With the recent coverage of the Australian Prudential Regulation Authority’s (APRA) release of its first prudential standard on cybersecurity for financial services firms, security in banking has been a much-discussed topic. Cybersecurity is a prevalent issue in the minds of senior managers, CROs, and CISOs across all industries. Arguably, none are more concerned about this issue than the banking sector. But what should banks focus on to meet regulatory standards and strengthen their overall resilience against cybercrime?
Banks are increasingly looking to improve the customer experience through innovation and digitalisation. Online banking, card-less withdrawals, wearable transactions, mobile credit card readers, connected ATMs, and banking apps are all examples of innovative technologies designed to improve operability and gather more data on their customers. However, this pursuit of digitalisation also increases the risk to customer data and security, because each new channel widens the attack surface that must be protected.
The data collected by the banks assists them in assessing their customers’ needs and provides insights for delivering more customised products and services. The banking system is built on maintaining the trust of its customers by keeping their data confidential and secure. Trust is not to be underestimated: it gives a competitive edge and will assist in gaining and retaining customers.
Banks need to develop a holistic approach to cybersecurity to establish and maintain this trust. Robust security frameworks, policies, and procedures should be implemented to enhance cyber resilience. These frameworks, systems, policies, and procedures need to be continually monitored and updated to allow for rapid response times and faster recovery. To develop an effective cybersecurity strategy, there need to be strict policies and guidelines in place to guide organisational culture and behaviour. There also need to be pre-determined plans and procedures, with allocated responsibilities, in the event of a cyber breach.
Senior management is responsible for cyber risk management and ensuring that cybersecurity is treated as a business and strategic risk, not just an IT risk. Investing in staff cyber-awareness training, improved security software, intelligence gathering and sharing with government and industry peers, enhanced encryption, efficient use of reporting and metrics, robust frameworks and policies, and a risk-aware culture will lead to greater customer trust, increased profits, and a more stable industry for the future.