Most bank boards ignorant of cyber risks, finds study

Only 3.0pc of CROs charged with managing exposures


Mehdi Musharraf Bhuiyan | Published: July 29, 2017 09:54:42 | Updated: October 22, 2017 08:07:42


A significant section of the country's banks and their governing bodies are not sure about what their major cyber threats are, a recent industry-wide survey on cyber risk governance has revealed.

The survey also found that 45 per cent of the bank boards do not know what their single biggest technology or cyber security vulnerability is, while 42 per cent of the banks do not know what their largest potential cyber risk exposures are.

Around 76 per cent of the country's banks do not explicitly know the legal implications of cyber risks for their institutions.

Even though cyber risk is included in the Risk Management Framework (RMF) of around 82 per cent of the banks, further insight reveals that such integration remains largely 'on paper'.

The findings have emerged during a cyber risk governance survey conducted recently on the Chief Risk Officers (CROs) of the country's banking institutions.

Leading banking research body 'Bangladesh Institute of Bank Management (BIBM)' conducted the survey.

The survey results show that 58 per cent of the bank CROs responded with either 'No' or 'Sometimes' when asked 'Is cyber risk considered explicitly as a distinct material risk type' in their institutions.

"This shows that although cyber risk is integrated in risk management at a policy level, in practice, this is perhaps often not the case", said Sajib Azad, Senior Advisor of BIBM.

Mr Azad, who brings with him experience of working with the European Central Bank and the Bank of England, conducted the survey along with the Director General of BIBM, Dr Toufic Ahmad Choudhury.

"Additionally, the 'Sometimes' response also tends to indicate that when cyber risk is discussed, it is discussed largely in terms of incident management or on an ad-hoc basis", he added.

Analysts also observed that the survey responses indicate a lack of depth in the overall cyber risk management of the country's banks.

For example, it was found that only 3 per cent of the CROs are charged with managing cyber risk exposures.

This probably shows that cyber risk is seen 'merely as a technology or IT risk' in the country's banks, experts said, which makes it challenging for the banks to identify the real business risk it poses.

Previously an overlooked topic in Bangladesh's banking industry, cyber risk issues are now gradually gaining attention after the US$ 101 million central bank heist of last year.

The survey of the Chief Risk Officers, however, shed new light on the cyber risk framework and related governance issues within the banks.

The findings of the survey are set to be shared at the next Chief Risk Officers' forum of BIBM, scheduled for August 30.

When asked what the most substantial challenge in improving cyber risk management in the banks is, most of the respondents pointed to the 'limitations of the current system'.

In addition, 'access to the required technical know-how' and, most notably, 'senior management's interest' were also identified as major obstacles.

"Perhaps lack of senior management's interest is a result of seeing cyber risk as an IT issue rather than what it is: a critical business issue", said Dr Toufic Ahmad Choudhury, Director General of BIBM.

"The fact that 48 per cent of the respondents do not know which systems not to bring back up quickly further supports the theme that cyber risk is viewed narrowly as an IT risk and has limited traction with the wider bank and governance elements", he added.

As a way out of the prevailing condition, experts called for developing greater awareness across the banking industry, as well as a culture of taking pre-emptive action against cyber risks within the banking institutions.

"The first step in this regard is to develop a cyber security policy and crisis management plan", Mr Azad said, adding that this needs to be collectively understood, taken seriously and enforced by the leadership.

"The critical thing is to create cyber security awareness not only among IT personnel of the banks but among all employees of a financial institution", Dr Toufic Ahmad Choudhury said.

mehdi.finexpress@gmail.com