ICT Risk Management, including Cybersecurity (together with the Bank of Japan and the International Monetary Fund)

Event Code: FS3D-2020
Venue: Philippines
Host Name: Bangko Sentral ng Pilipinas
Coordinator: Ms. Mangai
Date From: 09 Nov 2020
Date To: 13 Nov 2020


Banks and other financial institutions (FIs) face multiple Information and Communication Technology (ICT) risks. These risks arise from failures or breaches of IT systems, applications, platforms or infrastructure, which could result in financial loss, disruptions in financial services or operations, or reputational harm to a financial institution.
Financial institutions face risk from misalignment between business and IT strategies, management decisions that increase the cost and complexity of the IT environment, and insufficient or mismatched talent. Financial companies’ technology may become obsolete, disrupted, or uncompetitive, with legacy systems hindering agility. Mergers and acquisitions can hopelessly complicate the organization’s IT environment, a fact that many management teams fail to budget for and address. Meanwhile, technology-driven startups and disruptive financial technology (“FinTech”) solutions are challenging the business models and processes at the core of many institutions, making swiftness of response a requirement for ongoing relevance and viability.
The reality is that ICT risks are also growing, as there are more channels through which outside actors can influence FIs’ key systems, including financial technology (FinTech) innovations. The increased use of technology in the provision of financial services requires financial institutions to strengthen their technology resilience against operational disruptions to maintain confidence in the financial system. The growing sophistication of cyber threats also calls for increased vigilance and capability on the part of financial institutions to respond to emerging threats. Critically, this should ensure the continuous availability of essential financial services to customers and adequate protection of customer data.
In a nutshell, ICT risk holds strategic, financial, operational, regulatory, and reputational implications. To address this, board members need not become experts in IT, but they do need to understand the IT landscape well enough to oversee and challenge management.
This course reviews the main types of ICT risks (availability and continuity, security (including cybersecurity), change, data integrity, and outsourcing) and covers the basic components of an ICT risk assessment, to be performed by the FI itself and reviewed by the banking supervisor as part of an ICT risk management examination. Available techniques to mitigate these risks will also be discussed. Taking a deeper dive into the troubling area of cybersecurity, the course will cover key cybersecurity risks; FI trends and changing threats; the risk management lifecycle; threat actors, patterns, and tools; common vulnerabilities; people, process, and technology controls; and how to pursue defense-in-depth.
The course aims to give participants a basic understanding of the range of ICT risks, together with programs and supervisory tools designed to:
  1. Assess the framework management uses to manage ICT risks;
  2. Develop a practical and consistent approach in reviewing the operating model across all IT domains to identify, manage, and address risks;
  3. Examine the key drivers and business objectives of IT in financial services, for example: enabling business growth, achieving technological innovation and agility, promoting cost reduction, supporting a customer and client focus, and solidifying effective risk and compliance management;
  4. Assess the operating model components required to support IT risk management across the company: governance and oversight, policies and standards, management processes, tools and technology, risk metrics and reporting, and risk culture; and
  5. Identify and assess key IT management domains, for example IT strategy, data management, cybersecurity, service delivery and operations, and talent management.
The main emphasis will be on the need for every bank and other financial institution to have an ICT risk management system and to strengthen its technology resilience against operational disruptions to maintain confidence in the financial system. In this regard, SEACEN stakeholders, who are charged with safeguarding financial stability and protecting their economies from the costly effects of disruption in the financial system, are required to develop the skills, knowledge and tools to evaluate the ICT risk management system in banks and other financial institutions.
Target Participants
The course targets bank supervisors who have some experience evaluating the level of banks’ ICT risk and the quality of ICT risk management. Participants should have experience either as supervisors of financial services firms (such as safety-and-soundness examiners or ICT examiners) or have directly worked in a technology-related area in order to gain the most from the course and be able to contribute appropriately to the discussions.