With the rise in technological penetration, businesses and companies in the financial sector are increasingly using cutting-edge technology to stay ahead of their rivals. Today, many services related to banking and finance—like internet banking, mobile banking, branchless banking, debit cards, credit cards and point of sales (POS)—are easily available to customers. But along with the proliferation of technology, new challenges are brewing, especially that of cyber crime.
Coping with cyber crime and technology risk management are two issues that will dominate the financial sector in the near future. The cyber security war is fought on the new frontiers of unregulated and insufficiently protected computers that belong to customers and businesses and the web applications that are used to carrying out transactions. Unfortunately, regular users of computer technology are at perennial risk of unwarranted and malicious hacking.
There have been numerous recent incidents that prove that cyber attacks are a credible threat. A few months back, a cyber attack caused the computer networks at major South Korean banks and TV broadcasters to crash simultaneously, paralysing bank machines and TV stations. Society like South Korea, that are heavily dependent on the internet, are especially vulnerable to cyber crimes. At a conference in China some time back, then premier Wen Jiabao stated that the nation needed to put more emphasis on the fight against cyber crime. According to various surveys, 38 percent of cyber crimes are targeted at financial sectors.
Though Nepal has yet to see any organised and large-scale attack like the one that occurred in South Korea, the recent credit card fraud that jolted Himalayan Bank and Nabil Bank should come as a revelation. It is time to ask the question: how prepared are our financial institutions to prevent computer fraud and attacks from hackers?
In the cyber battle, networks do not need to be breached as the keys lie with phishing sites, unprotected consumer devices, social networks and compromised credit cards. The tenuous division between corporate data and assets and those belonging to their customers and employees is convenient for security vendors but does not stand up to the harsh reality of an embedded and amorphous foe that is better equipped, highly connected and basically anonymous.
In the case of Nabil bank credit card fraud, two ex-employees used card information to steal away customer money. A similar method was used by an employee of the card unit at Himalayan Bank. Effective cyber crime prevention requires an integrated and layered approach to device and transaction security for the entire customer acquisition lifecycle. To achieve this, an enterprise needs two core capabilities—device identification, which is the ability to instantly differentiate between legitimate customer and employees and cyber
criminals using stolen identities and credentials; and malware protection, where the enterprise must be able to validate that the device being used is in a safe and secure state to guarantee the integrity of the transaction.
When a cyber crime occurs, the first few hours are crucial. It is important to react quickly and decisively, as the consequences of not doing so can be severe in terms of both financial and non-financial damages. Many of us expect that most financial sector organisations have a cyber attack response mechanism in place but surprisingly, very few of them do. Cyber crime is predominantly seen as an IT issue but in reality, the responsibility for managing cyber crime risks rests with the senior management. It is therefore essential that the management understand the potential risks and opportunities that the cyber world can present and ensure that there is clear responsibility and accountability within the organisation for dealing with risks and threats. Sophisticated service delivery, a regulatory environment and tough enforcement actions make the role of the senior management indispensable. The upper echleons of management need to focus on both preventive and detective methods of cyber crime control. While they seemed to have gained an understanding of the pivotal role of information technology in enabling the delivery of products and services, they should acquire insight into the vulnerabilities and threats inherent in the system. It is also vital that the responsibilities cut across business lines and operations so that cyber crimes are seen as part of corporate responsibility and not just an IT problem.
The financial sector continues to be a very attractive target for fraudsters. Financial organisations are concerned about the damage to their reputation that could arise from a cyber crime incident but have not done enough to prepare. With rapid changes in the delivery of banking services and our ever increasing reliance on technology for these very services, cyber crimes present risks that cannot be ignored. Embedded cyber security in routine procedures and a cyber crisis response plan are vital. Financial institutions need to take care to keep up with changing technologies while making certain that their impacts are fully accounted for. Additionally, regular fraud risk assessments need to be conducted to identify ever-changing risks and whistle-blowing activities and mechanisms must be promoted and supported.
Technology risks can be managed adequately through customer awareness campaigns and programmes. Since the ultimate end users are customers, hackers are always intent on using customers as entry points. So if the level of customer intelligence can be elevated when it comes to the risks inherent in technology, then on a certain level, we can mitigate risks. It may also be wise to devise a combination of risk management alternatives that are dependent on the bank’s internal resources and business strategy. The risk management and decision-making process will necessarily need to be dynamic and will need frequent review and calibration.
Mainali is Deputy Manager of Nepal Bank Ltd