
Addressing Existential Cyber Risks in Financial Institutions

Digital transformation plays a vital role in the maturity of financial institutions, but adopting new technologies brings increased cyber risk. It is therefore no surprise that more than 50% of our survey respondents ranked cloud, technology knowledge gaps, and data & privacy requirements as the biggest cyber risks for their organizations.


How do you measure what ‘good’ looks like when it comes to managing cyber risks at financial institutions?

Yet despite having had several years to strengthen cybersecurity capabilities founded on a risk-based approach, our latest research found that many financial institutions such as banks, financial services, insurers, and payment providers are struggling to keep up with a moving target.

Data protection efforts remain a work in progress at many companies because of a changing threat landscape and the growing sophistication of cyber attackers. These are some of the conflicting demands facing CISOs and risk and compliance managers in financial institutions.


Future of Digital Risk Management for Financial Institutions

Beyond facilitating digital transformation, financial institutions must balance the needs of cybersecurity with other essential forces including risk management and regulatory compliance.

To get to the bottom of these challenges, SISA conducted a panel discussion, "Future of Digital Risk Management for Financial Institutions", moderated by Mr. Dharshan Shanthamurthy, CEO at SISA, with panelists Mr. Arivuvel Ramu, Group CTO at TONIK, and Mr. Shivakumar Sriraman, Chief Risk Officer, South East Asia at VISA.

Our panelists echoed one another in terms of the existential digital risks, major cybersecurity challenges, and the best approach to mitigate and manage risks in financial institutions. Several broad themes emerged, which we’ll explore in this blog post.

Digital risks in financial sectors

Three-quarters (74%) of banks and insurers have experienced a rise in cybercrime since the pandemic began, and 56% of financial institutions have seen a rise in financial losses associated with fraud or cybercrime in the last 12 months. The pace of digitization will only increase as the banking and financial industry moves forward, so investment in cybersecurity and digital risk management capabilities should keep pace with it.

“It is a good idea for banks to give the control back to the customers – which means it is all about features like e-kyc, automated account opening, immediate card issuance, etc. – but these involve a lot of risks, and prevention needs to be prioritized.”

Mr. Arivuvel Ramu
Group CTO at TONIK


Risks associated with digital transformation in financial sectors:

  • Operational Risks
  • Technology Risks
  • Regulatory Risks

Poll Result: 23% of the financial institutions reported that data & privacy requirements were the biggest cyber risk for their organizations, 18% of the respondents described technology knowledge gaps as a major cyber risk, and 5% named cloud-based security challenges as their priority. Given the potential operational damage, non-compliance penalties, and remediation expenses that could follow from such cyber risks, it is understandable that more than 55% of financial institutions reported all of these challenges to be important considerations for risk management.


Addressing cyber risks in financial institutions

While it is important for financial institutions to have an adequate budget for cybersecurity, how a risk management program is structured and governed may be equally important for effective cyber risk mitigation.

Indeed, many financial companies with low cybersecurity budgets managed to achieve a highly mature risk management program, while others with high expenses on cybersecurity missed out on important regulatory security controls. This dynamic could, in part, reflect the level of cohesiveness in the cybersecurity governance plan of financial institutions.

Even where resources are available to address cyber risks, CISOs in financial institutions say that they are not able to combat their highest-priority risks. Those we interacted with also commented that they scramble to prioritize risk areas while securing their digital landscape against emerging threats. Looking at the bigger picture, experts at SISA suggest a risk management model that financial institutions can use to assess the cyber risks associated with their organizations.


During the panel discussion, some executives in risk and compliance cited the challenge of audit fatigue caused by the lack of standardization across regulatory standards. Many also indicated that they need cyber risk metrics with industry-wide benchmarks.

“Organizations are still managing risk from a compliance-checklist point of view. It is more important to build trust with the consumers who will use the end products. And that’s how regulatory standards should be accepted.”

Mr. Shivakumar Sriraman
Chief Risk Officer, South East Asia at VISA

Audit beyond compliance

As one of our panel participants put it: how might financial institutions gain a better view of cyber risk management for their organizations, and how might burdensome audit reporting requirements be managed so that digital risk management becomes an advantage rather than a cost?

One positive indicator: 31% of the respondents stated that they are currently formulating a formal cybersecurity governance plan for their organizations.

Audit must provide clear directions on ethical cyber practices and principles that communicate the ‘why’ and ‘how’ of compliance to financial institutions.


Such an integrated approach to risk management can be particularly effective when reporting the state of security and regulatory compliance to board members.


In the end, cybersecurity and risk management leaders in financial institutions must collaborate and cooperate to balance their needs. Only then will the risk management efforts serve as effective security controls against emerging cyber threats.