Cyber Risks: What the Board Needs to Know
Clifford Chance's Ng on Why Singapore Banks Need New Strategy
Because of commercial and governmental pressure to increase the use of electronic banking, cybersecurity risk is now the biggest challenge facing Singapore's financial institutions, says Lena Ng of consultancy Clifford Chance.
"While the financial institutions of the region are aware of their vulnerability to cyber attacks, what they don't realize is these attacks can damage their businesses, and can raise legal and regulatory issues that need to be anticipated," says Ng, Singapore-based counsel and consultant at the risk management firm.
"While the FIs are guided by the technology risk management guidelines prescribed by the Monetary Authority of Singapore, there is no legally binding obligation to adhere to them."
Unlike in the U.S. or Europe, where regulatory bodies enforce stringent actions against firms whose systems are deficient, Singapore works differently, Ng says.
One way to address this, she says, is to take a top-down approach to handling cyber risks, making it a board-level discussion. "It is important to enable the security teams to map the board's risk agenda and make it binding to comply with the regulatory guidelines," Ng says.
In this interview with Information Security Media Group, Ng discusses why senior management must now be involved in cybersecurity, and how a risk mentality should be instilled across all levels in the organisation. She shares insights on:
- Changes in approach to address cyber risk;
- State of data breach disclosure in the region;
- Third-party risk management challenges.
Lena Ng advises financial institutions on licensing requirements, exemptions, conduct of business and other regulatory requirements. In addition, she advises on custody, collateral, netting and clearing issues, data privacy, cybersecurity, as well as cash and credit risk management.
Cyber Risk and the Board
GEETHA NANDIKOTKUR: You have been advising financial institutions on the regulatory, data privacy and risk matters. What are the changes required in the current scenario?
LENA NG: One of the biggest challenges that FIs face when dealing with cybersecurity is the impact of making systems more accessible. Institutions are under commercial and governmental pressure to increase the use of electronic banking. We need to look at cybersecurity risks from a different perspective in Singapore. In the U.S., cybersecurity is a national priority. There is an array of regulators approaching the issues. Two fundamental aspects come to my mind: enabling the teams to map the risk agenda, and adhering to the technology guidelines to combat cyber threats. The change is a top-down approach.
Institutions all over the world are exposed to operational, reputational and legal risks. For FIs this means:
- Board-level engagement is critical;
- Risk assessments should be proactive not reactive;
- Monitoring arrangements should be in place.
I see visible changes as cybersecurity is becoming a board-level discussion across FIs. Two-thirds of board members recognise that increased scrutiny by social media has increased their exposure. I see a greater alignment between security teams and legal and compliance to address cyber risks.
While ensuring that risk oversight at the board level marks a commitment of senior-level attention, boards are ensuring that the risk function does not lose its independence as a check on executive decision-making, and that a risk mentality is instilled across levels and functions in the organisation.
Data Breach Disclosure
NANDIKOTKUR: What is your take on data breach disclosure status in Singapore - the risks and the danger of unreported breaches and the legal implications? How do enterprises handle this?
NG: The first assumption would be that the systems are getting hacked on a daily basis, both internally and externally. The institutions should adhere to MAS guidelines. While the guidelines are not legally binding, the degree of observance by the FI is an area of consideration. Unlike the U.S. or Europe, where regulatory bodies like the Securities and Exchange Commission and FINRA want disclosure from victimised firms, and have also brought enforcement actions against firms whose systems were deficient, Singapore works differently.
The institutions are expected to report any breach to Singapore's Personal Data Protection Commission, which would take action and guide the firm. MAS works with the PDPC in determining the risk and puts in place regulations that facilitate disclosure of information that consumers could rely on in making financial decisions.
NANDIKOTKUR: What is your advice on managing third-party risks and their legal implications?
NG: Third-party risks are posing a big challenge for FIs due to IT outsourcing and unclear laws, involving the provision of IT capabilities and facilities by vendors located in Singapore or abroad. I suggest senior management's involvement in understanding risks associated with it.
One of the key aspects is to ensure that the contractual conditions governing the roles of all parties are in written agreements. The requirements covered in the agreements would usually include performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery capability and backup processing facility.
On termination of contract, the FI should have the contractual power to remove data stored at the service provider's systems. Security teams need to compel service providers to implement stringent policies.
Cybersecurity Risk Lessons
NANDIKOTKUR: What are the best cybersecurity risk management lessons this region needs to learn from the west?
NG: Cybersecurity is critical for this region. Despite the fact that institutions are aware of their vulnerability to cyber attacks, they need to follow policies to both defend against, and respond to, lapses. The vital aspect is who should be considering these risks, and where the responsibility should lie. It is important to emulate the best practices established by the U.S. and the UK, in the form of the National Institute of Standards and Technology (NIST) Framework and the UK's Data Protection Act, which set out how secure data should be and how organisations should respond to incidents.
The key aspects that practitioners need to take into account include that the perpetrators of cyber attacks fall into one of four categories:
- Criminal - involving the fraud and/or theft of valuable data;
- State-sponsored - involving governments accessing military secrets or sensitive commercial information, or causing disruption;
- Hacktivism - by individuals or groups, such as the threat by Anonymous to shut down banks' social media pages;
- Insiders - involving current or former employees, either stealing corporate assets or breaching confidence.