls across the technology lifecycle to safeguard the integrity, confidentiality and security of our customers’ banking transactions and personal data.
They included strengthening technology and cyber security risk management through implementation of new systems, improved data centre operations, as well as in enhancing IT and Cyber Security protocols, he pointed out.
It has also put in place liquidity risk management plans to ensure continued protection for depositors and investors.
Commenting on the guidelines, Sumitomo Mitsui Banking Corp Malaysia Bhd deputy CEO Anthony Lim said the central bank has taken the right steps in setting up a framework approach in addressing technology risk in view of the the disparate banking risk management pursuits in the 1980s when credit, market and operational risks were managed separately without taking into account the inherent connectedness and hence, systemic nature of the potential hazards.
“The shift from the rule-based regulatory regime to principle-based regulations and risk-based supervision – the role and responsibilities of the board of directors and executive management in ensuring effective implementation of the Risk-based Supervisory Framework for the RMIT makes it a supervisory expectation for banks to go above and beyond regulatory guidelines.
“In short, it is more than just check-list box ticking now as the board and executive management are required to make attestations on the required control measures undertaken with the regular stress-tests and audits in ensuring its effectiveness and relevance at all times,” he said.
The country’s second largest lender by asset size, CIMB Group said it is supportive of Bank Negara’s efforts in all areas that seek to improve the Malaysian banking environment.
“The central bank’s goals in driving RMIT is in line with CIMB’S aspirations and something we had already begun.
“We are working closely with the central bank in ensuring that CIMB is in compliance with its requirements.
“In line with Malaysian banks, and banks globally, CIMB continues to ensure that it keeps abreast with current developments including in the area of banking technology. This is also done by working with our regulators such as Bank Negara and industry associations such as the Association of Banks in Malaysia (ABM),” a spokesperson from CIMB said.