14 May ICT Risk
Risk Reward’s CEO Dennis Cox is a former Director of Operational Risk at HSBC Holdings and chief consultant to the development of the then proprietary OpRisk Modeller software and advisor to the development of the UK’s first Internet Banking, EGG. In this INSIGHT he discusses the latest EBA Paper offering early stage guidance for banks and financial institutions to prepare for compliance.
On 13 December 2018 the European Banking Authority published a paper entitled IT and Security Risk Management for consultation. This timely guidance provides some standards for what is clearly one of the areas of risk which most concerns senior management. The inability of most firms to function without internet and email, compounded by complex IT applications, renders this of prime importance. As the unscrupulous become increasingly greedy and sophisticated, all companies need to act to protect themselves, commensurate with their size and complexity. In this article we set out some of the guidance even though it is not yet finalised.
Information and Communication Technology (ICT) Risk
In the paper they refer to ICT Risk. They state that “This term recognises that the operational risks for payment services refers predominantly to ICT risks because of the electronic nature of payment services (over ICT systems). For this reason, these guidelines refer to ‘ICT risk’ instead of ‘operational risk’ to avoid confusion with wider operational risk issues such as conduct risk, legal risk or reputational risk. Furthermore, security risks for payment services may stem from internal processes or external events but ultimately it is their impact on ICT systems that is relevant for payment services.”
Payment systems are changing quickly with Bitcoin having been the catalyst for major change and resulting in faster payments globally. Faster payments themselves create control issues resulting in greater use of technology to monitor and control money laundering and fraudulent transactions as well as tax transparency. Faster payments, blockchain and some elements of cryptocurrency are here for the long haul even if Bitcoin itself may not be.
The paper states that “cyber-attacks have some specific characteristics which should be taken into account in ensuring that the information security measures are adequate to mitigate cyber risks:
- i) unlike most other sources of risk, malicious cyber-attacks are often difficult to identify or fully eradicate and the breadth of damage difficult to determine;
- ii) some cyber-attacks can render common risk management and business continuity arrangements ineffective (e.g. disaster recovery procedure) and they might in some instances fuel the propagation of malware and corrupted data to backup systems;
- iii) third party service providers, vendors and vendors’ products may become a channel to propagate cyber-attacks, therefore an interconnected institution having individual low relevance may become vulnerable and a source of risk propagation. Observing the weakest link principle, cyber-security should not only be a concern for major market participants or critical service providers.”
Another paper stated that intruders within computer systems are normally not identified for up to 6 months. This highlights that surveillance and activity need to take account of the level of risk that the information poses to your firm, which leads to greater encryption and use of bilateral key exchange. The concerns over third-party vendors extend to software development firms and vendors as well as those that form part of the payments or data infrastructure.
The EBA paper states “The management body should ensure that financial institutions have an adequate internal governance and internal control framework in place for their ICT risks. The management body should set clear roles and responsibilities on ICT functions, on information security risk management, and on business continuity, including those for the management body and its committees.
The management body should ensure that the quantity and skills of financial institutions’ staff is adequate to support their ICT operational needs, their ICT risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body should ensure that the budget allocated to fulfilling the above is appropriate and sustainable. Furthermore, financial institutions should ensure that staff members occupying key roles receive appropriate training, including information security on an annual basis, or more frequently if required.
The management body has overall responsibility for setting, approving and overseeing the implementation of financial institutions’ ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT risks.”
Clearly this should appear on the agenda at Board meetings for firms with action plans and strategies being agreed and implemented. Firms should ensure that this is embedded throughout the business with each business unit implementing suitable consistent solutions. This needs to be monitored and audited, taking the issues seriously to protect your firm.
The Bank for International Settlements (BIS, Basel) published a paper on the Risks of Outsourcing some years ago which remains relevant and useful. This paper states that “Financial institutions should ensure that contracts and service level agreements with the provider (outsourcing provider, group entity, or third-party provider) include the following:
- a) appropriate and proportionate information security objectives and measures including requirements such as minimum cybersecurity requirements, specifications of financial institutions’ data life cycle, and any requirements regarding location of data centres and data encryption requirements, network security and security monitoring processes;
- b) service level agreements, to ensure continuity of ICT services and ICT systems and performance targets under normal circumstances as well as those provided by contingency plans in the event of service interruption; and
- c) operational and security incident handling procedures including escalation and reporting.
Financial institutions should monitor and seek assurance on the level of compliance of these providers with their security objectives, measures and performance targets.”
What this will mean is that firms will need to look at their arrangements and contracts with third-party vendors to ensure that these security measures have been adequately considered. Indeed, if that agreement is more than a few years old it is unlikely to adequately cover this important subject.
The ICT Framework
The paper sets out what is expected for an ICT Framework as follows: “The ICT risk management framework should include processes in place to:
- a) determine the risk tolerance for ICT risks, in accordance with the risk tolerance of financial institutions;
- b) identify and assess the ICT risks to which financial institutions are exposed;
- c) define mitigation measures, including controls, to mitigate ICT risks;
- d) monitor the effectiveness of these measures as well as the number of reported incidents, affecting the ICT related activities, and taking actions to correct the measures where necessary;
- e) report to the management body on the ICT risks and controls.”
Risk appetite or tolerance here is part of the value-driven, Board-approved Risk Appetite Framework. The impact of a breach is not difficult to quantify and indeed this should be done. Remember that risk appetite deals with the real world, so it is net rather than gross. Again, if you require more information on this do contact us or refer to Risk Management in a Nutshell published by Business Expert Press.
The paper states that “Financial institutions should identify, establish and regularly update a mapping of their business functions, roles and supporting processes to identify the importance of each and their interdependencies related to ICT risks.
Additionally, financial institutions should identify, establish and regularly update a mapping of the information assets supporting their business functions and supporting processes, such as ICT systems, people, third parties and dependencies on other internal and external systems and processes, to be able to, at least, manage the information assets that support their critical business functions and processes.”
For many firms the level of business process mapping is not currently adequate to achieve these objectives. Firms need to sponsor a program to identify where they have information assets. One of the consequences of this is likely to be that less access will be afforded to critical information assets.
The EBA paper states that “financial institutions should establish and implement security measures to mitigate the ICT risks that they are exposed to. These measures should include:
- a) independent information security function
- b) logical security
- c) physical security
- d) ICT operations security
- e) security monitoring
- f) information security reviews, assessment and testing
- g) information security training and awareness”
It states that “the information security function should at a minimum:
- a) be responsible for the information security policy for financial institutions and control its deployment;
- b) monitor the implementation of the information security measures through key risk indicators;
- c) report and advise the management body regularly, and on an ad hoc basis as needed, on the status of information security management and risks to financial institutions;
- d) ensure that the information security requirements are adhered to when using third parties; and
- e) ensure that all employees and third parties accessing information and systems are adequately informed of the information security policy, for example through information security training and awareness sessions.”
Whether this function will be segregated will depend upon the size and complexity of the institution. However, again, we expect new functions to be developed to meet these demands.
The paper also requires that “Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These procedures should, at a minimum, implement the following elements, where the term ‘user’ also comprises technical users:
(a) Need-to-Know, Least Privilege and Segregation of Duties: financial institutions should manage access rights to information assets and their supporting systems on a ‘need-to-know’ basis, including for remote access. Users should be granted minimum access rights that are strictly required to execute their duties (principle of ‘least privilege’) i.e. to prevent unjustified access to a large set of data or that the allocation of combinations of access rights may be used to circumvent controls (principle of ‘segregation of duties’).
(b) User accountability: financial institutions should limit, as much as possible, the usage of generic and shared user accounts and ensure that users can be identified for the actions performed in the ICT systems.
(c) Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising staff with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remote administrative access to critical ICT systems should be granted only on a need-to-know basis and when strong authentication solutions are used.
(d) Logging of user activities: privileged users’ activities, at a minimum, should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, without prejudice to the retention requirements set out in EU and national law. Financial institutions should use this information to facilitate identification and investigation of anomalous activities that have been detected in the provision of services.
(e) Access management: access rights should be granted, removed or modified in a timely manner, according to predefined approval workflows involving the business owner of the information being accessed (information asset owner). In case of termination of employment access rights should be promptly removed.
(f) Access recertification: access rights should be periodically reviewed to ensure that users do not possess excessive privileges and that access rights are removed when no longer required.
(g) Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, the information or the process being accessed. This may include password complexity requirements and/or other authentication methods based on relevant risk (e.g. strong or 2-factor authentication for access that are fraud sensitive, allow access to highly confidential/sensitive information, or that could have material consequences for critical operations).
“Electronic access by applications to data and ICT systems should be limited to a minimum required to provide the relevant service.”
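As an added example (not from the EBA paper or from Risk Reward), a small access recertification check of the kind items (a), (b), (c), (e) and (f) above call for: it flags segregation of duties conflicts, shared accounts, privileged accounts without strong authentication, terminated users who still hold rights, and stale recertifications. The account records, role names and the 180-day recertification interval are constructed assumptions.

```python
from datetime import date

# Constructed sample entitlement export (not real data): one record per account.
ACCOUNTS = [
    {"id": "alice", "kind": "personal", "status": "active", "privileged": True,
     "mfa": True, "roles": {"payments_initiate"}, "last_recert": "2019-01-10"},
    {"id": "bob", "kind": "personal", "status": "terminated", "privileged": False,
     "mfa": False, "roles": {"ledger_read"}, "last_recert": "2018-11-02"},
    {"id": "carol", "kind": "personal", "status": "active", "privileged": False,
     "mfa": False, "roles": {"payments_initiate", "payments_approve"},
     "last_recert": "2018-06-01"},
    {"id": "ops_shared", "kind": "shared", "status": "active", "privileged": True,
     "mfa": False, "roles": {"db_admin"}, "last_recert": "2019-02-01"},
]

# Role pairs that would let one person circumvent a control (segregation of duties).
SOD_CONFLICTS = [("payments_initiate", "payments_approve")]

# Assumed recertification interval; the EBA text only says "periodically".
RECERT_MAX_DAYS = 180

def review_access(accounts, sod_conflicts, today):
    """Return (account_id, element, message) findings; 'element' is the letter
    of the EBA logical access control item the finding relates to."""
    findings = []
    for acc in accounts:
        roles = acc["roles"]
        # (a) segregation of duties: conflicting rights held by one account
        for r1, r2 in sod_conflicts:
            if r1 in roles and r2 in roles:
                findings.append((acc["id"], "a", f"SoD conflict: {r1} + {r2}"))
        # (b) user accountability: a shared account cannot be tied to a person
        if acc["kind"] == "shared":
            findings.append((acc["id"], "b", "shared account in use"))
        # (c)/(g) privileged access must use strong authentication
        if acc["privileged"] and not acc["mfa"]:
            findings.append((acc["id"], "c", "privileged account without strong authentication"))
        # (e) access rights removed promptly on termination
        if acc["status"] == "terminated" and roles:
            findings.append((acc["id"], "e", "terminated user still holds access rights"))
        # (f) periodic recertification of access rights
        age = (today - date.fromisoformat(acc["last_recert"])).days
        if age > RECERT_MAX_DAYS:
            findings.append((acc["id"], "f", f"last recertified {age} days ago"))
    return findings

def run_review(today_iso):
    """Run the review over the constructed data as of the given ISO date."""
    return review_access(ACCOUNTS, SOD_CONFLICTS, date.fromisoformat(today_iso))
```

Run as of 2019-05-14, the check clears alice and reports six findings across bob, carol and the shared operations account.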
Nothing here should surprise you, though you may find the level of detail surprising. The paper continues in a similar vein, looking at the remainder of the issues. All firms should review this paper and undertake an initial gap analysis to ensure that they have taken these issues seriously. This is a fast-changing environment and all institutions need to up their game to avoid becoming victims.
To reproduce or cite this article please contact Dennis Cox via email at DWC@riskrewardlimited.com