
Risk management for financial institutions

Hassan Md Rabiul | Thursday, 27 April 2017


Bank robbery may still be a popular theme for the movies, but reality is evolving into something different. Men in black carrying guns or digging tunnels towards the bank vault no longer pose as much of a threat to banks as someone sitting miles away in front of a computer and stealing all the precious resources a bank has. The high reliance on technology and the increasing popularity of online transactions and cloud computing make financial institutions (FIs) highly vulnerable to cyber-crimes and cyber-threats. According to a 2015 study by the Ponemon Institute and HP Enterprise, the average money lost to cybercrime in financial services topped that of other industries globally. The recent attempt to transfer $951 million from Bank of Bangladesh using the Federal Reserve Bank of New York, one of the biggest financial institutions, paints a succinct, accurate, yet sad picture of cyber threats.
Yet, it is not all about money. The liability of financial institutions goes further than protecting money. Financial institutions hold financial and personal information, including intellectual property like business secrets, research and development, trade secrets, business strategies and so much more.
Any compromise in preserving clients' information would be just the beginning of traumatic events for institutions and customers, and may even initiate the total collapse of the whole economic ecosystem. Interestingly, sometimes the cyber threats are not even directed towards siphoning money or stealing information; they simply deny services to FIs' customers to blight the image of the FIs. It is imperative for financial institutions to reinvent careful approaches to immunise themselves against cyber theft, or else the hours spent calculating risk and multiplying will go in vain with just one major cyber security breakdown.
Despite the mounting cyber threat, financial institutions in Bangladesh have paid a great deal of attention to protecting money only from physical threats and devoted meager resources to averting cyber threats. The use of a cheap router in Bangladesh Bank is a glaring example of the common practice of using cheap technological products in Bangladesh. This router expedited access to the bank's SWIFT.
The proliferation in the number, scale and intricacy of cyber threats adds a new dimension to risk management for financial institutions. It is observed that while techies are preventing previous frauds from recurring, new malignant attacks evade detection. Thus, IT's work under operation management, taking care of hardware and software requirements for financial institutions, does not suffice anymore. Unlike other customised risk management tools available to FIs to optimise operational efficiency, there is no tool available that entirely eliminates or mitigates cyber-attacks. Thus, FIs have to employ extremely talented IT security experts and resources to be able to gauge and predict the threats and be prepared if anything unexpected occurs. Cyber security is never a goal, but an ongoing process.
However, what is crucially important for Bangladesh in precluding cyber crimes is changing the mindset of the different stakeholders of the financial industry. Creating a cyber-risk-aware culture at the institution level and in the overall industry is crucial. Increasing IT literacy among the members of the organisation, and even among customers, is necessary to ensure that everyone understands the importance of cyberattack prevention, identification and remediation. It is true that keeping data safe while not compromising customer convenience remains a challenge for financial institutions and their cybersecurity programmes and policies. It is usual to feel unwelcome as a customer in the presence of excessive security measures. Yet financial institutions should formulate an integrated and complete cyber security plan that is welcoming enough not to lose any business or customers.
Additionally, the introduction of cyber theft insurance is a prudent move considering the probable monetary loss caused by a cybercrime. Moreover, in the event of a data breach, legal and liability expenses could mount up if the institution is sued by customers. Insurance can at least give a momentary cushion to the affected organisation.
Financial institutions must develop strategies collaboratively, engaging all the related parties, and share information among members of the group on the security threats they face. This would help to resolve any such issue quickly and efficiently, rather than each organisation trying to win the battle on its own. The Bangladesh government also must update the ICT act to enable its law enforcement to keep pace with tech-savvy criminals. Moreover, a good number of financial institutions in Bangladesh often rely on third-party vendors and contractors for IT services. Thus, it would be imperative for the financial institutions to scrutinise their vendors to make sure they are as thoroughly prepared to safeguard data as the institution itself.
Financial institutions and people have to take precautions. Nothing but thorough preparation can help to prevent the worst.

The writer is studying for a Master of Science in Economics at Portland State University, USA. He can be reached at md9@pdx.edu