Why financial sector needs change of tack in IT security

No one is immune from IT security-related risks anymore. In the financial services sector, the question is not if an IT security incident will occur but when, how and at what cost.

Over the last two years, sophisticated cyber adversaries around the world have launched powerful attacks on banks and other financial institutions, siphoning off billions of dollars from deposit accounts, stealing millions of payment card records and infiltrating many national stock exchanges.

Globally and in Kenya, financial institutions are implementing superior technologies to prevent, detect and respond to IT security risks. Regulators are taking a more active role as well.

The Central Bank of Kenya now requires banks to conduct ICT external audits at least once every two years. Technologies and regulations are important but the most effective approach to managing IT risk is to maintain a foundation of sound governance, operational processes and people skills.

PwC’s 2015 Global State of Information Security Survey of 758 IT professionals working for financial institutions showed that IT security-related incidents are increasing in volume and cost, with most incidents perpetrated by company insiders and suppliers.

At the same time, our respondents said IT security budgets are inadequate and the “tone from the top” — executive and board-level engagement) is often lacking.

An IT risk assessment is an opportunity to review sustainability, profitability and reputation in the context of IT risk.

Many organisations will seek initially to test one aspect of their IT risk security process or customer relationship management system only to find that they need to revisit their whole IT risk management framework.

Very often, the solution entails embedding IT risk management fully within the business’s strategy and ensuring consistent application.

Many of Kenya’s financial institutions are currently focused on content management. Different priorities require different approaches but in general, content management can help an institution to operate like an organisation and adopt a common platform that will cut across different product lines, creating more interactivity and a deeper understanding of customer needs.

Greater competition among Kenya’s banks and insurers, led by innovation and financial inclusion in the sector as well as new market entrants, has caused many institutions to revise their strategic orientation from product-centric to customer-centric.

An institution may have had a system in place that suited one product but is not suitable for an expanded portfolio of products.

A customer may require multiple financial services products, each with its own unique identifier. The institution needs one view of the customer as well as the ability to aggregate information about similar customers to better anticipate their needs.

An integrated application will serve different product lines, business units and customers on one platform.

Another challenge is a financial institution’s reporting mechanism. Service providers or agents may not have a record of services delivered. An integrated system will provide this information in real time, wherever the agents are located.

Greatest threat

These kinds of challenges are opportune times to holistically assess an organisation’s IT risk security framework. Just because an organisation has a cutting-edge approach to technology, content or customer relationship management does not mean that it will also have an appropriate IT risk management framework.

In fact, some of the greatest threats to IT security come from within the institution or originate with suppliers and other third-parties.

Finally, risk analysis, including IT risk, tends to be historical in nature among financial institutions. Analysis is anchored in historical fact.

There are no facts about the future, but financial institutions can shift to forward-looking analysis tools that are built around scenarios. Stress testing and sensitivity analyses are useful for managing IT risk in the present as well as potential risks and incidents in the future.

The aim of risk management, is two-fold: achieve sustainability and maximise the ability to capitalise on change.

As financial institutions in Kenya and globally become ever more sensitive to the complex interplay between risks and opportunities, they need to take a more holistic, long-term view of IT risk management.

Ms Aroi is a manager at PwC Kenya’s IT Risk Assurance Services practice.