Cybersecurity considerations for banks in a digital world
In the wake of the sudden and massive shift to remote working accelerated by the Covid-19 pandemic, cybersecurity has been placed among the top concerns of banking executives. Ton Diemont, head of KPMG’s Cybersecurity practice in Saudi Arabia, shares several cybersecurity considerations leaders should keep in mind.
The cybersecurity landscape is rapidly evolving, and there are several key developments that are shaping cyber in the banking sector. In line with the acceleration of digitalization, the prevalence of cybercrime has increased during the Covid-19 pandemic. For banks, the threat is pronounced and growing.
Though better prepared than most sectors, the banking sector still lags behind the cyber threat landscape. Hackers will find opportunities to exploit flaws in the way banks currently fund, manage, enable, organize and implement their information protection capabilities.
Open Banking
Open banking is a practice that provides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions using application programming interfaces (APIs). It also allows for greater financial transparency for customers and uses open source technology to build the cybersecurity ecosystem. At each level, cybersecurity measures and policies will determine the success of open banking.
In a January 2021 policy paper, the Saudi Central Bank (SAMA) announced that it is developing an “open banking initiative” intended to help shape the rules around open banking and promote its healthy use as the fintech sector develops. SAMA plans to “go live” with open banking during the first half of 2022, after its design and implementation phases are complete.
As stakeholders in Saudi Arabia develop their own open banking initiatives, they should recognize the importance of security. All third-party providers have to comply with regulator and bank data protection rules, which should be focused on customer privacy protection. The provider must inform the bank and the customer what data it intends to use and how it will use it, as well as how long it will remain within its systems.
Internal Risks and Cyber in the Audit (CitA)
Cyber in the Audit (CitA) provides a framework and guidance for a structured approach and risk-based decision making for assurance. Traditionally, auditors have tested their clients’ general IT controls (GITCs). However, as risks evolve, so too does the role of the auditor. Just as an IT audit supports a financial audit by testing automated controls, CitA supports the IT audit by testing the cybersecurity measures in place to prevent an attack on a bank’s IT systems.
The emphasis for CitA is a forward-looking approach where the controls are designed to provide assurance on the IT dependencies that a bank relies upon. It gives insight into a bank’s cybersecurity controls and makes plans for what steps need to be taken to respond and recover in case of a cyberattack or compromise.
Data Privacy
Whether a bank started its privacy journey because of a regulation or as an initiative, privacy is now firmly a sector-wide priority. Banks must chart a plan that not only encompasses the immediate regulatory challenges, but also a plan for a shifting regulatory climate and consumer expectations of greater individual control of data.
In creating a sustainable and effective data protection strategy, companies should develop a solid framework of best practices and infuse those practices – both procedurally and culturally.
While data should be viewed as a valuable asset, it is what a bank does with its data that gives it value, such as creating better customer experiences and offering customized products. Additionally, businesses that proactively manage and protect personal data the way users expect will come out ahead of their competition.
Banks will have to better understand their data practices and the impact of new regulations on their business strategies and business models. Waiting to the last minute is not a viable option, because the goal is building customer trust and loyalty.
Staying ahead
All in all, it is important for banks to stay ahead of the threat by testing what their defences are capable of. A good approach is simulating potential cyberattacks, for example those launched by real attackers (including phishing and malware), to test the tactics, techniques and procedures (TTPs) and the overall incident response and threat management.