By Mohammad Ibrahim Fheili / Risk & Capacity Building Specialist, +961 03 33 71 75 & mifheili@gmail.com
A Banker’s Perspective on . . .
The promotion of Security Culture to enable the Communication of Cyber Threats to the Board and to Stakeholders
September 18th of 2019
MEA Riad Salamé Training & Conference Center
The 5th Annual Global Cyber Security Forum
More Than A Perspective; A Deadly Communication Breakdown
Diagram: CIO (Information Technology) versus CEO (Business Development).
“IT Thinking” must be favorably contaminated with the Business Development mindset.
In the era of Digital Transformation, it is not permissible for “Business People” to be indifferent about their genuine knowledge about the nature and potential of the “New technologies”.
This business culture is at the ROOT-CAUSE of ALL EMERGING RISKS!
Think About “IT” . . .
As IT organizations seek to automate and digitize, ill-planned
projects will cause significant cybersecurity challenges.
• Fundamental tensions arise between the business’s need to
automate (& digitize) and the cybersecurity team’s
responsibility to protect:
o The organization,
o Its employees, and
o Its customers within existing cyber operating models and
practices.
Cyber-security is
not an Information Technology Position!
Almost all projects, anticipated or undertaken, are about deploying “IT Assets” in existing processes (some call it “Automate”, and others call it “Digitize”!), resulting in:
1. Increasing demands for IT skills,
2. Technical skills favored over soft skills,
3. Talent development potentially disrupted and biased,
4. etc.
• The absence of adequate Technical Skills will:
o Reflect negatively on the success of the majority of projects,
o Introduce an element of heightened risks in planned projects, and
o Result in misalignment of duties and responsibilities!
• Equally important, the over-emphasis on technical skills will drive organizations to overlook important personality traits such as ethics and values (over 35% of fraud is caused by current employees . . . )
Between Business & IT . . .
Banks use all kinds of sophisticated technologies and techniques to protect critical business assets. However, the most important factor in any cybersecurity program is TRUST. TRUST represents the foundation of all the decisions executives make about tools, talent, and processes.
Trust is generally lacking in many organizations’ cybersecurity initiatives, in part, because of competing agendas:
• Senior business leaders and the board may see cybersecurity as a priority only when an intrusion occurs.
• The chief security officer and his team view security as an everyday priority.
This is as good as Self-Destruction!
Cyber Security changes as often as Technology does! Technology has been evolving daily!
Trust . . .
This lack of TRUST gave rise to common myths about
cybersecurity:
• The types of threats that are most relevant,
• The amount of spending required to protect critical data,
and
• Which data sets are at risk.
Perceptions became facts, trust eroded further, and
cybersecurity programs ended up less successful than they
should be.
We’ve Been Growing Apart! (Diagram: Myths versus Reality)
…and altered our understanding of What Makes An Organization Strong! Strength is measured . . . !
Diagram: Unit Resources build Core Competencies and Distinctive Capabilities (of each employee, extended to the entire Unit); together they form Unit Capabilities, which yield Value-Creation Advantage and Performance Results.
Unit Resources:
• Financial assets
• Physical assets
• Human resources
• Intangible assets
• Structural-cultural assets
• Organizational processes and routines
• Accumulated knowledge
• Actual work activities
It must be based on facts, NOT PERCEPTION!
…and changed the “Rules of Engagement” in the marketplace: Today’s Technologies Helped Level The Playing Field. Thus the need to have “Distinctive Capabilities”.
Increasingly, banks are being called upon to assist with:
• Crackdowns on illegal and unethical transactions,
• Sanctions busting, and the financing of terrorism,
• The collection of taxes.
Governments are demanding that their banks comply with national regulatory standards irrespective of jurisdiction. Regulations relating to Employment practices, Environmental standards, and Financial Inclusion could eventually be applied in the same way.
Banks’ behavior toward their customers is under scrutiny:
• The terms and conditions of contracts,
• Marketing, and
• Sales practices.
Banks will probably be closely examined for:
• Information asymmetries,
• Barriers to switching banks,
• Inappropriate or incomprehensible advice, and
• Non-transparent or unnecessarily complex product features and pricing structures.
IT Solutions (each one interfacing with the Core Banking Solution and its CORE DATA):
• ALM
• CAR
• Credit Risk
• ORM, MRM
• CRM
• eBanking
• P & L
• AML
• FATCA
• CRS
• GDPR
• IFRS9
• Etc.
Each one of these IT Solutions is likely to have been developed by a different IT Solution Provider!!!
Have You Asked, and Validated: Are All My IT Solutions Speaking Correctly To One Another? If Yes, your undisputed assurances are coming from where?
Possible Threats . . .
• Little time has been spent to identify
vulnerabilities created by interactions
between many IT Applications and
services, and
• …Must build and enforce standards for
appropriate developer access.
• …Must continue to maintain rigor in
application security as they transition
from waterfall to agile application
development.
Pain Points . . .
Pain Points to watch for in Automation &/or Digital Transformation.
1. Model Use and Decision Making
• Failure at the human–machine interface
• Cybersecurity threats
• Slow detection of / response to performance issues
• Technology-environment malfunction
2. Model Implementation
• Insufficient training and skills
• Poor technology-environment design
• Implementation errors
Pain Points . . .
Pain Points to watch for in Automation &/or Digital Transformation.
3. Model Development
• Model instability or performance degradation
• Biased or discriminatory model outcomes
• Non-representative data
4. Data Management
• Other regulatory noncompliance
• Unsecured “protected” data
• Incomplete or inaccurate data
5. Conceptualization
• Insufficient learning feedback loop
• Potentially unethical use cases
The Pain Points of Unplanned Automation!
The introduction of any form of technology in a given production process, or the mere modification of an existing IT environment, necessitates a number of changes: staff skills, workflows, policies & procedures, and a host of other changes. This reflects on individual and corporate performance…
Diagram: Assessment Failures; Model Risk, IT Risk, Cyber Risk; HR Risk, People Risk, Risk Interdependency; Risks Related to Data Collection, Processing, Storage, and Loss.
Curricula are as old as regulations!
Organizations are slow to adapt!
Because skill development is biased in favor of Technical Skills
To match the ever evolving digital technologies
Not emphasized in recruitment!
Information Technology Changed The Rules of Engagement With Clients.
Diagram of drivers:
• Increased usage of impersonal electronic services
• Low-cost electronic services
• Lower customer intimacy: clients have been digitized…
• Reduced switching costs between banks
• Customers are constantly shopping for better deals
• Increased demand for transparency
• Need to leverage all customer ‘touch points’
• Customer interest peaks & falls rapidly
• Less time to know and influence customers
• Proliferation of channels to service the client
The Complexity of the Banking Model … BANKS MUST Go D.I.G.I.T.A.L.?
Objective: MAXIMIZE PROFIT, subject to RISK, REGULATORY, Compliance, Reporting, Etc. Constraints.
RISK . . .
• Default, Liquidity, Maturity
• Others . . .
REGULATORY . . .
• Basel I, II, III, etc.
• Sanctions Rules
• USA_FATCA, OECD_CRS, EU_GDPR Requirements
• AML, Etc. . . .
• IFRS 9 Impairments & Reporting.
LEGAL ISSUES . . .
Uses of Funds:
• Reserves
• Loans
• Securities
• Other Investments
• . . .
Sources of Funds:
• All Types of Deposits
• Borrowings
• Other Sources
• Equity
• . . .
Off-Balance Sheet
The AML Compliance Landscape
Diagram: The Classic Areas of Anti-Money Laundering, and what has been Parachuted into The World of Anti-Money Laundering.
Diagram: Financial Institution’s Risk/Data Population, split into Identified & Identifiable Risks and Non-Identifiable Risk.
What is normally used in Risk Identification:
• CIP
• KYC
• DD
• EDD
• Complete and up-to-date credit file,
• Client visits,
• Proper follow up,
• Comprehensive & consistent data about the market,
• Etc.
Collecting Data is not an END; it is a MEANS to an End. The End is: “The Effective Identification of Risks; Existing and Emerging”. If risk is dynamically changing, you need to be continuously engaged in collecting data to improve your chances of capturing emerging risks.
Technological Innovations Made It Impossible to Perform Without Complete, Consistent, … Data.
The More Data You Collect, The More Risks will be identified, The better Understanding You will have, . . .
Enhancing Compliance Capabilities …
Diagram: Compliance Resources Deployed (Due Diligence, Enhanced Due Diligence, Risk-Based Approach to AML Compliance); AML Cost, Skills Needs, Know-How, AML Analytics, New Client.
… the Bank to continue on serving the client, more data will be collected and processed to identify, measure and manage RISKS (i.e., Comply).
The Right Data Helps You, Your Team, and Your Manager Size Risks and move away from Ambiguity, Ignorance, Uncertainty to Risk Management . . .
PLAY: Compliance and the Complexity of Regulations!
Count the Number of Times the Letter “f/F” Appears in all the Words inside the blue box:
“Finished Files Are the Result of Years of Scientific Study Combined With Years of Experience!”
Rate The Complexity Of This Exercise!
Diagram: two axes, “Increasing Our Understanding of Potential Outcomes (i.e., Impact)” and “Increasing Evidence on Probability of Occurrence (i.e., Probability)”, with the regions Ambiguity, Uncertainty, and Ignorance.
The Right Data Helps You Size Risks, and move away from Ambiguity, Ignorance, Uncertainty to Risk Management . . .
Today’s Technologies Allowed Financial Institutions To Scale Up Their Operations; and created tendencies to Trust Numbers Coming Out of an IT Solution more than those provided by Humans!
An IT-intensive operating environment rendered the time the mistake is discovered very critical:
• Just as it happened?
• Later?
• Much Later?
• Etc.
However, mistakes remain committed by Humans (individual employees) at any touch point in the process. Mistakes are not committed by a group of employees (Fraud is!), or by machines!
Spend Time To Identify, Acknowledge, and Understand The Nature Of Your Mistakes.
Skill-Based Slips
• Involuntary; due to lack of attention, distraction, fatigue, environment, work overload.
Rule-Based Mistakes
• Wrong action based on flawed rules; due to wrong incentives, flawed products, misleading instructions.
Knowledge-Based Mistakes
• Wrong choice of action when confronted with a new situation; due to lack of training, weak knowledge of the environment.
Active Human Errors
• Perpetrated by the operator; the results of an action.
Latent Human Errors
• Invisible in the direct causes of an event; only realized when certain actions take place.
• Linked to poor design of controls, flawed rules, erroneous management decisions, or second-order mistakes (i.e., induced by someone else’s error).
Active and Latent Human Error: the more time passes before the error is discovered, the greater is its impact!
Diagram: The Risk Taker versus the Oversight Function.
Would You Be Satisfied With 99.73% Accuracy In Your Work? 99.73% accuracy translates into the following:
• One hour of unsafe drinking water every month
• Two unsafe landings every day at Chicago O’Hare Airport
• 50 babies dropped at birth by doctors every day
• 500 incorrect operations every week
• 20,000 incorrect drug prescriptions every year
• 22,000 checks deducted from the wrong bank account every hour
With Technological Innovations, Risk Management Can’t Be Approached The Same Way . . .!
If Cyberrisk is “Colorful”, Cyber-Security Must Be Black-n-white!
The Language You Need To Effectively Communicate With The Board of Directors
• Cyber security is the state or process of Protecting and
Recovering networks, devices, and programs from any
type of cyber-attack.
• Cyber risk is an issue that exists at the intersection of
Business Risk, Regulation, and Technology.
• Organizations must factor cyber risk into their risk
appetite and explicitly define the level of cyber risk that
they are willing to accept in context of their overall risk
appetite.
Cyber s & r …
Cybersecurity and The Business . . .
If the cybersecurity team is to avoid becoming a barrier to business development (through digitization, etc.) and instead become its enabler, it must transform its capabilities along these dimensions:
• Improve Risk Management,
• Apply Quantitative Risk Analytics,
• Build Cybersecurity Directly Into Businesses’ Value Chains,
• Support The Next Generation Of Enterprise-Technology Platforms.
Only The Facts . . .
Myth: All assets in the organization must be protected the same way.
Reality: Not all data are created with equal value.
• A strong cybersecurity strategy provides differentiated protection of the company’s most important assets, utilizing a tiered collection of security measures.
• Business and cybersecurity leaders must work together to identify and protect the “crown jewels”: those corporate assets that generate the most value for a company.
Only The Facts . . .
Myth: The more we spend, the more secure we will be!
• Reality: There is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and the success of a company’s cybersecurity program.
Only The Facts . . .
Myth: External hackers are the only threat to corporate assets!
• Threats from outsiders are a huge concern for cybersecurity teams, but there are significant threats inside corporate walls as well (43% of data breaches are from insiders).
• The very people who are closest to the data can often be a weak link in a company’s cybersecurity program:
o When they share files over unprotected networks,
o Click on malicious hyperlinks, or
o Act in ways that open up corporate networks to attack.
Only The Facts . . .
Myth: The more advanced our technology, the more secure we are!
• Most companies are not dealing with military-grade hackers.
• It is true that cybersecurity teams often use powerful, cutting-edge technologies to protect data and other corporate assets.
• However, many threats can be mitigated using less-advanced methods.
• More than 70 percent of global cyberattacks come from financially motivated criminals who are using technically simple tactics, such as phishing emails.
Bridge The Gap . . .
Re-educate the C-suite about best practices in cybersecurity spending:
• A tiered approach to cybersecurity may be more effective than blanket
coverage for all.
• The budget cannot grow and shrink depending on whether the
company recently suffered a system intrusion.
• Cybersecurity must be considered a permanent capital expenditure,
and allocations should be prioritized based on a review of the entire
portfolio of initiatives under way.
• Business and technology professionals must work together to manage
the trade-offs associated with cybersecurity.
Bridge The Gap . . .
Weak communication accounts for much of the lack of trust between
business leaders and members of the cybersecurity Team.
• Finding a common vocabulary is important not just for ensuring
clear communication between the C-suite and the cybersecurity
function but also for raising awareness about potential
cyberthreats and risks among employees throughout the
company.
• Members of the cybersecurity Team should schedule frequent,
regular check-ins with staff at all levels to educate them about
relevant cybersecurity topics.
Structural hurdles to addressing cybersecurity . . .
• Executives must accept a certain level of cyberattack risk.
o In order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.
• The implications of cybersecurity are inescapable.
o Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs.
Structural hurdles to addressing cybersecurity . . .
• Cybersecurity risk is difficult to quantify.
o There’s no single quantitative metric for cybersecurity, making it much harder to communicate the urgency to senior managers and the Board and to engage them in decisions and oversight.
• It’s hard to change user behavior.
o The biggest vulnerability lies not with the hardware but with the people.
Companies may well have a state-of-the-art firewall and the latest malware-
detection software. And they might have well-tuned security operations
and incident-response processes.
But
• What about third-party suppliers, which might be the weakest link of
a company’s value chain? Or
• The hotshot design studio that has access to the company’s
intellectual property (IP)?
The entry point for cyber attackers can be as trivial as a Wi-Fi-enabled
camera used to take pictures at a corporate retreat.
Addressing Cybersecurity Value Chain . . .
Fact-Based Cyber Risk Management . . .
• Lack of structure.
o Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs).
o The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
Many board members are dissatisfied with the reports they receive.
Fact-Based Cyber Risk Management . . .
• Lack of clarity.
o Most reporting fails to convey the implications of risk levels for business processes.
o Board members find these reports off-putting: poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
Many Board Members find risk reports too technical.
Fact-Based Cyber Risk Management . . .
• Lack of consistent real-time data.
o Different groups in the same organization often use different, potentially conflicting information to describe or evaluate the same aspects of cyber risk.
o The underlying data are often too dated to be of use in managing quickly evolving cyberthreats.
Fact-Based Cyber Risk Management . . .
Accurate Risk Sizing is dependent on a few basic inputs:
• A business perspective of the institution’s key assets and the top risks that could affect them,
• Realistic, up-to-date assessments of relevant threats and threat actors, formulated appropriately,
• A consistent and accurate definition of risk appetite for the organization as a whole.
The result is a well-prioritized risk profile, efficiently focused on reducing disruption or slowdowns.
Fact-Based Cyber Risk Management . . .
A DASHBOARD that summarizes the entire risk-management terrain:
o The evolution of the relevant threat landscape and its implications,
o Overview of recent cyberrisk events, incident development, and key countermeasures taken,
o Top cyberrisks as defined in cooperation with the business units and measured through clearly defined key risk indicators,
o Risk assessments in light of clearly defined risk appetites, with recommendations on the assets in need of prioritized attention,
o A detailed plan of the counter-risk initiatives in place, with relevant accountabilities, implementation status, and actual impact on risk reduction.
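The risk-sizing inputs and the dashboard items above, together with the tiered “crown jewels” protection described earlier, can be made concrete in a small piece of code. The following is an added example written for this page, not the presenter’s material or any bank’s tooling: a minimal fact-based risk register in Python. The asset names, tiers, impact and likelihood scores, control-effectiveness factors and the per-tier appetite thresholds are all constructed sample values, and the scoring model (residual exposure = impact × likelihood × control factor, compared against the appetite the board set for that asset’s tier) is an assumption chosen for illustration.

```python
# Added example (not from the presentation): a minimal fact-based cyber risk
# register that turns the inputs the slides name (key assets, top risks, threat
# assessments, risk appetite) into a prioritized list and a board-level summary.
# Every name, score and threshold below is a constructed sample value.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    tier: int      # 1 = crown jewel, 2 = important, 3 = commodity (assigned by the business)
    impact: int    # 1..5 business impact if confidentiality, integrity or availability is lost


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int         # 1..5 assessed likelihood from the current threat assessment
    affects: tuple          # names of the assets this threat can reach
    control_effect: float   # residual factor after in-place countermeasures (1.0 = no reduction)


# Constructed sample inputs for a hypothetical institution.
ASSETS = (
    Asset("Core banking ledger", 1, 5),
    Asset("Customer KYC data store", 1, 5),
    Asset("HR payroll system", 2, 4),
    Asset("Marketing website", 3, 2),
)
THREATS = (
    Threat("Phishing-led credential theft", 5,
           ("Core banking ledger", "Customer KYC data store", "HR payroll system"), 0.6),
    Threat("Third-party vendor compromise", 3,
           ("Customer KYC data store", "Marketing website"), 1.0),
    Threat("Ransomware on endpoints", 4,
           ("Core banking ledger", "HR payroll system", "Marketing website"), 0.5),
    Threat("Web defacement", 4, ("Marketing website",), 0.8),
)
# Risk appetite per tier: the maximum residual exposure the board accepts (constructed).
APPETITE = {1: 8.0, 2: 10.0, 3: 12.0}


def residual_exposure(asset, threat):
    """Inherent exposure (impact x likelihood) scaled by how much the controls in place reduce it."""
    return round(asset.impact * threat.likelihood * threat.control_effect, 2)


def build_register(assets=ASSETS, threats=THREATS, appetite=APPETITE):
    """One row per asset: its worst applicable threat, residual exposure, and appetite status."""
    register = []
    for asset in assets:
        applicable = [t for t in threats if asset.name in t.affects]
        if not applicable:
            continue
        top = max(applicable, key=lambda t: residual_exposure(asset, t))
        residual = residual_exposure(asset, top)
        register.append({
            "asset": asset.name,
            "tier": asset.tier,
            "top_threat": top.name,
            "residual": residual,
            "appetite": appetite[asset.tier],
            "over_appetite": residual > appetite[asset.tier],
        })
    # Highest residual first; ties broken by tier (crown jewels first) and then name.
    register.sort(key=lambda r: (-r["residual"], r["tier"], r["asset"]))
    return register


def board_summary(register):
    """The handful of numbers a board dashboard needs from the register."""
    over = [r for r in register if r["over_appetite"]]
    return {
        "assets_over_appetite": len(over),
        "crown_jewels_over_appetite": sum(1 for r in over if r["tier"] == 1),
        "highest_residual": (register[0]["asset"], register[0]["residual"]) if register else None,
        "total_residual": round(sum(r["residual"] for r in register), 2),
    }


def risk_reduction(threat_name, new_control_effect, assets=ASSETS, threats=THREATS, appetite=APPETITE):
    """Re-run the register with one countermeasure's effectiveness changed; report the drop in total residual."""
    updated = tuple(
        Threat(t.name, t.likelihood, t.affects, new_control_effect) if t.name == threat_name else t
        for t in threats
    )
    before = board_summary(build_register(assets, threats, appetite))["total_residual"]
    after = board_summary(build_register(assets, updated, appetite))["total_residual"]
    return round(before - after, 2)


if __name__ == "__main__":
    for row in build_register():
        flag = "OVER APPETITE" if row["over_appetite"] else "within appetite"
        print(f'{row["asset"]:<26} tier {row["tier"]}  residual {row["residual"]:>5}  '
              f'({flag}; top threat: {row["top_threat"]})')
    print(board_summary(build_register()))
    print("Reduction if phishing controls reach 0.3:",
          risk_reduction("Phishing-led credential theft", 0.3))
```

Running the block prints the prioritized list, flags the assets whose residual exposure exceeds the appetite set for their tier, and reports how much total residual exposure a single countermeasure would remove. Those are the same items the dashboard list asks for: top risks per asset, assessments against a defined appetite, and the actual impact of a counter-risk initiative, all derived from inputs the business and the security team agreed on rather than from perception.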
Cyber Security Risk Management is the process of
managing emerging risks as a result of changes in
the information technology environment. It involves:
• Identifying,
• Assessing, and
• Treating
risks to the confidentiality, integrity, and availability of the
organization's assets.
Thus the importance of Risk Management…
Cyber Risk / Security and the Board of Directors
• Cyber Risk Management
should not be viewed as a
specialized corporate
function, but instead should
be treated as an integral,
enterprise-wide component
that affects how the company
measures and rewards its
success.
• The assessment of risk, the
accurate evaluation of risk
versus reward and the
prudent mitigation of risk
should be incorporated into
all business decision-making.
Tone at the Top and Corporate Culture
The Board of Directors’ Oversight . . .
• Cyberrisk needs to be treated as a risk-management issue, not an IT issue.
• Cyberrisk is much like any other complex, critical, nonfinancial risk.
• Companies need to put in place an organizational structure and a governance approach that bring transparency and enable Real-Time risk management.
• Risk Oversight is defined as the Board of
Directors’ supervision of the risk
management framework (and processes).
• The Board must understand the Risks, and
all related issues: Risk Identification,
Assessment, Appetite, Mitigations, etc. . .
The Board of Directors’ Oversight . . .
Key elements of Cyberrisk Management
include:
• The prioritization of relevant threats,
• The determination of a company’s risk
appetite (its willingness to accept some
risks), and
• The definition of initiatives to minimize
risk.
The Board of Directors’ Oversight . . .
• Companies must address cyber-risk in a
business context.
• Technical experts cannot solve the problem
without understanding the underlying
commercial and organizational
requirements.
• Companies tend to over-invest in Technical
Gadgets, and under-invest in complexity
reduction. The result is an inefficient
system.
The Board of Directors’ Oversight . . .
• Companies must seek out and mitigate
cyber-risk on many levels:
Data,
Infrastructure,
Applications, and
People (who are exposed to different
threat types and levels.)
The Board of Directors’ Oversight . . .
• Cyber-Risk changes as often as
technologies change! We all admit that technologies
[outside] are evolving daily. How is Your Technology [inside]
changing?!
• Risk appetite and Tolerance need to be
high on any Board's agenda and is a core
consideration of an enterprise risk
management approach.
The Board of Directors’ Oversight . . .
• Companies should take advantage of automated
tools to catalog their assets to focus on those at
most risk.
• Adaptation is essential! Sooner or later, every
organization will be affected by a cyber-attack.
• A company’s organization, processes, IT, OT, and
products need to be reviewed and adjusted as
cyber-threats evolve.
• Companies must fine-tune business-continuity
and crisis-management structures and processes
to meet changes in the threat level.
The Board of Directors’ Oversight . . .
Cyber Risk Management should be tailored to the specific company, to:
1. Adequately identify the material risks that the company faces in a
timely manner
2. Implement appropriate risk management strategies that are
responsive to the company’s risk profile, business strategies, specific
material risk exposures and risk tolerance thresholds
3. Integrate consideration of risk and risk management into strategy
development and business decision-making throughout the
company
4. Adequately transmit necessary information with respect to material
risks to senior executives and, as appropriate, to the board or
relevant committees.
Recommendations for Improving Risk Oversight
• Risk & Capacity Building, and Organizational Transformation Specialist.
• Lecturer in Risk, Risk-Based Performance & Compliance
• University Lecturer: Economics, Risk, and Banking Operations
• Currently serves in the capacity of Chief Consultant with M.I.Fheili & Associates – Risk, Capacity Building, and Organizational Transformation Specialists.
Served as:
• Executive (AGM) at JTB Bank
• Senior Manager & Chief Risk Officer at Group Fransabank
• Senior Manager at BankMed
• An Economist at the Association of Banks in Lebanon
• Mohammad received his college education (undergraduate & graduate) at Louisiana State University (LSU), and has been teaching Economics and Finance for over 25 continuous years at reputable universities in the USA (LSU) and Lebanon (LAU).
• Finally, Mohammad published over 25 articles, of those many are in refereed Journals (e.g., Journal of Money Laundering & Control; Journal of Operational Risk; Journal of Law & Economics; etc.) and Bulletins.

Cyber security; one banker’s perspective

  • 5.
    The absence of adequate technical skills will:
    o Reflect negatively on the success of the majority of projects,
    o Introduce an element of heightened risk in planned projects, and
    o Result in misalignment of duties and responsibilities!
    Equally important, the over-emphasis on technical skills will drive organizations to overlook important personality traits such as ethics and values (over 35% of fraud is caused by current employees . . . ).
  • 6.
    Between Business & IT . . .
    Banks use all kinds of sophisticated technologies and techniques to protect critical business assets. However, the most important factor in any cybersecurity program is TRUST. TRUST is the foundation of all the decisions executives make about tools, talent, and processes.
    Trust is generally lacking in many organizations' cybersecurity initiatives, in part because of competing agendas:
    • Senior business leaders and the board may see cybersecurity as a priority only when an intrusion occurs.
    • The chief security officer and his team view security as an everyday priority.
    This is as good as self-destruction! Cyber security changes as often as technology does, and technology has been evolving daily!
  • 7.
    Trust . . .
    This lack of TRUST gave rise to common myths about cybersecurity, concerning:
    • The types of threats that are most relevant,
    • The amount of spending required to protect critical data, and
    • Which data sets are at risk.
    Perceptions became facts, trust eroded further, and cybersecurity programs ended up less successful than they should be.
  • 8.
    We've Been Growing Apart! Myths vs. Reality
  • 10.
    . . . and altered our understanding of What Makes An Organization Strong! Strength is measured . . . !
  • 11.
    . . . and changed the "Rules of Engagement" in the marketplace: today's technologies helped level the playing field, hence the need for "Distinctive Capabilities".
    Unit Resources:
    • Financial assets
    • Physical assets
    • Human resources
    • Intangible assets
    • Structural-cultural assets
    • Organizational processes and routines
    • Accumulated knowledge
    • Actual work activities
    Unit Capabilities: core competencies build into the distinctive capabilities of each employee and, through them, of the entire unit; these yield a value-creation advantage and, ultimately, performance results.
    It must be based on facts, NOT PERCEPTION!
  • 12.
    Increasingly, banks are being called upon to assist with:
    • Crackdowns on illegal and unethical transactions,
    • Sanctions busting and the financing of terrorism, and
    • The collection of taxes.
    Governments are demanding that their banks comply with national regulatory standards irrespective of jurisdiction. Regulations relating to employment practices, environmental standards, and financial inclusion could eventually be applied in the same way.
    Banks' behavior toward their customers is under scrutiny:
    • The terms and conditions of contracts,
    • Marketing, and
    • Sales practices.
    Banks will probably be closely examined for:
    • Information asymmetries,
    • Barriers to switching banks,
    • Inappropriate or incomprehensible advice, and
    • Non-transparent or unnecessarily complex product features and pricing structures.
  • 14.
    IT Solutions interfacing with the Core Banking Solution: ALM, CAR, Credit Risk, ORM, MRM, CRM, eBanking, P&L, AML, FATCA, CRS, GDPR, IFRS 9, etc.
    Each one of these IT solutions is likely to have been developed by a different IT solution provider!
    Have you asked, and validated: are all my IT solutions speaking correctly to one another, to the CORE, and to its DATA? If yes, where are your undisputed assurances coming from?
  • 15.
    Possible Threats . . .
    • Little time has been spent identifying the vulnerabilities created by interactions between the many IT applications and services;
    • Organizations must build and enforce standards for appropriate developer access; and
    • Organizations must continue to maintain rigor in application security as they transition from waterfall to agile application development.
  • 16.
    Pain Points to watch for in Automation and/or Digital Transformation.
    1. Model Use and Decision Making
    • Failure at the human–machine interface
    • Cybersecurity threats
    • Slow detection of, or response to, performance issues
    • Technology-environment malfunction
    2. Model Implementation
    • Insufficient training and skills
    • Poor technology-environment design
    • Implementation errors
  • 17.
    Pain Points to watch for in Automation and/or Digital Transformation (continued).
    3. Model Development
    • Model instability or performance degradation
    • Biased or discriminatory model outcomes
    • Non-representative data
    4. Data Management
    • Other regulatory noncompliance
    • Unsecured "protected" data
    • Incomplete or inaccurate data
    5. Conceptualization
    • Insufficient learning feedback loop
    • Potentially unethical use cases
  • 18.
    The Pain Points of Unplanned Automation!
    The introduction of any form of technology into a given production process, or the mere modification of an existing IT environment, necessitates a number of changes: staff skills, workflows, policies and procedures, and a host of others. These reflect on individual and corporate performance, and give rise to:
    • Assessment failures;
    • Model risk, IT risk, cyber risk;
    • HR risk, people risk, risk interdependency;
    • Risks related to data collection, processing, storage, and loss.
  • 19.
    Curricula are as old as regulations! Organizations are slow to adapt!
  • 20.
    Because skill development is biased in favor of technical skills, to match the ever-evolving digital technologies, soft skills are not emphasized in recruitment!
  • 21.
    Information Technology Changed The Rules of Engagement With Clients.
    • Increased usage of impersonal electronic services
    • Low-cost electronic services
    • Lower customer intimacy: clients have been digitized . . .
    • Reduced switching costs between banks
    • Customers are constantly shopping for better deals
    • Increased demand for transparency
    • Need to leverage all customer "touch points"
    • Customer interest peaks and falls rapidly
    • Less time to know and influence customers
    • Proliferation of channels to service the client
  • 22.
    The Complexity of the Banking Model . . . BANKS MUST Go D.I.G.I.T.A.L.?
    Objective: MAXIMIZE PROFIT, subject to RISK, REGULATORY, Compliance, Reporting, Legal and other constraints.
    • Sources of Funds: all types of deposits, borrowings, other sources, equity, . . .
    • Uses of Funds: reserves, loans, securities, other investments, . . .
    • Off-Balance Sheet
    • RISK . . . default, liquidity, maturity; others . . .
    • REGULATORY . . . Basel I, II, III, etc.; sanctions rules; USA_FATCA, OECD_CRS, EU_GDPR requirements; AML, etc.; IFRS 9 impairments and reporting.
    • LEGAL ISSUES . . .
  • 23.
    The AML Compliance Landscape: the classic areas of Anti Money Laundering, and what has been parachuted into the world of Anti Money Laundering.
  • 24.
    Collecting data is not an END; it is a MEANS to an end. The end is the effective identification of risks, existing and emerging. If risk is dynamically changing, you need to be continuously engaged in collecting data to improve your chances of capturing emerging risks.
    The financial institution's risk/data population divides into Identified & Identifiable Risks and Non-Identifiable Risk. What is normally used in risk identification:
    • CIP
    • KYC
    • DD
    • EDD
    • Complete and up-to-date credit file
    • Client visits
    • Proper follow-up
    • Comprehensive and consistent data about the market
    • Etc.
    Technological innovations made it impossible to perform without complete, consistent, . . . data. The more data you collect, the more risks will be identified, and the better understanding you will have . . .
  • 25.
    Enhancing Compliance Capabilities . . .
    Compliance resources deployed: Due Diligence (DD), Enhanced Due Diligence (EDD), and a Risk-Based Approach (RBA) to AML compliance. For the bank to continue serving a (new) client, more data will be collected and processed to identify, measure and manage RISKS (i.e., comply), at a cost in AML skills needs, know-how, and AML analytics.
    The right data helps you, your team, and your manager size risks and move away from Ambiguity, Ignorance, and Uncertainty to Risk Management . . .
  • 26.
    PLAY: Compliance and the Complexity of Regulations!
    Count the number of times the letter "f/F" appears in all the words inside the blue box:
    "Finished Files Are the Result of Years of Scientific Study Combined With Years of Experience!"
    Rate the complexity of this exercise!
  • 27.
    The right data helps you size risks, and move away from Ambiguity, Ignorance, and Uncertainty to Risk Management . . .
    (Chart: increasing evidence on the probability of occurrence, i.e., Probability, on one axis; increasing understanding of potential outcomes, i.e., Impact, on the other; the regions are Ambiguity, Uncertainty, and Ignorance.)
  • 28.
    Today's technologies allowed financial institutions to scale up their operations, and created tendencies to trust numbers coming out of an IT solution more than those provided by humans!
    However, mistakes remain committed by humans (individual employees) at any touch point in the process. Mistakes are not committed by groups of employees (fraud is!), or by machines!
    The IT-intensive operating environment rendered the time at which a mistake is discovered very critical:
    • Just as it happened?
    • Later?
    • Much later?
    • Etc.
  • 29.
    Active and Latent Human Error. Spend time to identify, acknowledge, and understand the nature of your mistakes.
    • Skill-based slips: involuntary; due to lack of attention, distraction, fatigue, environment, work overload.
    • Rule-based mistakes: wrong action based on flawed rules; due to wrong incentives, flawed products, misleading instructions.
    • Knowledge-based mistakes: wrong choice of action when confronted with a new situation; due to lack of training, weak knowledge of the environment.
    • Active human errors: perpetrated by the operator; the results of an action.
    • Latent human errors: invisible in the direct causes of an event and only realized when certain actions take place; linked to poor design of controls, flawed rules, erroneous management decisions, or second-order mistakes (i.e., induced by someone else's error).
    The more time passes before the error is discovered, the greater its impact!
  • 30.
    The Risk Taker and the Oversight Function: would you be satisfied with 99.73% accuracy in your work?
    99.73% accuracy translates into the following:
    • One hour of unsafe drinking water every month
    • Two unsafe landings every day at Chicago O'Hare Airport
    • 50 babies dropped at birth by doctors every day
    • 500 incorrect operations every week
    • 20,000 incorrect drug prescriptions every year
    • 22,000 checks deducted from the wrong bank account every hour
    With technological innovations, risk management can't be approached the same way . . . !
  • 31.
    The Language You Need To Effectively Communicate With The Board of Directors: if cyber risk is "colorful", cyber security must be black-and-white!
  • 32.
    Cyber Security & Risk . . .
    • Cyber security is the state or process of protecting networks, devices, and programs from any type of cyber-attack, and of recovering from one.
    • Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology.
    • Organizations must factor cyber risk into their risk appetite and explicitly define the level of cyber risk that they are willing to accept in the context of their overall risk appetite.
  • 33.
    Cybersecurity and The Business . . .
    If the cybersecurity team is to avoid becoming a barrier to business development (through digitization, etc.) and instead become its enabler, it must transform its capabilities along these dimensions:
    • Improve risk management,
    • Apply quantitative risk analytics,
    • Build cybersecurity directly into the businesses' value chains, and
    • Support the next generation of enterprise-technology platforms.
  • 34.
    Only The Facts . . .
    Myth: All assets in the organization must be protected the same way.
    Reality: Not all data are created with equal value.
    • A strong cybersecurity strategy provides differentiated protection of the company's most important assets, utilizing a tiered collection of security measures.
    • Business and cybersecurity leaders must work together to identify and protect the "crown jewels", those corporate assets that generate the most value for the company.
  • 35.
    Only The Facts . . .
    Myth: The more we spend, the more secure we will be!
    Reality: There is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and the success of a company's cybersecurity program.
  • 36.
    Only The Facts . . .
    Myth: External hackers are the only threat to corporate assets!
    Reality:
    • Threats from outsiders are a huge concern for cybersecurity teams, but there are significant threats inside corporate walls as well (43% of data breaches are from insiders).
    • The very people who are closest to the data can often be a weak link in a company's cybersecurity program, when they:
    o Share files over unprotected networks,
    o Click on malicious hyperlinks, or
    o Act in ways that open up corporate networks to attack.
  • 37.
    Only The Facts . . .
    Myth: The more advanced our technology, the more secure we are!
    Reality:
    • Most companies are not dealing with military-grade hackers.
    • It is true that cybersecurity teams often use powerful, cutting-edge technologies to protect data and other corporate assets.
    • However, many threats can be mitigated using less-advanced methods.
    • More than 70 percent of global cyberattacks come from financially motivated criminals who are using technically simple tactics, such as phishing emails.
  • 38.
    Bridge The Gap . . .
    Re-educate the C-suite about best practices in cybersecurity spending:
    • A tiered approach to cybersecurity may be more effective than blanket coverage for all.
    • The budget cannot grow and shrink depending on whether the company recently suffered a system intrusion.
    • Cybersecurity must be considered a permanent capital expenditure, and allocations should be prioritized based on a review of the entire portfolio of initiatives under way.
    • Business and technology professionals must work together to manage the trade-offs associated with cybersecurity.
  • 39.
    Bridge The Gap . . .
    Weak communication accounts for much of the lack of trust between business leaders and members of the cybersecurity team.
    • Finding a common vocabulary is important not just for ensuring clear communication between the C-suite and the cybersecurity function, but also for raising awareness about potential cyber threats and risks among employees throughout the company.
    • Members of the cybersecurity team should schedule frequent, regular check-ins with staff at all levels to educate them about relevant cybersecurity topics.
  • 40.
    Structural hurdles to addressing cybersecurity . . .
    • Executives must accept a certain level of cyber-attack risk.
    o In order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.
    • The implications of cybersecurity are inescapable.
    o Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs.
  • 41.
    Structural hurdles to addressing cybersecurity . . .
    • Cybersecurity risk is difficult to quantify.
    o There is no single quantitative metric for cybersecurity, which makes it much harder to communicate the urgency to senior managers and the Board and to engage them in decisions and oversight.
    • It's hard to change user behavior.
    o The biggest vulnerability lies not with the hardware but with the people.
  • 42.
    Addressing Cybersecurity Across the Value Chain . . .
    Companies may well have a state-of-the-art firewall and the latest malware-detection software. And they might have well-tuned security operations and incident-response processes. But:
    • What about third-party suppliers, which might be the weakest link of a company's value chain? Or
    • The hotshot design studio that has access to the company's intellectual property (IP)?
    The entry point for cyber attackers can be as trivial as a Wi-Fi-enabled camera used to take pictures at a corporate retreat.
  • 43.
    Fact-Based Cyber Risk Management . . .
    • Lack of structure.
    o Boards and committees are swamped with reports, including dozens of key performance indicators (KPIs) and key risk indicators (KRIs).
    o The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail. Many board members are dissatisfied with the reports they receive.
  • 44.
    Fact-Based Cyber Risk Management . . .
    • Lack of clarity.
    o Most reporting fails to convey the implications of risk levels for business processes.
    o Board members find these reports off-putting: poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization. Many Board members find risk reports too technical.
  • 45.
    Fact-Based Cyber Risk Management . . .
    • Lack of consistent real-time data.
    o Different groups in the same organization often use different, potentially conflicting information to describe or evaluate the same aspects of cyber risk.
    o The underlying data are often too dated to be of use in managing quickly evolving cyber threats.
  • 46.
    Fact-Based Cyber Risk Management . . .
    Accurate risk sizing depends on a few basic inputs:
    • A business perspective on the institution's key assets and the top risks that could affect them,
    • Realistic, up-to-date assessments of relevant threats and threat actors, formulated appropriately, and
    • A consistent and accurate definition of risk appetite for the organization as a whole.
    The output is a well-prioritized risk profile, efficiently focused on reducing disruption or slowdowns.
  • 47.
    Fact-Based Cyber Risk Management . . .
    A DASHBOARD that summarizes the entire risk-management terrain:
    o The evolution of the relevant threat landscape and its implications,
    o An overview of recent cyber risk events, incident developments, and key countermeasures taken,
    o Top cyber risks as defined in cooperation with the business units and measured through clearly defined key risk indicators,
    o Risk assessments in light of clearly defined risk appetites, with recommendations on the assets in need of prioritized attention, and
    o A detailed plan of the counter-risk initiatives in place, with relevant accountabilities, implementation status, and actual impact on risk reduction.
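    The dashboard items above (top risks measured through clearly defined KRIs, assessed against a clearly defined risk appetite), together with the earlier points about tiered protection of the "crown jewels" (slide 34) and about dated data (slide 45) and the later point about risk appetite and tolerance (slide 57), can be made concrete in code. What follows is an added example and is not code from the presentation or its author: it rates constructed KRI observations per asset tier against a two-threshold appetite/tolerance statement, refuses to report stale data as green, flags KRIs for which no appetite has been agreed, and collapses the detail into the black-and-white summary a board can act on. The tier scheme, KRI names, thresholds, freshness window and observations are all assumptions made for the illustration.

```python
"""Rate cyber key risk indicators (KRIs) against a tiered risk appetite.

Added example for the fact-based cyber risk management slides; it is NOT the
presenter's code. Tier definitions, KRI names, thresholds and the sample
observations below are constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Appetite:
    """Appetite is the target level; tolerance is the hard limit the board has
    agreed never to exceed. higher_is_worse gives the direction of a breach."""
    appetite: float
    tolerance: float
    higher_is_worse: bool


@dataclass(frozen=True)
class Observation:
    kri: str
    tier: int            # 1 = crown jewels, 2 = important, 3 = commodity assets
    value: float
    observed_at: datetime


# Constructed appetite statements: tier 1 ("crown jewels") is held to stricter
# thresholds than tiers 2 and 3, i.e. the tiered protection of slide 34.
APPETITE = {
    ("critical_patch_days", 1): Appetite(7, 14, True),
    ("critical_patch_days", 2): Appetite(14, 30, True),
    ("critical_patch_days", 3): Appetite(30, 60, True),
    ("mfa_coverage_pct", 1): Appetite(100, 98, False),
    ("mfa_coverage_pct", 2): Appetite(95, 90, False),
    ("mfa_coverage_pct", 3): Appetite(90, 80, False),
    ("mean_time_to_detect_h", 1): Appetite(4, 24, True),
    ("mean_time_to_detect_h", 2): Appetite(24, 72, True),
    ("mean_time_to_detect_h", 3): Appetite(72, 168, True),
}


def rate(value: float, app: Appetite) -> str:
    """'green' within appetite, 'amber' within tolerance, 'red' beyond it.
    A value sitting exactly on a threshold still counts as inside it."""
    if app.higher_is_worse:
        if value <= app.appetite:
            return "green"
        return "amber" if value <= app.tolerance else "red"
    if value >= app.appetite:
        return "green"
    return "amber" if value >= app.tolerance else "red"


def evaluate(observations, now: datetime, max_age: timedelta = timedelta(days=7)):
    """Rate every observation. Two failure modes from the slides are handled
    explicitly: a KRI with no agreed appetite cannot be rated and is reported
    as 'no_appetite' (slide 46); data older than max_age is reported as
    'stale' rather than green, so a dated number is never read as comfort
    (slide 45)."""
    results = []
    for obs in observations:
        app = APPETITE.get((obs.kri, obs.tier))
        if app is None:
            status = "no_appetite"
        elif now - obs.observed_at > max_age:
            status = "stale"
        else:
            status = rate(obs.value, app)
        results.append((obs.kri, obs.tier, obs.value, status))
    return results


def board_summary(results):
    """Collapse the detail to what a board needs: a status count, plus the
    tier-1 items that need prioritised attention (anything not green/amber)."""
    counts = {s: 0 for s in ("green", "amber", "red", "stale", "no_appetite")}
    for _, _, _, status in results:
        counts[status] += 1
    tier1_attention = [(kri, value, status) for kri, tier, value, status in results
                       if tier == 1 and status not in ("green", "amber")]
    return counts, tier1_attention


# Constructed observations; the presentation date is used as the reference "now".
NOW = datetime(2019, 9, 18, tzinfo=timezone.utc)
SAMPLE = [
    Observation("critical_patch_days", 1, 5, NOW - timedelta(days=1)),       # green
    Observation("critical_patch_days", 3, 45, NOW - timedelta(days=2)),      # amber
    Observation("mfa_coverage_pct", 1, 96.5, NOW - timedelta(days=1)),       # red
    Observation("mean_time_to_detect_h", 1, 2, NOW - timedelta(days=30)),    # stale: looks good, but 30 days old
    Observation("mean_time_to_detect_h", 2, 40, NOW - timedelta(days=3)),    # amber
    Observation("phishing_click_rate_pct", 2, 12, NOW - timedelta(days=1)),  # no appetite agreed
]

if __name__ == "__main__":
    results = evaluate(SAMPLE, NOW)
    for kri, tier, value, status in results:
        print(f"tier {tier}  {kri:<24} {value:>6}  {status}")
    counts, attention = board_summary(results)
    print("summary:", counts)
    print("tier-1 items needing attention:", attention)
```

    The design choice worth noting is that "stale" and "no_appetite" are statuses of their own rather than being folded into green or red: a board that only sees traffic lights cannot tell a genuinely healthy KRI from one nobody has measured lately or never agreed a threshold for, which is exactly the inconsistency the preceding slides complain about.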
  • 48.
    Thus the importance of Risk Management . . .
    Cyber security risk management is the process of managing the emerging risks that result from changes in the information technology environment. It involves:
    • Identifying,
    • Assessing, and
    • Treating risks to the confidentiality, integrity, and availability of the organization's assets.
  • 49.
    Cyber Security, Risk, and the Board of Directors
  • 50.
    Tone at the Top and Corporate Culture
    • Cyber risk management should not be viewed as a specialized corporate function, but instead should be treated as an integral, enterprise-wide component that affects how the company measures and rewards its success.
    • The assessment of risk, the accurate evaluation of risk versus reward, and the prudent mitigation of risk should be incorporated into all business decision-making.
  • 51.
    The Board of Directors' Oversight . . . Real-Time Cyber Risk Management
    • Cyber risk needs to be treated as a risk-management issue, not an IT issue.
    • Cyber risk is much like any other complex, critical, non-financial risk.
    • Companies need to put in place an organizational structure and a governance approach that bring transparency and enable real-time risk management.
  • 52.
    The Board of Directors' Oversight . . .
    • Risk oversight is defined as the Board of Directors' supervision of the risk management framework (and processes).
    • The Board must understand the risks and all related issues: risk identification, assessment, appetite, mitigations, etc.
  • 53.
    The Board of Directors' Oversight . . .
  • 54.
    The Board of Directors' Oversight . . .
    Key elements of cyber risk management include:
    • The prioritization of relevant threats,
    • The determination of a company's risk appetite (its willingness to accept some risks), and
    • The definition of initiatives to minimize risk.
  • 55.
    The Board of Directors' Oversight . . .
    • Companies must address cyber risk in a business context.
    • Technical experts cannot solve the problem without understanding the underlying commercial and organizational requirements.
    • Companies tend to over-invest in technical gadgets and under-invest in complexity reduction. The result is an inefficient system.
  • 56.
    The Board of Directors' Oversight . . .
    • Companies must seek out and mitigate cyber risk on many levels: data, infrastructure, applications, and people (who are exposed to different threat types and levels).
  • 57.
    The Board of Directors' Oversight . . .
    • Cyber risk changes as often as technologies change! We all admit that technologies [outside] are evolving daily. How is your technology [inside] changing?!
    • Risk appetite and tolerance need to be high on any Board's agenda and are a core consideration of an enterprise risk management approach.
  • 58.
    The Board of Directors' Oversight . . .
    • Companies should take advantage of automated tools to catalog their assets, so as to focus on those most at risk.
    • Adaptation is essential! Sooner or later, every organization will be affected by a cyber-attack.
    • A company's organization, processes, IT, OT, and products need to be reviewed and adjusted as cyber threats evolve.
    • Companies must fine-tune business-continuity and crisis-management structures and processes to meet changes in the threat level.
  • 59.
    Recommendations for Improving Risk Oversight
    Cyber risk management should be tailored to the specific company, to:
    1. Adequately identify the material risks that the company faces, in a timely manner;
    2. Implement appropriate risk management strategies that are responsive to the company's risk profile, business strategies, specific material risk exposures, and risk tolerance thresholds;
    3. Integrate consideration of risk and risk management into strategy development and business decision-making throughout the company; and
    4. Adequately transmit necessary information with respect to material risks to senior executives and, as appropriate, to the board or relevant committees.
  • 60.
    • Risk & Capacity Building, and Organizational Transformation Specialist.
    • Lecturer in Risk, Risk-Based Performance & Compliance.
    • University Lecturer: Economics, Risk, and Banking Operations.
    • Currently serves in the capacity of Chief Consultant with M.I.Fheili & Associates – Risk, Capacity Building, and Organizational Transformation Specialists.
    • Served as:
    o Executive (AGM) at JTB Bank
    o Senior Manager & Chief Risk Officer at Group Fransabank
    o Senior Manager at BankMed
    o An Economist at the Association of Banks in Lebanon
    • Mohammad received his college education (undergraduate and graduate) at Louisiana State University (LSU), and has been teaching Economics and Finance for over 25 continuous years at reputable universities in the USA (LSU) and Lebanon (LAU).
    • Finally, Mohammad has published over 25 articles, many of them in refereed journals (e.g., Journal of Money Laundering & Control; Journal of Operational Risk; Journal of Law & Economics; etc.) and bulletins.