It has been six months since the Central Bank of Malaysia, Bank Negara’s Risk Management in Technology (RMiT) policy came into effect. The policy requires banks and other Financial Service Institutions (FSIs) in Malaysia to demonstrate risk management practices and controls that are in line with the increased technology risks they are now exposed to in the current IT climate.
These risks include failures or breaches of IT systems, applications, platforms or infrastructure, which could result in financial loss, disruptions in financial services/operations, or reputational harm to a financial institution.
IBM recently organised a webinar to help banks and FSIs make sense of the policy and implement the right tools to meet these requirements. Several IBM speakers shared key considerations, capabilities and approaches that need to be addressed concerning managing technology risk.
In the webinar, IBM also shared how technologies related to hybrid cloud integration, data, operational risk management, fraud prevention and security can be applied to achieve the control measures outlined in the RMiT. Attendees of the webinar included several C-level executives, heads of department and IT managers from banks, insurance companies and other organisations in the related sector.
The webinar was moderated by Andrew Martin, AOPG group publisher, with four speakers from IBM.
Getting the Frameworks Right
According to Patrick KL Wang, Governance Risk and Compliance (GRC) solution expert, the RMiT policy implemented in January could not come at a better time as it allowed FSIs to be organised before the COVID-19 pandemic.
Patrick said that the pandemic situation saw financial institutions scrambling to digitise their services, which had to be done immediately. With FSIs already having heaps of regulatory hurdles to cross, the RMiT certainly helped as it allowed them to have that common target to meet and address specific requirements among all the different regulations.
As different regulations come with different frameworks, technology allows FSIs to streamline their processes and have a common view of all their risks. It is getting much tougher to do everything manually. Banks and FSIs need a system that is not only automated but also able to provide advanced analytics with AI capabilities.
“Today, we are seeing more FSIs leveraging on AI such as to read regulations and suggest obligations and automatically map controls within a financial institution. If your organisation has not modernised and is still relying on Excel spreadsheets, it would not be a sustainable operation. In order to survive in this situation, you have to reinvent and accelerate some of your technology acquisition programs and business processes to automate and ensure compliance across the board”, Patrick commented during the webinar.
Technology Operations Management
On technology operations management, Eddy YC Liew, cloud and cognitive solutions country technical leader, IBM Malaysia, explained that the RMiT requires FSIs to look at a variety of technology capabilities or technology platforms.
“Having a strong application deployment to ensure customer experience is not affected is important. We have been helping banks have the right approach when it comes to online services. Be it data centre operations or cloud services, we have been helping banks look at areas where they have had increased transactions in the last couple of months”.
Increased merchant transactions over the last couple of months have kept banks busy ensuring all processes and transactions run smoothly, which is where data resiliency is vital. Banks need full resiliency to cope with such surges.
Eddy added that the common challenges FSIs want to focus on are:
Service Level Agreements (SLA) – For example, four hours on a rolling 12-month basis and a maximum tolerable downtime of 120 minutes per incident;
Governance of the Software Development Life Cycle (SDLC) – Automation for software development, testing, software deployment, change management, code scanning and software version control;
Data Centre Resiliency – Active-Active data centre resiliency projects, SPOF (Single Point of Failure) design, real-time pre-emptive monitoring and centralised log management;
Security and protection of cloud services; and
Access control management and proper Performance Testing.
Risk Management and Cyber Resiliency
Interestingly, Glen McFarlane, threat management leader, IBM, said that humans are terrible at risk management, which is why it is essential to have technology capabilities in place. Glen believes organisations should make the most of the current situation to be prepared for future crises. He explained that companies should leverage the spending in a crisis to expand or accelerate particular projects. In this case, Glen recommended using the RMiT and aligning it with the business’s COVID-19 response.
In dealing with cyber attacks, Anurag Kuthiala, executive solutions leader, Europe/AP/Japan/GCG, IBM Resiliency Orchestration, pointed out that IBM’s Cyber Incident Recovery solution allows customers to have:
A secure repository of data;
Validated data copies for recovery;
Reporting and visibility;
A reduction of detection time for pre-emptive action;
A reduction of exposure time with one-click remediation; and
Lower RPO and RTO.
Organisational Needs vs Meeting Regulatory Compliance
After the four panellists concluded their presentations, a poll was conducted with the attendees to ascertain their areas of interest or focus with regard to the themes discussed during the webinar. Half of the respondents said their organisations are focused on cybersecurity management, while another 33% focused on technology risk framework management. None of the attendees said their work prioritised cyber resiliency framework management.
When asked what attendees felt was the greatest obstacle to achieving RMiT compliance, the results were distributed between updating infrastructure (42%), understanding the framework (31%) and ongoing compliance monitoring (27%).
For the question on the areas in which organisations need help, 36% said they were looking at operational risk management, while the rest needed assistance with fraud and security, data operations management and hybrid cloud integration.
The panellists felt that prevention is better than cure, even for organisations that already have a robust security strategy. Anurag said that companies need to ensure they have cyber resilience to prevent problems. Companies cannot just get by with what they have whenever they experience a cyber incident but must focus on improving their cyber resiliency.
Glen commented, “Some organisations let the government tell them what’s the next thing they should do, but there are not a lot of governments on the forefront of policy development in security. Organisations need to understand their risk and how the management can manage risk and apply that to cybersecurity”.
The panellists felt this is where organisations need to focus when it comes to having the right cybersecurity framework. The RMiT is enabling them to do so, and they need to ensure they can leverage the right technologies and make the right decisions.
As Patrick put it, “Compliance and regulations will drive the security strategies for FSIs. The key thing for FSIs is to understand what is important for them and how to assure regulators they are complying”.