‘Online banking security requires comprehensive approach’

By Esther Uyor

Against the background of rising cyber threats, stakeholders in the banking sector have sought the adoption of a more comprehensive approach that addresses the challenges in tackling cyber risks and ensures the safety of the online banking space.

Managing Director, Polaris Bank Limited, Mr. Adekunle Sonola, said there was a need to address the fundamental issues of human capital, technology and third-party stakeholders to ensure security of the internet banking space.

He outlined that the issues of skill gaps, information sharing, and effective engagements with law enforcement agencies and regulators on speedy conclusion of investigations, apprehension of suspects and prosecution of those found culpable are also important in achieving a safe and sustainable financial services sector.

Sonola was the keynote speaker at the 54th quarterly meeting of the Association of Chief Audit Executives of Banks in Nigeria (ACAEBIN) at the weekend in Lagos.

The theme of the meeting was: “Cybersecurity threats and the challenges of building a sustainable financial sector: The way forward”.

He noted that cyber risks represent a major threat affecting the banking industry today, hence the need for chief audit executives and other stakeholders to rise up collectively to the challenges.

According to him, a consequence of pervasive adoption of technology is the increase in sophistication and frequency of cyber incidents with cyber threats everywhere and always changing, making it appear, in many instances, almost impossible to prepare for all threats, or to keep up to date with best practices in cybersecurity.

“Cyber security risk is the real pandemic of modern times. It is ever present, increasing like a virus, and we cannot inoculate ourselves against it. The fact is that the increasing connectivity results in greater security risks and hackings are becoming more frequent from a greater variety of actors,” Sonola said.

He noted that with the increase in frequency and sophistication of cyber-attacks, the task of building a sustainable and resilient financial institution is becoming more challenging; from the high cost associated with maintaining an efficient cyber security programme to the issue of attracting and retaining skilled technical resources, managers in the financial services industry face hard choices.

He identified three broad categories of risks facing the financial services sector to include the people factor, third-party risk factor and technology factor.

According to him, at the top of the cyber threats that the financial services industry is facing is the human capital issue, as people are responsible for both the threats and the security of the system.

“If we talk about phishing attacks, people are the delivery medium. If we focus on malware, people are largely the execution factor, if we talk about weaknesses in systems configurations that allow an attacker to succeed in compromising systems; people are responsible for maintenance of such systems. If we take a look at insider related frauds and irregularities, we will see that people are at the centre of them all.

“The people factor remains a formidable threat agent for the survival of any organization and its cyber resiliency. An emerging issue around people is the current high rate of staff attrition occasioned mainly by ‘japa’ syndrome and the attendant difficulty in resourcing to fill human capital vacancies,” Sonola said.

He pointed out that the third party risk has also been amplified by open banking with increasing interconnectivity in the financial services sector and the growing global concept of open banking, making banks and other financial institutions increasingly susceptible to cyber risks.

“Financial services currently rely heavily on the use of APIs to facilitate business-to-business connectivity. No matter how well protected an organization is, if a third party is weak, collectively the entire financial services industry will be weak because a chain is as strong as its weakest link,” Sonola said.

Sonola, who was represented by Mr Segun Opeke, Executive Director, Lagos Business of Polaris Bank, added that technology and innovation are also a major risk factor for the financial services industry as the same cutting edge technologies such as artificial intelligence and robotics that are available to run businesses are also available to hackers and fraudsters who are using them against organizations.

He said the financial services industry must brace up and be prepared for more sophisticated attacks in the years ahead facilitated by cutting edge technologies.

He underscored the importance of continuous capacity development for chief audit executives of banks because they sit at a vantage position with oversight and assurance functions on information technology (IT), information system security, internal control and other areas of the organization.

He outlined that in managing cyber security risks and their related threats to financial services, the audit function can no longer remain analogue, gathering loads of files and documents to review transactions and events after the fact; to be relevant and truly add value in this digital age, audit professionals must begin to build and acquire IT and digital skills.

“We have to move the audit function to the cutting edge of technology and begin to speak languages like machine learning, AI, cloud computing, IoT, as core levers of your trade. When technology solutions and applications are being conceived to meet operational or business needs in our institutions, the audit function must be actively involved in that process and ensure that audit capabilities are built into technology solutions in a manner that satisfies audit objectives,” Sonola said.

He said there was a need to close the gap between the audit and risk management functions while still maintaining the independence of the internal audit function.

According to him, given the dictates of digital transformation, audit function must become more proactive and less reactive as the speed at which technology drives events and transactions, and the associated scale of damage, require the auditors to become not only proactive but also online and real-time in delivery.

He noted that with the pace at which technology is changing the banking landscape, coupled with the interconnectedness of the financial system against the backdrop of open banking, audit partnership among financial institutions must lead the frontier of collaboration.

He added that banks must effectively collaborate in data gathering, information and knowledge sharing as undue and adversarial competition could further strengthen cyber threats and weaken banks’ ability to check these nefarious activities.

“Effective training of staff even up to the board level to continuously create necessary awareness around cyber security risks and to enhance cyber resilience. When people are well trained, they can easily identify cyber threats and take steps to prevent cyber incidents.

“Effective management of the current high rate of staff attrition in the technology related functions. Can we consider a recruitment pipeline for fresh graduates to take positions under the supervision of experienced hands? Another approach is to consider formulating remote work policies and a way of retaining the services of very experienced hands who may be willing to continue rendering services to the organization under a remote work arrangement,” Sonola said.

He emphasised the need for effective management of third party risks by having a strong service level agreement and contract with third parties, conducting regular onsite and offsite assessment of the third parties to ensure they have or maintain minimum security standards, conducting cyber-security awareness training for third parties based on the risk assessment you have conducted on them and deploying relevant technologies to protect the connections one might have established with third parties.

He also underscored the importance of effective management of technology risk through constant investment in technologies, as modern cyber security programmes rely heavily on cutting edge technologies such as artificial intelligence (AI), robotics and others.

“Furthermore, cyber risk is constantly changing and evolving, security solutions implemented in the past may have become obsolete and incapable of handling current threats. It is therefore necessary for you as auditors to continue to draw the attention of your management towards sustaining investment in cyber security solutions for the protection of our information assets,” Sonola said.

Citing global tech data, Sonola pointed out that technology continues to grow at a steady rate, with information technology one of the fastest growing sectors in the world, adding that global statistics underscore the importance attached to cyber risks and the need for a holistic approach to handling them.

Chairman, Association of Chief Audit Executives of Banks in Nigeria (ACAEBIN), Mr Felix Igbinosa, said ACAEBIN will continue to seek ways of enhancing the existing relationships through constant engagement and collaboration with all stakeholders.

He commended all stakeholders and regulators for all their efforts at regulating and improving the banking space for the overall good of the economy.

He lauded the continuing support of Polaris Bank for the programmes and activities of the association, assuring the bank of the association’s commitment to continuing to collaborate with the bank in the collective effort towards a healthy, safe and secure banking environment.
