Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September 10, 2003 Hugh Kelly Special Advisor for Global Banking Office of the Comptroller of the Currency
Comptroller of the Currency Administrator of National Banks What is Electronic Security? Any tool, technique, or process that protects a system’s information assets from threats to confidentiality, integrity, or availability E-security is composed of: Soft infrastructure – policies, procedures, processes & protocols that protect the system & data from compromise Hard Infrastructure – hardware & software used to protect the system & data from threats to security from inside & outside
Comptroller of the Currency Administrator of National Banks Why is E-Security Important? Greater reliance on technology increases potential for & likely impact of e-security threats By 2005, online banking will be over 50% in industrial countries & 10% in emerging markets Growing global connectivity through distributed networks, broadband & wireless connections Most types of e-crimes are not new New dimensions of security threats due to networks & e-banking
Comptroller of the Currency Administrator of National Banks Changing Nature of E-Threats External: Speed & sophistication of cyber-attacks Hackers are smarter & better organized Blended threats & hybrid attacks Critical infrastructure reliance on Internet Cross-border nature of cyber-attacks Internal: Security not well understood by Board & management nor a high priority Misconfigured or outdated systems, mail programs or web sites lead to vulnerabilities Security holes in mobile & wireless networks Use of generic off-the-shelf software Just one naïve user with easy-to-guess password increases risk
Comptroller of the Currency Administrator of National Banks Possible Effects of a Cyber Attack Denial-of-service Unauthorized use or misuse of computing systems Loss/alteration/compromise of data or software Monetary/financial loss Loss or endangerment of human life Loss of trust in computer/network system Loss of public confidence
Comptroller of the Currency Administrator of National Banks Proactive & Multi-Layered Risk Mitigation Framework Need for broader adoption of proactive e-security risk mitigation processes Help identify & manage threats Meet business & customer expectations Preserve public trust Caveat -- E-security framework must be multi-layered & dynamic Changing risk profiles People, processes & technology issues
Comptroller of the Currency Administrator of National Banks E-Security Risk Control Progam Need awareness at Boardroom level Direct business impact Linkage to standards demanded by regulators, shareholders & customers Apply Basel EBG e-banking risk management principles: Active oversight by Board & management Robust e-security risk control policy/program Authentication & authorization Data access controls, encryption & recovery Intrusion detection, integrity checking & incident response procedures Consider operational risk impact
Comptroller of the Currency Administrator of National Banks Supervisory Actions Need more focus globally on enhancing e-security supervision & examination Many individual bank supervisors are developing: Modern e-security risk management standards for their banks Integrated IT/safety & soundness examination procedures Better incident reporting & analysis Business continuity/disaster recovery plans (public/private sector scope)
Comptroller of the Currency Administrator of National Banks Conclusion: What Can We Do Together? Enhance global supervisory cooperation on e-security issues Promote e-security risk management principles & best practices Information exchange on incidents, threat vulnerability assessments & risk mitigation needs Supervisory policy development, including examination approaches to cyber & IT risks Examiner training Public alerts & education