
Welcome to Banking Quest

Information Technology Risk in Banks and its management

March 19, 2024, 8:56 a.m.

Prof. Rajesh Mahajan, ex General Manager, Bank of Baroda

Agenda

  • Overview
  • What’s IT Risk? 
  • Why Care About IT Risks?
  • How to manage IT Risks?
  • IT Risks in Banks, Issues, Impact
  • IT Risk Management strategies
  • IT Security breaches & their impact, some examples
  • Threat & Incident Management - Challenges
  • IT Risk Governance
  • IT Risk and ERM

 IT Risk - Importance 

  • A few years ago, information technology (IT) risk occupied a small corner of operational risk: the opportunity loss from a missed IT development deadline, downtime due to failures etc.
  • Today, the success of an entire financial institution may rest on managing a broad landscape of IT risks.
  • IT risk is the potential damage to an organisation’s value resulting from inadequately managed processes and technologies.
  • IT risk includes the failure to respond to security and privacy requirements, as well as many other issues such as human error, internal & external frauds, obsolescence in applications & machines, reliability issues and mismanagement.
  • The World Economic Forum ranks a breakdown of critical information infrastructure among the most likely core global risks, with 10-20 % likelihood over the next 10 years and potential worldwide impact of $250 billion.
  • IT risk management is more than using technology to solve security problems.

 Why Care About IT Risks? 

  • Organisations heavily depend on IT to run business
  • IT drives the business in every field
  • Increasing threats in using technology and IT enabled services / products
  • Severe need to understand types of Risks in IT
  • Important to put in place the Risk Management practices
  • ITRM is crucial in managing the exposure to risks
  • Improves overall business operations and decision making

 Difference between Cyber Security and Information Security

  • Information Security focuses on protecting the confidentiality, integrity and availability of information.
  • Cyber Security is the ability to protect or defend the use of cyberspace from cyberattacks.
  • Cyberspace is the interconnected network of information systems and infrastructures such as the Internet, telecommunications networks, computer systems, embedded processors and controllers and many other systems.

 Regulatory/Supervisory concerns

  • Disruptions
    • Impact on the economy due to disruptions
    • Loss to organisation due to disruption of critical services and frauds
    • Loss of public confidence & image of the Bank
  • Payment and settlement disorders leading to failures in settling obligations among banks & other institutions

 Structure of RBI Guidelines on Cyber Security Framework

 RBI Guidelines on Cyber Security framework focus on the following three areas:

01. Cyber Security and Resilience

02. Cyber Security Operations Centre (C-SOC)

03. Cyber Security Incident Reporting (CSIR)

 Characteristics of IT environment

  • High volume and complexity
  • Low visibility, location or distance is immaterial
  • Fast IT-related changes
  • High level of reliance on specialist knowledge
  • Low level of human intervention
  • Audit environment is different and complex
  • Auditing requires both functional and reasonable computer skills
  • Likely impact due to compromising of controls would be very high 

 IT related Risks/Issues

Illustrative list:

  • System failures/disruptions
  • Data integrity issues
  • Unauthorized access/disclosure to data/information
  • Inadequate oversight/governance of IT
  • Inadequate alignment with business requirements
  • Inadequate segregation of duties
  • Malicious activities like hacking/frauds, DoS attacks
  • IT Project time and cost over-runs or project failures 
  • Social engineering attacks to gain access to systems
  • Lack of or inadequate audit trails
  • Inadequate authentication/authorisation to systems
  • Inadequate response to IT related incidents
  • Inadequate user training/awareness

 IT Risks Control

  • The domain of IT Risk can be described in four areas:
    • Asset
    • Threat
    • Impact
    • Control

 What is the impact of IT Risks?

  • IT Assets
    • Information
    • Infrastructure (IT)
    • Business Processes (Operations, Software)
  • IT Threats
    • Confidentiality – Data Breach
    • Integrity Compromised
    • Availability - Disruptions
  • Business Impact 
    • Operational
    • Legal
    • Reputational
  • IT Control
    • Preventive
    • Detective
    • Limitative
    • Corrective

 Risk Management and frauds in ATMs

  • Skimming Fraud: In such cases a particular ATM is compromised by fitting a skimming device over the debit card slot, which reads the data from the debit card. A small camera is also set up, focused on the ATM, so that the fraudsters can learn the PIN entered by the users.
  • The card data and PIN so obtained are loaded onto a dummy card, and unauthorized transactions are then made using the cloned card.

 Risk Management and frauds in Mobile Banking

  • Risk due to Mobile Technology

Application Server Risk

Application server environment: weaknesses in OS hardening, use of default credentials, inadequate patch/update maintenance, encryption related issues

Network Infrastructure Risk

Risk associated with network devices and infrastructure: hardware failure, physical disconnection of the network, inadequate security

Transmission Risk

Risk associated with transmission of data/information on account of loss of connectivity of mobile devices, data packet loss etc.

Mobile Devices Risk

Risk associated with the multiplicity of mobile hardware platforms and operating systems

Mobile Application Risk

These risks include insecure coding practices, inadequate applications, lack of protection of user credentials, unprotected storage/transmission of data etc.

End User Risk

Risks include loss of the device, easy passwords, storing passwords on the device, not using anti-malware software

  • Malware Risk 

Zitmo Trojan

Steals mTAN codes sent by banks in text messages

Banker Trojan

Steals passwords and other sensitive information

Wrob Trojan

Poses as a Google Play app and replaces installed banking apps with Trojan clones

ZertSecurity Trojan

Impersonates the bank login and steals credentials

DroidDream Rootkit

It works on Android mobile phones. It gains access at the lowest level of the system and can change the software, steal data and even install further malware

  • Other Risks Associated with Mobile Banking

Data Mining and Theft

This means accessing data about individuals. Fraudsters leverage it for targeted attacks; thus mobile devices may be at risk of being accessed/mined to reveal credentials and the usage habits of the owner, which may then be misused

SIM Swap Fraud

Fraudsters get the user’s SIM blocked and obtain a fresh SIM card

Device Impersonation

Some applications bind the mobile app to the customer’s mobile device using the technical identifiers of the device

Spear Phishing and Social Engineering

It occurs via email, SMS, Twitter and other social networking.

Messages/queries/suggestions promising gains or rewards entice the user to use a link/option sent to the device

Risk Management and frauds in Internet or Online Banking

  • Phishing
  • Vishing
  • Brand Spoofing
  • Cyber Mugging

How to deal with internet threats and challenges

  • One Time password by mail/sms
  • Always log in to the Personal Internet Banking site by entering the official URL directly into the browser’s address field instead of selecting a URL prompted by the system
  • Banks provide 
    • Virtual key board
    • Periodic password changes
    • Additional safeguards against customer mistakes, such as forced log-out or suspension of service, use of security questions etc.
    • Regular customer education

 Some Examples of IT Security Breaches

 What can go wrong

  • Operations failure
  • Data Leakages
  • Data Damage, Lost
  • System Failure – HW / SW / Network
  • Data Theft - Insider / Internal Threats
  • Data Theft – Breaches / External Threats

 UCO Bank Fraud

  • A fraud of Rs. 820 cr. involving unauthorised transactions into accounts at UCO Bank.
  • Two support engineers from a private company engaged by UCO Bank to develop and maintain its mobile banking app initiated lakhs of immediate payment service (IMPS) inward transactions from over 14,000 accounts across seven banks into 41,000 UCO accounts in three days between November 10 and 13.
  • These engineers allegedly changed settings on UCO’s IMPS server, causing 853,049 transactions to be credited to UCO accounts without actual debits from originating banks being posted.
  • In other words, the money reflected in both accounts — the destination (UCO) one and the originating accounts.
  • UCO Bank’s app uses an intermediary tool called Connect24, which interfaces with the core banking system (CBS) that banks use to exchange information about fund transfers.
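As an added illustration (not code from UCO Bank, NPCI or the Connect24 tool), the following Python reconciles inbound IMPS credits posted at the beneficiary bank against debit confirmations received from the originating banks, flags every credit that has no confirmed debit (the condition the incident above describes) and applies a simple hold rule; field names, bank codes and the sample batch are constructed.

```python
"""Reconcile inbound IMPS credits against originating-bank debit confirmations.
Added illustration, not code from UCO Bank, NPCI or the Connect24 tool; field
names, bank codes and the sample rows below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    rrn: str           # reference number shared by both legs of a transfer
    orig_bank: str     # originating bank code
    dest_account: str  # beneficiary account at our bank
    amount: int        # amount in paise, so no float rounding


def unmatched_credits(credits, debit_confirmations):
    """Credits posted at the beneficiary bank with no matching debit confirmation
    (same reference, originating bank and amount): money reflected at the
    destination without a confirmed debit at the origin."""
    confirmed = {(d.rrn, d.orig_bank): d.amount for d in debit_confirmations}
    return [c for c in credits
            if confirmed.get((c.rrn, c.orig_bank)) != c.amount]


def exposure_by_bank(flagged):
    """Value of unmatched credits per originating bank; a build-up from several
    banks at once is a dashboard-level warning sign."""
    totals = defaultdict(int)
    for c in flagged:
        totals[c.orig_bank] += c.amount
    return dict(totals)


def should_hold_inbound(credits, flagged, max_unmatched_ratio=0.01):
    """Kill-switch rule: hold inbound posting for manual review when more than
    the allowed share of a batch lacks a confirmed debit."""
    return bool(credits) and len(flagged) / len(credits) > max_unmatched_ratio


# Constructed sample batch: five credits posted, only three debits confirmed.
SAMPLE_CREDITS = [
    Txn("RRN0001", "BANKA", "ACCT-111", 500_000),
    Txn("RRN0002", "BANKA", "ACCT-112", 250_000),
    Txn("RRN0003", "BANKB", "ACCT-113", 100_000),
    Txn("RRN0004", "BANKB", "ACCT-114", 100_000),
    Txn("RRN0005", "BANKC", "ACCT-115", 750_000),
]
SAMPLE_DEBIT_CONFIRMATIONS = [
    Txn("RRN0001", "BANKA", "ACCT-111", 500_000),
    Txn("RRN0003", "BANKB", "ACCT-113", 90_000),  # amount does not match
    Txn("RRN0005", "BANKC", "ACCT-115", 750_000),
]
```

Run against the sample batch, three of five credits are flagged (two with no confirmation at all, one with a mismatched amount), so the hold rule fires.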

 Rogue & Unauthorised Trading

  • UBS:
    • 2011: A rogue trader caused an estimated loss of €2 billion, stunning a banking industry that has proven vulnerable to unauthorised trades.
    • Financial Loss: €2 Billion
  • SOCIETE GENERALE
    • 2008: Trading loss incident involving breach of trust, forgery and unauthorised use of the bank’s computers.
    • Financial Loss: €5 Billion

 Data Leakage

  • SONY:
    • 2010: The worldwide electronics leader had to interrupt its gaming network for 23 days due to hacking, resulting in data leakage of 100 million client accounts and 58 claims. 
    • Financial Loss: €130 M 
  • ZURICH:
    • 2008: Failing to properly manage the risks associated with the security of customer information, in the context of an outsourcing program in South Africa. 
    • Financial Loss: €2 M

 Information System Failure

  • DBS BANK:
    • 2010: One of Singapore’s largest banks suffered a major IT system crash affecting the bank’s commercial and consumer banking systems. The bank was blamed by the Monetary Authority of Singapore (MAS) for insufficient oversight of the maintenance, functional and operational practices and controls employed by its provider IBM.
    • Financial Loss: €135 M 
  • DOWJONES:
    • 2010: The Industrial Average of one of the G8 countries plunged about 1000 points (around 9%), only to recover the flash crash losses within minutes, due to unusual selling of E-Mini S&P 500 contracts and high-frequency trades.
    • Financial Loss: US stock market Flash Crash

Data theft and Insider threat

  • HSBC:
    • 2009: Personal details of 24000 bank clients were stolen and given to the French tax authorities by Herve Falciani, an IT specialist. FINMA reprimanded the bank for deficiencies in its internal organization and IT controls.
    • Financial Loss: Unknown 
  • HSBC:
    • 2008: The bank lost a CD containing 1.8 lakh customers’ information and was fined more than £3m by the FSA for failing to protect confidential details from being lost or stolen. Lack of training and lack of IT security (no data encryption) were highlighted as the main issues. 
    • Financial Loss: €3,5 M (FSA Fine) 

 Data theft & breaches (2020-21)

  • NPCI: The BHIM app data breach exposed data of over 7 million users, affecting personal records. The 409-gigabyte data leak included personal information such as Aadhaar card details, bank records etc. 
  • Juspay: The Juspay data breach affected Amazon, Swiggy and many others. The compromised information of 10 crore (100 million) Indian cardholders was put up for sale on the dark web; the leaked information came from Juspay data servers. 
  • SolarWinds breach: The SolarWinds breach emerged as one of the biggest ever targeted against the US government, its agencies and several other private companies, and is called a ‘supply chain’ attack.
  • Reserve Bank of NZ data breach: Criminals hacked a third-party hosting partner of the central bank, resulting in a data breach as the data stored at the third-party hosting provider was accessed by the attackers.

Threat & Incident Management: The Challenge of Visibility and Traceability

  • Visibility and traceability of IT threats challenge IT Risk & IT Security professionals because of the complex IT environment and evolving attacks. 
  • Understanding how workstations, servers, the network and applications are used, and having a consolidated view and dashboard of the overall IT risk posture, is not something an out-of-the-box tool provides. 
  • Knowing the threats and risks to the infrastructure requires detailed, structured and/or correlated analysis of the information system’s logs. 
  • Business-critical visibility into specific end-user behaviours, for effective remediation by Security and Operations teams, is mandatory to ensure a reliable incident management service.

 Threat & Incident Management 

The different types of tools:

  • External Threat:
    • Firewalls
    • Intrusion Prevention Systems (IPS)
  • Internal Threat:
    • Antivirus Solutions
    • DLP Solutions (Data Leakage Prevention)
    • Desktop monitoring (Active Directory)
  • Incident: Fraud & Investigation:
    • SIEM Solutions (Security Information & Event Mgmt)
    • Forensics (EnCase)

 Technology & Security Issues 

  • Security policy, duly approved by the Board, should be in place 
  • Segregation of duties between Information Security section & Information technology section
  • Logical Access controls like User id, passwords, biometrics etc. should be introduced for access to data, systems, application software, communications line etc.
  • A Network & Database Administrator to be designated with clearly defined roles

 Technology & Security Issues

  • All computer accesses, including messages received, should be logged. Security violations (suspected or attempted) should be reported and followed up.
  • Use of SSL, which ensures server authentication.
  • All unnecessary services / programs on the servers such as FTP, Telnet should be disabled. 
  • The email server should be isolated from the app servers.
  • The Information Security Officer and the Information System Auditor should undertake periodic penetration tests (VAPT) of the systems.
  • Physical access controls should be strictly enforced. 
  • (SSL- Secured Socket Layer, FTP- File Transfer Protocol)

 Technology & Security Issues

  • Business Continuity (BCM) should be ensured by setting up disaster recovery sites. These facilities should also be tested periodically (DR Drills).
  • Security infrastructure should be properly tested before using the systems and applications for normal operations
  • Organisations should keep systems current by installing the patches released by developers to remove bugs and loopholes, and upgrade to newer versions which give better security and control.

 Cyber Risks - IT and Changing Banking Environment

  • Levels of computerization - major technological developments
  • Changes in the business processes facilitated by technology
  • E-banking channels
  • Ever evolving Payment Systems
  • Expanding e-commerce universe
  • Complex environments for processes & controls
  • Increased IT outsourcing
  • Sharing of resources like ATM networks
  • Cloud, Digital wallets, APIs, BYOD
  • Regulatory guidelines

 Cyber Risk

  • Cyber risk can manifest itself across several dimensions, making it difficult to detect, measure and control
  • Sources of cyber risk : 
    • Internet attacks, Hacktivism, Hackers, Country attacks, Advanced Persistent Threats, Insider data leakage, social engineering etc.
    • Internal origins of cyber risk : E-mails, Digital banking services, Electronic payments, electronic trading, Outsourcing, dependence on third parties, Data Exchange with external agencies, technology infrastructure etc.
  • Most security breaches are due to improper implementation of controls and processes and, more importantly, not being aware of this, as mission-critical activities are outsourced.
  • Responsibility, accountability and ownership rests with the bank

 Precautions - Best Practices for Users

  • Be cautious while opening email attachments received from unknown sender/domain
  • Be sure before clicking URLs provided in email contents
  • Avoid sharing personal information (password, PIN, card details etc.)
  • Use strong passwords and regularly change your password, PIN etc.
  • Preferably keep a backup of your data at a protected location
  • Install anti-virus and anti-malware software and update it regularly
  • USB flash drives (pen-drives) are not to be used in PCs on the Bank’s network
  • Do not connect to the internet from systems which are connected to the Bank’s network.
  • On suspension, transfer or retirement, Login-IDs, Digital signature should be revoked.
  • Do not install unauthorized software e.g. Freeware, shareware etc.
  • Maintain clear desk and clear screen policy.

 DO’s & DON’T’s

 DO’s

  • Always log out of application and operating system when leaving desk.
  • Check that the anti-virus on the system is updated and that the system & removable media in use are regularly scanned.
  • Check Exception Transaction reports.
  • Always work as normal users on your computers. Do not work as administrator or its equivalent user.
  • Always take note of the messages on the screen. 
  • Avoid visiting unknown web sites.
  • Check the genuineness of the sites you are visiting especially when entering User-ID and passwords, Card data information etc. 

 DON’T’s

  • Download/install any unauthorized software.
  • Share your password. 
  • Write your password on a piece of paper.
  • Type your password in front of others.
  • Connect any USB drive to your system.
