Last week Russia invaded Ukraine. The governments of the US and Europe responded with a slate of painful sanctions on Russian banks, access to the SWIFT messaging system for payments, and freezes on Russian central bank reserves.
With the fighting escalating, the risks of cyberwarfare are growing. This raises the question of the resiliency or fragility of the world’s financial institutions. Asia’s banks may be the most vulnerable.
The threat of cyber havoc comes on top of massive changes in banks’ IT environment. The Covid pandemic has traders and salespeople working from home. For commercial and consumer banks, it has also forced an acceleration of digitization, which in turn is creating a mountain of data that is difficult to manage.
From balance sheets to data
Guy Warren, CEO of London-based ITRS Group, a data-monitoring and management company, says the systemic risk in banking has changed. After the 2008 financial crisis, regulators introduced rules to protect balance sheets, such as raising capital reserve requirements.
“The next big worry is IT security and availability of data,” he said. “The concern used to be balance sheets, but now it’s an IT crash or theft of data.”
ITRS has released a survey of 305 global bank COOs and CTOs that suggest the industry is worried. It reports 79 percent of operations professionals say it is becoming increasingly difficult for banks to maintain their SLAs, or service-level agreements.
The response from Asia-based institutions was even higher, where the velocity of IT change has been greatest.
Data tsunami
In other words, bank COOs and CTOs are struggling to ensure the bank fulfils its promise to customers. But 88 percent of these people also worry that their budgets are going to the wrong priorities: short-term patches rather than work that enhances IT resiliency.
Looking at the survey, it appears the worry is that “digital transformation” is so focused on increasing the volume of data that it’s overwhelming banks’ ability to analyze it in real time, or store it. ITRS reports 65 percent of respondents say the volume of data is now too great to analyze in real time.
That leads to errors, which leads to outages: about half of global institutions report 24 hours a year of unplanned downtime; 21 percent of Asia-based respondents say downtimes can be longer.
Regulatory reaction
Regulators around the world are starting to take IT issues seriously. The UK is setting the highest bar: as of March 31 this year, the government will hold large banks’ chief operating officers, information officers and technology officers personally liable for an institutional failure. They can be fined, banned from the industry, and even jailed.
Warren says this is focusing minds and getting banks to double down on ensuring they don’t suffer outages.
Australia hasn’t gone that far, but its securities regular, ASIC, is tightening controls in the wake of prolonged outages at the Australia Stock Exchange in March 2020, amid the volatility caused by the outbreak of Covid. Importantly, ASIC has brought about common rules for all exchanges and market participants.
Singapore is now catching up with global standards. The Monetary Authority of Singapore has issued a recent consultation paper that draws from the Covid pandemic. MAS is likely to require banks implement end-to-end visibility processes, so they can spot potential breaches or faults before systems go down.
The Monetary Authority of Hong Kong, meanwhile, has determined its requirements are in line with international guidelines, but may issue guidance to help banks implement these.
Digital transformation slowdown?
These institutions are not yet taking the step of individual liability, says Warren, but they will keep an eye on the precedent.
Tighter rules will also impact digital-transformation agendas, as banks pivot more to information security.
Warren says the best thing banks can do is ensure they have a complete picture of their data and know how to spot, and report, breaches.
Large banks struggle with this because of inevitable business silos: IT people, networking people in charge of servers, the teams handling cloud vendors, and operations executives are usually not able to know what the others are doing.
Banks have already been addressing this problem by, for example, centralizing some activities around one data center. This was initially a cost-saving tactic, but may become a part of a new InfoSec need to monitor data.
KYC: Know your code
If banks do shift more to resilience, they will have to reconsider how they interface with fintechs, vendors, and the open-source community.
Digitalization has led banks to rely on more third parties: Software-as-a-Service businesses, embedded-banking partners, core banking tech vendors, cloud providers. Any of these can have compromised software.
“Financial institutions are the compound of other firms’ instabilities,” Warren said. If a provider has an outage, it can cascade into the bank’s operations.
The 2020 SolarWinds hack by Russian parties highlights how scary this can be: SolarWinds is a vendor widely used by big enterprises, and the hackers penetrated its own software. So then anyone using SolarWinds’ software was actually compromised and the Russian hackers had access to their systems.
This is a different threat from brute force hacks or denial-of-service attacks that seek to tie an enterprise in knots. It also raises the threat that open-source code can also be compromised.
The answer is for banks to be able to scan the code and possibly write it themselves. There’s a limit to this, of course: there’s no way banks can go without tech vendors, and open source brings its own community benefits. But banks may take a finer look at critical regulatory or cyber vendors.
Warren says the balance is about being able to check the code base of third parties, and be able to respond to problems quickly enough to avoid outages.
With the Ukraine invasion increasing the risk of cyber weapons on the loose, don’t expect regulators’ recent moves to be the last.