Topic 11
Introduction
• Security mechanisms and control systems have been used for centuries
• Increased use of IT has led to new security considerations
• Makes it easier to monitor and track activities
• Can detect and act upon security exceptions more quickly when they occur
• Increases the number of entry points that must be guarded
• Adds to complexity of processes
• Higher likelihood of design flaws and execution failures
Concepts
• Authentication
• Verifying the identity of customers and counterparties
• Examples
• Manual techniques
• Photo ID
• Passbook
• Credit card
• Signature
• Electronic techniques
• Username-password
• PINs
• Digital certificates
Concepts
• Authorization
• Rights to perform specific functions or access information
• Manual techniques
• Access lists
• Joint-signatory control rules
• “Permission to discuss” notation on accounts
• Electronic techniques
• Role-based permissions
• Access entitlement restrictions
Concepts
• Authorization
• Approaches for managing access
• Access control lists are good when
• There is a large number of roles and entitlements
• New roles and entitlement types are expected to be added in the future
Concepts
• Authorization
• Approaches for managing access
• Access matrices are
• Simpler and faster to process
• Less flexible
Concepts
• Confidentiality
• Restricting access to private or secret information
• Manual techniques
• Need-to-know access controls
• Locked filing cabinets
• Opaque envelopes
• Electronic techniques
• Data encryption
• Data access restrictions
Concepts
• Nonrepudiation
• Ensuring customers or counterparties cannot refute transactions
• Manual techniques
• Signatures and initialing
• Witnesses
• Electronic techniques
• Digital signatures
• Trusted third-party verification
Concepts
• Accountability – i.e. audit trails
• Support investigation of and forensics for cybersecurity events
• Help determine
• What happened
• When it happened
• Who was involved
• Should be write-only to prevent tampering
Cybersecurity Framework
• Identification
• Identify potential risks to relevant assets
• Data
• IT systems
• Operational processes
• Need awareness of all the things that are potentially at risk, i.e. asset management
• Track the current state of
• Every networked device
• Software that is installed and running on those devices
• Information stored on those devices
• Who has access to those devices
• A prerequisite for risk analysis and mitigation
Cybersecurity Framework
• Security Risk Analysis and Mitigation Planning
• The resources available to counter security threats are limited by time and budget
• It is critical that security resources are applied most effectively
[Figure: overlap of Potential Threats and Known Vulnerabilities]
Cybersecurity Framework
▪ Security Risk Analysis and Mitigation Planning
• People’s cognitive biases can skew their perception of risk
• It is best to use a formal risk assessment methodology to avoid biases
Cybersecurity Framework
• Security risk analysis
• Generates a list of potential risks and their overall severity rating
• Ranks the list by severity
• Continues evaluating only the risks with the highest ratings
Cybersecurity Framework
• Security risk analysis
• Analyze mitigation steps and their costs for top risks
• Produce a cost-benefit estimate
• Use to decide how best to allocate available resources
Cybersecurity Framework
• Protection
• Aim to prevent security incidents by implementing safeguards for critical infrastructure and data
• Where prevention is not possible, protective measures will be designed to limit impact
• Access control is a key means for protecting information assets and IT systems
• Physical
• Logical
Cybersecurity Framework
• Protective technologies for information security
Cybersecurity Framework
• Detection
• Helps minimize the damage in case of cybersecurity events
• Involves monitoring for unexpected events and anomalies
• Investigating potential security events can be time consuming
• Need to minimize false positives
Cybersecurity Framework
• Detection
• Aim to identify when fraud and security breaches occur
• Manual techniques
• Reconciliation
• Transactional audits
• Surveillance
• Electronic techniques
• Reconciliation
• Event monitoring and correlation
• Statistical analysis
Cybersecurity Framework
• Estimated cost of recovering from a security breach versus how quickly it was discovered
[Chart: recovery cost, scale $0 to $1,200,000, for breaches discovered in near real time, within a day, and over a week. Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]
Cybersecurity Framework
• Response
• Goal is to minimize the impact of an incident
• Response effort should begin long before any security incident occurs by developing an incident response plan
• Incident response plans typically provide high-level guidance
• Need to be interpreted in the context of the specific event
• Identify what information needs to be captured and documented to provide a record of the incident and the response activities
Cybersecurity Framework
• Recovery
• Planning for and implementing steps to restore services to normal operation after a cybersecurity incident
• Assess
• Which IT systems could be potentially impaired by a cyberattack
• What steps would be required to restore those systems
• Important to estimate and consider the time and effort required for recovery
Security Operations
• Management and execution of security-related procedures
• Manual technique examples:
• Issuance of access cards
• Process audits
• Electronic technique examples:
• Granting access to system functions
• Digital certificate generation and distribution
Security Operations
• Common functions
• Controlling access to information and system functions
• Managing signature records and digital certificates
• Investigating incidents and vetting of staff
• Identifying new potential threats
• Ensuring that procedures and policies are
• Adapting security procedures and policies where necessary
• Performing audits and reviews
• Training
Business Opportunities
• Provision of “secure” services
• Physical safety deposit boxes
• Virtual safety deposit boxes
• Leverage fraud detection capabilities
• Monitor corporate customers’ account activity for irregular or suspicious patterns
Business Challenges
• Assessing the scale and scope of potential losses
• Deciding what costs should be borne to prevent them
• Indirect attacks on banks
• Hacking merchants’ point of sale terminals and databases
• Phishing scams targeted at end customers
• Weakness in outsource service providers’ security
• Educating bank business managers about cybersecurity, given all of its complexities and technical nature
Process Considerations
• Security weaknesses may occur across functional or process boundaries
• Explicit consideration and specification of security requirements is critical
• Dealing with security superficially during requirements analysis and design can lead to
• Major security concerns being identified during testing or deployment
• High cost and time delay to reengineer the solution to address newly identified security concerns
Process Considerations
• Example of security requirements analysis
Architecture Considerations
• Layered security
• A.k.a.: defense in depth
• Multiple security layers ensure that no single point of failure will compromise security
• Preferably, different types of security barriers are combined
• Example: to help prevent SQL injection attacks
• Layer 1: check for punctuation symbols
• Layer 2: verify no SQL commands
• Layer 3: do not interpret SQL, use stored procedures
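The three layers above worked through in Python with SQLite, as an added example that is not from the slides. The table, names and balances are constructed, and since SQLite has no stored procedures a parameterized query stands in for Layer 3; each layer is a separate function so that each can be shown stopping the same input on its own.

```python
import re
import sqlite3

# Constructed sample data: an in-memory accounts table standing in for a
# banking database (hypothetical usernames and balances).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn

# Layer 1: allow only characters a username can legitimately contain, so
# quotes, semicolons and comment markers never reach the query at all.
def layer1_punctuation_ok(value):
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", value) is not None

# Layer 2: independent check that no SQL command word appears, so a later
# loosening of layer 1 (say, to allow spaces) would not by itself open a hole.
SQL_WORDS = {"select", "insert", "update", "delete", "drop", "union", "exec"}

def layer2_no_sql_words(value):
    tokens = re.split(r"\W+", value)
    return not any(tok.lower() in SQL_WORDS for tok in tokens)

# Layer 3: the statement text is fixed and the input is bound as a parameter,
# so the database engine never interprets it as SQL. This is the SQLite
# stand-in for the slide's stored-procedure layer.
def layer3_lookup(conn, username):
    row = conn.execute("SELECT balance FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None

# All three layers together; the result records which layer rejected input.
def lookup_balance(conn, username):
    if not layer1_punctuation_ok(username):
        return ("rejected", "layer1")
    if not layer2_no_sql_words(username):
        return ("rejected", "layer2")
    return ("ok", layer3_lookup(conn, username))

if __name__ == "__main__":
    conn = make_db()
    print(lookup_balance(conn, "alice"))
    print(lookup_balance(conn, "alice' OR '1'='1"))
    # Layer 3 alone treats the payload as a literal username and finds nothing.
    print(layer3_lookup(conn, "alice' OR '1'='1"))
```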
Architecture Considerations
• Security tradeoffs and cost/benefit analysis
• The most secure IT system is one that no one has access to
• Not practical
• Security managers must work with architects and business managers to find the optimal balance
• Have constructive discussions, not standoffs
• There is no universal security architecture
• Tradeoffs vary by institution and solution
Solution Considerations
• A number of security best practices have been defined and documented
• Should be incorporated into design process
• Example: Open Web Application Security Project (OWASP)
• Provides guidance and tools for implementing secure web applications
Solution Considerations
• Security concerns for solutions have been affected by
• White labeling
• Creates exposure to other parties’ security risks
• Outsourcing/offshoring
• Exposes financial institutions to new personnel and system environment risks
• Dependent on the security provided by the service provider
• New channels
• Their security robustness may be relatively immature
• Expansion into new geographies
• Relative level of security varies from country to country
• Disincentives provided by legal prosecution will be less effective where the rule of law is not strong
Introduction
• Operational and compliance risk is managed through the design of processes and business practices
• Risks are identified and mitigating controls are put in place to address them
• Controls increase the cost of processing and the complexity of processes
• IT can be used to implement mitigating controls and to monitor operations and compliance
• Technology can also be a source of operational and compliance risk
Operational Risk
• The Basel II framework classifies operational risk losses into seven event types:
• internal fraud
• external fraud
• employment practices and workplace safety
• products and business practices
• damage to physical assets
• business disruption and system failure
• execution, delivery, and process management
Operational Risk
▪ This chapter will focus on four areas of operational risk
[Figure: four areas of operational risk with their sub-areas. Internal Fraud (Unauthorised Activity); External Fraud (Theft and Fraud); Business Disruption and System Failures (IT Systems Security); Execution, Delivery & Process Management (Transaction Capture, Execution and Maintenance; Monitoring and Reporting; Customer Intake and Documentation; Vendors and Suppliers). Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]
Operational Risk
• Types and Sources of Operational Risk
• Unauthorized activity
• Unauthorized activities, e.g. “rogue traders”
• Intentional mismarking of positions to hide losses
• Exception-based monitoring can help identify inconsistencies and inaccuracies that result from unauthorized activities
• Knowing that effective monitoring is in place can provide a strong disincentive for unauthorized activity
Operational Risk
• Types and Sources of Operational Risk
• Theft and fraud
• A major source of operational risk for financial institutions
• Insiders are able to more easily bypass controls that protect against theft and fraud
• 75% of fraud is perpetrated or facilitated by insiders
• Customer information that has been leaked through data breaches enables external fraud via account takeovers and identity theft
Operational Risk
▪ Motivations for fraud
[Bar chart, 0% to 100%, of motivations for fraud: for personal financial gain and greed; eager/”because I can”; organizational culture driven; meet targets/hide losses to receive bonus; meet budgets/hide losses to retain job; meet targets/hide losses to protect the company; other. Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]
Operational Risk
• Types and Sources of Operational Risk
• Theft and fraud
• Technology-based attacks have become an increasingly common avenue for fraud
• Technology has made it easier for fraudsters to attack financial institutions remotely, often from foreign nations
• Technology is used to implement many of the controls that are used to prevent fraud
• Technology helps detect exceptions and anomalies that can be symptoms of fraudulent activity
Operational Risk
• Types and Sources of Operational Risk
• IT systems security
• Operational risk related to hackers
• Denial of service attacks
• Malware that is designed to erase information or render IT systems unusable
• Fraud risks related to hackers
• Issuing falsified payment instructions
• Sabotaging IT systems that have direct access to cash, e.g. ATMs
• Stealing customer contact and account information
Operational Risk
• Types and Sources of Operational Risk
• IT systems resilience
• Failures and disruptions can occur at many different levels:
• Hardware
• Software
• Networks and telecommunications
• Power
• Redundancy of IT systems and communications mitigates the risk of failures
• Redundancy of skills and knowledge across operational staff is also necessary
Operational Risk
• Types and Sources of Operational Risk
• Information mismanagement
• Examples:
• “Fat fingering” data entry, e.g. adding an extra zero
• Data updated in one system but not another
• Stale reference data, e.g. SWIFT bank identifier codes
• Failed transfer of batch file inputs used for processing
• When designing IT solutions, it is important to think about the types of operational risk that could arise related to information management
• Design and build in safeguards to help avoid that risk
Operational Risk
• Types and Sources of Operational Risk
• Vendor and supplier risk
• Dependencies on vendors and suppliers can lead to operational risk
• A potential outage at a service provider is an operational risk for the bank
• Recent technology trends can increase operational risk
• Third-party hosting, i.e. cloud-based services
• Use of remotely accessed third-party components via application programming interfaces (API)
• Well-designed service level agreements and performance monitoring help mitigate vendor risk
Operational Risk
• Operational Risk Measurement and Capital Allocation
• Basel II approaches for capital allocation to offset potential losses due to operational risk
• Basic Indicator Approach
• Standardized Approach
• Advanced Measurement Approach
• Range from very simple to very complex
• Trend is moving to use Standardized Approach for all institutions
Compliance Risk
• Regulatory Objectives
• Common goals
• Protecting depositors and consumers
• Maintaining financial stability
• Ensuring that the financial system is efficient
• Protection of depositor funds from bank failures is a key concern
• Ensure that banks do not take excessive risks
• An efficient payment system underpins the banking services and the financial markets
• Banking and other financial services should be provided at competitive prices and high quality
Compliance Risk
• Regulatory Objectives
• Regulatory bodies in USA
• Several different government agencies that provide oversight
• Federal Reserve (Fed)
• Office of the Comptroller of the Currency (OCC)
• Federal Deposit Insurance Corporation (FDIC)
• Consumer Financial Protection Bureau (CFPB)
• State regulators oversee state-chartered banks
• US banks that operate in foreign countries will also be supervised by regulators in those jurisdictions
• Industry bodies may also regulate and supervise banks’ activities, e.g. Visa and Mastercard
Compliance Risk
▪ Consumer complaints about financial institutions (CFPB)
[Pie chart of complaint categories: consumer loan 5%; other 7%; bank account or service 12%; mortgage 21%; debt collection 21%; credit reporting and credit card (22% and 12%; the pairing is not legible in the extracted chart). Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]
Compliance Risk
• Types of Laws and Regulatory Guidance
• Vendor management
• Banks rely on third-party service providers to execute business processes and implement IT systems
• From a regulatory perspective, third parties need to be factored into banks’ risk planning and must be effectively managed
• Vendor management programs define roles, responsibilities, procedures, and reporting mechanisms for overseeing and managing the vendor relationship
• Banks face the challenge of having limited visibility into their vendors’ technology operations and infrastructure
Compliance Risk
• Technology Solution Considerations
• Regulation of Payments in USA
• A wide range of laws and regulatory guidance apply to payments, examples:
• Processing of cheques: Uniform Commercial Code (UCC) and Expedited Funds Availability Act (EFAA)
• Credit card payments: CARD Act and PCI DSS
• Automated clearing house (ACH) payments: NACHA operating rules, UCC, Regulation E, and Code of Federal Regulations
• All payments must comply with the Bank Secrecy Act
• Anti-money laundering (AML) compliance is a major area of concern for banks
Compliance Risk
• Technology Solution Considerations
• Trade reporting (a capital markets example)
• Implemented after the GFC to provide visibility into risks presented by use of OTC derivatives
• Details of OTC derivatives trades must be reported to sanctioned trade repositories
• Each national jurisdiction has different requirements as to
• What asset classes need to be reported
• Which trade details need to be reported
• The timeliness of reporting required
• Which market participants need to report