A perfect storm: How COVID-19 has upped stakes for operational resilience in finance

This week’s outage at the Australian Securities Exchange shows how important it is to prepare for ‘when things go wrong’ in your IT resilience planning.

20 November 2020 - People who’ve experienced an upsurge in malicious emails and robocalls during COVID-19 should spare a thought for the bank executives who lie awake at night wondering just what would happen if one of their employees inadvertently activated one of them.

According to Hirun Tantirigama, an Associate Director in Protiviti’s technology consulting practice, the results for a bank or financial institution could be catastrophic. “Imagine opening your wallet, your bank account and your credit cards to a thief and saying ‘help yourself’,” says Tantirigama. “Now imagine doing that with the account details of 100,000 customers.”

The recent upsurge in sophisticated phishing emails and malware that can spy on users and exfiltrate company-sensitive data and customer details has the finance sector looking over its shoulder. The Australian Competition and Consumer Commission’s Scamwatch service reports a marked rise in phishing attacks in Australia this year – with nearly 35,000 cases by the end of October, compared with 25,000 in total last year.

Security researchers have seen a sharp rise in the number of “deceptive domains” that purport to be hosted by companies like Zoom, Microsoft and Google, while last week PayPal warned of another phoney email trying to elicit banking details from its 7 million Australian users. “You can have the best firewalls and encryption in the world, but all it takes is one curious employee or customer to open the wrong email and you can open a Pandora’s box of threats,” warns Tantirigama.

A changing landscape

During COVID, the risks associated with cyberattacks have risen exponentially, as demands for cloud-based services have grown steadily while entire workforces have moved home – where they continue to access confidential customer data through their own devices and networks. The Australian Prudential Regulation Authority, which oversees the licensing and regulation of the financial sector, has started cranking up enforcement of the strict cybersecurity regulations mandated by its CPS 234 standard – which also stipulates that banks maintain oversight of all third-party service providers that manage their information assets.

While most financial organisations have cyber frameworks built into their operational resilience plans, they’re often owned by siloed teams that don’t necessarily share information – let alone the findings of internal upgrades or reviews. That lack of sharing is a critical gap, particularly for a business that deals daily with external providers such as banks, clearing-houses and credit card companies.

The upsurge of risks during COVID-19 has led many more companies to approach Protiviti and other consulting firms for help assessing how well they’re equipped to handle a range of tech and cyber crises – from the security of apps and business services, to outdated hardware and software, and the capabilities of staff to monitor and strengthen cyber-resilience.

Finding your ‘pain points’

While the ‘year of Covid’ has undoubtedly increased awareness of cybercrime, this has also come at the cost of our focus on other common IT challenges and vulnerabilities, including ageing systems that need patching or upgrading, defective coding, or poorly tested changes causing system failures or degraded performance.

The ASX outage on 16 November provided a dramatic example of how a glitch in a newly upgraded software system could shut down a third-party platform – in this case, the country’s most important share-trading platform. This occurred even after extensive testing and dress rehearsals and highlights the importance of not just preparing for ‘if things go wrong’ but ‘when things go wrong’ scenarios as part of broader operational resilience arrangements.

Protiviti has developed a robust Technology Risk Framework that simultaneously addresses a customer’s cybersecurity posture, third-party defences, and resilience capabilities. The framework combines top-down and bottom-up assessments to identify “tech pain points” or risk areas that may undermine your company’s core business services, processes and systems.

It typically begins by engaging with the senior management team to understand the business and technology environment, coupled with a review of risk documentation to identify high-risk areas that could threaten the viability of important business services. Protiviti consultants then undertake a mapping exercise to plot processes, technology, data and vendor dependencies across services that can fuel these risks – be they legacy systems that have not been upgraded in years, or third-party vendors that may implement faulty changes. This “front-to-back mapping” provides a comprehensive view of the company’s risk landscape, a platform for identifying actions, and a basis on which to build tougher governance and review mechanisms.

Protiviti has also seen more of its clients request cyber and crisis simulations, which enable leaders and crisis responders to stress-test different services during a series of adverse events. “In the old days, we might have looked at a crash in a back-office system,” says Tantirigama. “These days though, we’re more likely to look at a major cyberattack in the middle of a pandemic – with 25% of your workforce off sick, and the whole crisis response team working from home.”

COVID-19 has certainly changed people’s perceptions of what’s possible, and with it the need to extend themselves – physically, emotionally and technologically. “Before COVID, a major cyber-attack in the middle of a pandemic seemed such a remote possibility, it rarely made it onto your risk radars,” says Tantirigama. “But we’re in a new world now. Frontline and enterprise risk staff need to have provisions in place for such a perfect storm of risks – however unlikely it may appear.”

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and its independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, digital, legal, governance, risk and internal audit through its network of more than 85 offices in over 25 countries.

Named to the 2022 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.