Technology is an indispensable component of the business process — perhaps even more so for the high-profile and technology-dependent financial services industry. This is evident from IT security remaining in pole position among technology investment priorities for banks, insurers, and financial markets. In fact, the visibility and importance of IT security products in financial enterprises have increased dramatically within the past two years, following the global economic malaise.
Furthermore, security products and technologies are more vital now than before as businesses evolve and begin implementing new applications and IT architectures (such as Web 2.0, cloud computing, and mobile workforces), and financial institutions have to meet the challenges that come with these new technologies head-on.
With this growing visibility of IS risk comes a slew of interesting questions to be answered, such as: What are the leading reasons for investing in information security (IS), and which are the key initiatives? What are the barriers to ensuring adequate IS? Do financial institutions intend to invest in mobile security tools? What are their security concerns about the cloud environment? How will IT security budgets evolve over the next year?
All of these were addressed in our recent survey of Asian financial institutions on their IS initiatives. Based on the findings from that survey, it is encouraging to note that, for the most part, financial institutions have taken a proactive stance toward managing IT security risk. Nonetheless, we note that variances remain between current implementations and best intentions, and between policies and practices in IT security.
Speaking of variances from best practice, I would like to draw particular attention to a fascinating, albeit disturbing, revelation: as a cost-saving measure, almost 18% of respondents were prepared to accept that some vulnerable risk areas would be left unprotected.
This is not a wise decision! We advise financial institutions against doing so for the following reasons:
-- We live in an environment of heightened threats. The number of threats targeting financial enterprises continues to grow rapidly, and the speed with which they are escalating already makes it increasingly difficult for IT security to keep up. It behooves organizations to maintain a robust security posture rather than leave critical areas unsecured in the hope that luck will be on their side and they will not suffer a security incident.
-- Institutions need to conform to regulatory requirements. While it may seem repetitive to talk about the need to adhere to regulations, it is nonetheless a point worth reiterating. Compliance is an inescapable reality, perhaps even more so within heavily regulated verticals like the financial services sector.
Each jurisdiction has its own regulations setting out the key principles and recommended sound practices for managing security risk (e.g., the Hong Kong Monetary Authority's [HKMA's] Management of Security Risks in Electronic Banking Services, and the Monetary Authority of Singapore's [MAS's] Internet Banking and Technology Risk Management [IBTRM] guidelines).
Compliance with IS risk regulations requires an investment of time and resources. Establishing a sound and robust technology risk management framework becomes an even more grueling task should IT security budgets be slashed.
-- Information security is a business enabler. There are numerous potential business benefits from getting one's information system security right. For instance, up-to-date and secure systems are more likely to be accurate and efficient, and better information systems help build customer confidence and often increase the capacity of a business (e.g., a secure banking or insurance Web portal makes customers more willing to conduct Internet banking transactions or purchase insurance policies online).
-- And we all know too well that the costs associated with security breaches add up quickly! Quoting a regulator who spoke at our IDC Financial Insights 2011 Asian Financial Services Congress: "Sacrificing the safety of technology risk for higher profitability is a fool's paradise. A huge IT debacle will wipe out the false gains of such a folly." He was, of course, referring to how severe and negative the consequences of security breaches can be. This includes not just the immediate revenue loss but, more devastatingly, the reputational damage, the loss of confidence among current and potential customers, and the impact of legal liabilities.
A recent instance of such a breach occurred at the National Agricultural Cooperative Federation (NACF) in South Korea, which suffered a systems outage in April that left customers unable to withdraw or transfer money or use credit cards for three days. This was reportedly an inside job by an employee of a subcontractor, and it left the bank grappling with 310,000 customer complaints and nearly 1,000 compensation demands, and facing probes from the country's central bank and the Financial Supervisory Service. (Interestingly, another suggestion was that this was the work of North Korean cyber terrorists seeking to cause confusion and disorder within South Korea, but let's leave that for another discussion altogether.)
This was the second major incident at a South Korean financial firm within the span of a month, the first being at Hyundai Capital (the financial arm of South Korea's top automaker, Hyundai Motor Company), where a hacker broke into its computer system, stole the personal information of 420,000 customers, and used it to blackmail the company.
So no: opting not to secure some vulnerable areas just to save a few dollars is not a good move. One can only speculate what the final cost — financial, reputational, regulatory, and so forth — will be for these two institutions.
For detailed survey findings covering fundamental issues around the evolving role of the Chief Information Security Officer (CISO); organizations' commitment to information security; core IT security initiatives; security risk concerns pertaining to transformational innovation (including the emergence of mobile devices, cloud computing, and the embrace of social networking); how institutions are dealing with the perennial threat of fraud; and respondents' expectations of changes in IT security budgets over the next 12 months, please refer to: Business Strategy: 2011 Security Survey — The State of Information Security Within the Asian Financial Services Industry (Doc # FIN228028, May 2011).