Reducing cyber risk of banks by M. R. Khan
In the blockbuster film Terminator II, a young John Connor (played by Edward Furlong) steals money from an ATM using his laptop. The film was released in 1991, however, the story was set in 1995. While in 1991 the technology used by John Connor in the film seemed cleverly 'new', in reality, by 1995, hackers were way ahead of the game.
But back then such threats did not seem real in Bangladesh. Why? Possibly because our banking and financial institutions were not as connected to each other and with the world as they are today. We depended on manual processes, not as much on technology. In other words, the hackers' playground was not quite ready yet. Now, on the other hand, Bangladesh is now a fertile soil for cyber predators.
The risk management and insurance industries worldwide knew well that this was a long time coming. Incidents such as the ATM hackings and embezzlement of US $100 million are the early manifestations of the new risk landscape in Bangladesh. As far as cyber security, cyber terrorism, and internet based risk exposures are concerned, we have learned painfully that life can, in fact, imitate a movie.
Similar to computer viruses, treatment towards internet viruses and cyber related threats, including cyber terrorism, are a 'lagging' process; that is, the people involved in such criminal activities are always ahead of the game. Those involved in fighting the crimes are simply reactively learning and fixing the loopholes by putting up fences (anti-viruses, fire-walls, etc). This is not new to the world – the West has been actively fighting the cyber war since the 1980s. It is not by accident that cyber security is one of the most important industries in the modern world today. It has been a steep learning curve for the Western countries, where cyber criminals have pretty much done it all - starting from stealing credit card details, thefts from ATM, transfer of funds through hacking private and corporate accounts, to shutting down major utility services across nations.
The banking industry has been a locked target for hackers since the inception of the internet. Individual banks and/or their branches have significant exposures in terms of high-frequency / moderately low-severity. However, central banks, which handle large transaction values between a limited numbers of participants (primarily other banks), are exposed to losses that are less frequent but when they do happen, are colossal. Such was the case of Bangladesh Bank. While branch and private bank level heists mostly go unreported (primarily due to lower loss amounts), it is usually impossible to contain information regarding thefts, burglaries and cyber crimes at the central bank level due to their significantly higher loss amounts, such as the $87 million reported losses at the Tanzania Central Bank due to fraud, $70m robbery at the Brazilian Central Bank in Fortaleza, attempted fraud involving a €20bn transfer from the UAE Central Bank, and several other cases, including, of course, the most recent attempted heist of $1bn and actual heist of $100m from Bangladesh Bank.
To counter these issues, several international standards have been promulgated and adopted by the financial industries within the international community. In June 2006, the Basel Committee on Banking Supervision issued a revised framework on the basis of a compilation in June 2004. Risk-based capital adequacy of banks under Basel II Framework was adopted and came into force on January 1, 2010 in Bangladesh. Its section 677, under the Advanced Measurement Approaches, (AMA) states that “a bank will be allowed to recognise the risk mitigating impact of insurance in the measures of operational risk used for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20 percent of the total operational risk capital charge calculated under the AMA.” Basel Committee recognises the fact that the best of standards and security may not be able to prevent or deter the treats that banks are exposed to. And as such, the industry must transfer some of the residual risks to insurance. Bangladesh Bank, a party to Basel II framework by adoption, needs to mandate the statutes of Section 677 and 678 within the banking industry. In the digital and globally connected environment, it is vital for today's institutions to have modern security systems and risk management controls in place supported by sophisticated insurance products.
Guidelines on Internal Control & Compliance for Banks were issued by the central bank on March 8, 2016, which recommended the commercial banks to take insurance as a risk mitigation measure. Such insurances are not over-the-counter products, and must be customised as per each bank's unique exposures. All of this is likely to take some time to put together. However, we need to move fast since we remain exposed and vulnerable in the meantime.
The most typical insurance product to protect the banks' interests is the Comprehensive Crime Policy, which should consist of Bankers Blanket Bond + Computer Crime + Internet Banking. This insurance indemnifies the bank against losses incurred or sustained to itself (first party), and covers employee fidelity, external fraud & theft, and computer crimes, among several other features. Additionally, banks must also protect themselves against the claims arising from the customers (third party). The typical product covering third party exposures are Professional Liability and D&O (Directors & Officers). These protect both the clients and the goodwill of the bank, and allow the bank to settle customers' claims and recover the loss through insurance.
Comprehensive Crime and Liability Insurance products are designed to counteract unforeseen catastrophic loss and aid balance sheet protection following an insured event. To assure that such insurances will, in fact, respond adequately in the event of a catastrophic loss, a few key features must be adhered to: (1) refrain from non-disclosure or withholding material facts regarding past losses. Remember, an underwriter can and usually will do a simple Google search on your bank, which should not tell a different story than what has been noted in the proposal form. Any non-disclosure is likely to prejudice a claim; (2) insufficient policy limits – insurance is not meant to pay for small and day-today (attrition) losses. The small losses can easily be retained (self-insured) by the banks. Insurance should in fact cover significantly large losses over and above the banks' own retention capacities which are likely to bring financial hardship to the institution. Saving insurance premium costs through under-insurance is the oldest trick in the book, and surely not a risk management strategy; (3) security – in other words, the claims paying ability of the insurer and reinsurer. Basel II Section 678 rightfully recognises the fact that a minimum of A' rated security is imperative to substantiate the effectiveness of insurance. While the local insurance companies are not rated by S&P, AM Best, or other international agencies, it is imperative that the reinsurance is backed by A' rated securities.
In the current scenario, the central bank should strictly enforce the statutes it adopted more than five years ago (Basel II framework, sections 677, 678) and make it mandatory for all the commercial banks to accurately assess the Capital Requirement (Capital Charge) against credit risk and operational risks and buy adequate insurance which covers comprehensive crime, professional liability, and D&O. Furthermore, the Bangladesh Bank should avail the same for itself to mitigate its risk exposures and set an example for the industry to follow – this applies to insurance as well as other measures of risk management and security.
One of the best advice I received on risk management was from my brother, a veteran investment banker in the US, who would tell me that it's cheaper to learn from other's mistakes. There is certainly much truth and wisdom in that saying. There is in fact enough information, data, and strategy out there in the cyber world to learn from. Our future resilience will depend on how well we learn the lessons from not just our own failures, but from the failures and successes of others around the world, and swiftly act upon it.
The writer has worked in risk management, insurance, and reinsurance for over 20 years.