Future Proofing the Banking Industry: Technology Risk Management

Daryl Pereira
Partner, Information Protection & Business Resiliency
KPMG ASEAN Management Consulting
DRIVERS FOR ENHANCING TECHNOLOGY RISK MANAGEMENT (TRM)

© 2014 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of 
independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 

DRIVERS
• Online Channels (ATM, credit cards, internet / mobile): rise of cyber crime and cyber warfare; increased number of sophisticated attacks on online systems, internet, mobile, payments, ATM, websites
• Outsourcing: increased off-shoring of business processes, use of cloud computing, consolidation of local platforms onto global platforms
• ASEAN’s emergence as a global financial hub: trend of tightening regulations by ASEAN regulators to build up and maintain status as a financial hub
• System Resilience: recent high-profile outages have caused business disruption, reputational damage, and increased the regulator’s focus on resilience
THE CYBER THREATS ARE REAL: INCREASING IMPACT AND FREQUENCY OF ATTACKS ON THE FINANCIAL SERVICES INDUSTRY

[Timeline chart plotting Impact against Time; annotation: “Loss of trust and differentiation in the eyes of customers”]
• June 2012: Draft MAS Notice & Guidelines on TRM released
• June 2013: Final MAS Notice & Guidelines on TRM released
• November 2013: Target Network Breach & Credit Card Data Theft
• December 2013: Standard Chartered Customer Data Theft from 3rd party vendor
• January 2014: Korean Credit Card Breach
• June - July 2014: DBS & OCBC System Outage
• July 2014: JP Morgan Hack and Customer Data Loss
• September 2014: Draft MAS Notice and Guidelines on Outsourcing released
ANATOMY OF CYBER ATTACKS ON THE FINANCIAL INDUSTRY

[Diagram of TRM domains: Data Protection; Board & Management Oversight; Technology Risk Management; System Resiliency; Incident Detection, Prevention & Reporting; IT Outsourcing Management]

• Data stolen and re-routed, giving attackers the potential to use the information to profit on rogue stock market transactions
• Weak link: hackers entered inter-company networks through a vulnerable firm in order to reach other companies
• Hedge funds linked to brokers conducting trades for them via secure connections (lower risk) are targeted by phishing emails which open virtual doors
• Over the past 2 years, the computer networks of dozens of banks, fund managers, and other Financial Services firms have been infiltrated by hackers from Eastern European countries
• Disruption to firms’ high-speed trading platforms, causing loss of business continuity and resulting in reputational damage
• Attacks often go undetected. Hackers stole the passwords of the CFO of a US hedge fund, then drained US$1.5M in under 2 minutes using 3 wire transfers, each under $500K, the amount that would have triggered an alarm.
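The split-wire pattern in the last bullet defeats a per-transaction alarm, so the detection has to aggregate. The Python below is an added example (not KPMG's or the deck's code) that runs a per-account burst aggregation over constructed wire records, raising an alert when several wires that each stay under the US$500K threshold add up to it within a short window; the 10-minute window and the minimum count of two are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample wire instructions for one business day (not from the deck).
# The first three rows reproduce the pattern in the anecdote: three wires, each
# just under the US$500K alarm threshold, sent within two minutes from one account.
SAMPLE_TRANSFERS = [
    {"ts": "2014-07-01 14:00:10", "account": "ACC-1001", "amount": 499_500, "beneficiary": "BEN-A"},
    {"ts": "2014-07-01 14:00:50", "account": "ACC-1001", "amount": 499_500, "beneficiary": "BEN-B"},
    {"ts": "2014-07-01 14:01:40", "account": "ACC-1001", "amount": 499_500, "beneficiary": "BEN-C"},
    {"ts": "2014-07-01 09:15:00", "account": "ACC-2002", "amount": 120_000, "beneficiary": "BEN-D"},
    {"ts": "2014-07-01 16:40:00", "account": "ACC-2002", "amount": 80_000, "beneficiary": "BEN-D"},
    {"ts": "2014-07-01 11:05:00", "account": "ACC-3003", "amount": 520_000, "beneficiary": "BEN-E"},
]

ALARM_THRESHOLD = 500_000        # per-wire alarm amount quoted in the deck
WINDOW = timedelta(minutes=10)   # assumption: how close together wires must be to form one burst
MIN_COUNT = 2                    # assumption: a burst needs at least two wires to count as splitting


@dataclass
class Alert:
    account: str
    kind: str          # "single_over_threshold" or "split_over_threshold"
    total: int
    count: int
    first_ts: datetime
    last_ts: datetime


def _parse(transfers: List[dict]) -> List[dict]:
    """Parse timestamps and order by account, then time."""
    rows = [{**t, "ts": datetime.strptime(t["ts"], "%Y-%m-%d %H:%M:%S")} for t in transfers]
    return sorted(rows, key=lambda r: (r["account"], r["ts"]))


def single_threshold_alerts(transfers: List[dict], threshold: int = ALARM_THRESHOLD) -> List[Alert]:
    """The control the anecdote describes: alarm on any one wire at or above the threshold."""
    return [
        Alert(r["account"], "single_over_threshold", r["amount"], 1, r["ts"], r["ts"])
        for r in _parse(transfers)
        if r["amount"] >= threshold
    ]


def _burst_alert(account: str, burst: List[dict], threshold: int, min_count: int) -> List[Alert]:
    """One alert for a burst whose combined value reaches the threshold."""
    total = sum(r["amount"] for r in burst)
    if len(burst) >= min_count and total >= threshold:
        return [Alert(account, "split_over_threshold", total, len(burst), burst[0]["ts"], burst[-1]["ts"])]
    return []


def split_transfer_alerts(transfers: List[dict], threshold: int = ALARM_THRESHOLD,
                          window: timedelta = WINDOW, min_count: int = MIN_COUNT) -> List[Alert]:
    """Group each account's sub-threshold wires into bursts (consecutive wires within
    `window` of the burst's first wire) and alarm when a burst's total reaches the
    threshold that each wire on its own stayed under."""
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for r in _parse(transfers):
        if r["amount"] < threshold:   # wires at/above the threshold are caught by the single check
            by_account[r["account"]].append(r)

    alerts: List[Alert] = []
    for account, rows in by_account.items():
        burst = [rows[0]]
        for r in rows[1:]:
            if r["ts"] - burst[0]["ts"] <= window:
                burst.append(r)
            else:
                alerts.extend(_burst_alert(account, burst, threshold, min_count))
                burst = [r]
        alerts.extend(_burst_alert(account, burst, threshold, min_count))
    return alerts


if __name__ == "__main__":
    for a in single_threshold_alerts(SAMPLE_TRANSFERS) + split_transfer_alerts(SAMPLE_TRANSFERS):
        print(f"{a.kind:22s} {a.account} total={a.total:,} wires={a.count} "
              f"span={(a.last_ts - a.first_ts).total_seconds():.0f}s")
```

In the sample, ACC-3003 trips the single-wire alarm while ACC-1001's three wires only surface through the burst total of 1,498,500 spanning 90 seconds.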
ONE REGULATOR’S RESPONSE – MAS

MAS recent Technology Risk Management Guidelines/Circulars, grouped on the slide under the key regulatory themes Outsourcing, Online systems / eChannels, Customer information protection and Resilience:
• Business Continuity Management Guidelines (June 2003); Further Guidance on BCM (January 2006)
• MAS Notice 634 (May 2004)
• Guidelines on Outsourcing (July 2005)
• Two Factor Authentication (November 2005)
• Internet Banking and Technology Risk Management Guidelines (June 2008)
• End Point Security and Data Protection Circular (March 2009)
• Information Systems Reliability, Resiliency And Recoverability (July 2010)
• IT Outsourcing Circular (July 2011)
• Personal Data Protection Act (October 2012)
• Technology Risk Management Guidelines (Final Released on 21 June 2013)
• Notice on Technology Risk Management (Final Released on 21 June 2013)

Key Change 1: The Guidelines and Circulars within the Red Box are superseded by the new TRM Guideline and Notice.
Key Change 2: Notices impose legally binding requirements.
Key Change 3: Each type of FI is issued with separate Notices, for example:
• Banks
• Insurance companies
• Security exchanges
• Clearing houses
• Capital market services
• Stored value facilities
• Trust Companies
REQUIREMENT 1 – TECHNOLOGY RISK MANAGEMENT & IT GOVERNANCE

[Diagram: Board and Senior Management Oversight over the Risk Assessment Process for the TRM Framework: Risk Identification -> Risk Analysis & Quantification -> Risk Treatment -> Risk Monitoring & Review; supporting artefacts: Risk Matrix, Critical systems, Risk Tracker, Major IT decisions]

TRM Notice requirements:
• Establish a framework for identifying critical systems and information assets
TRM Guidelines requirements:
• Establish a Technology Risk Management Framework to manage technology risks in a systematic and consistent manner
• Board of directors and senior management should ensure that a sound and robust risk management framework is established and maintained
Recommended Solutions:
• Board and senior management ownership and oversight of IT decisions covering both run-the-business (RTB) and change-the-business (CTB) activities
• Embedding the IT risk assessment process into the governance framework
• Combination of business impact analysis (BIA) and customer impact analysis
REQUIREMENT 2 – SYSTEM RESILIENCY

Q: Critical Systems – will failure cause significant disruptions to operations OR materially impact service to customers?

[Diagram: INTERNET -> Routers & Firewalls -> Application Servers -> Database Servers at the Production Site, with a real-time replica (Routers & Firewalls, Application Servers, Database Servers) at the DR Site]

TRM Notice requirements:
• Maintain high availability for critical systems
• Maximum allowable unscheduled downtime within 12 months shall not exceed 4 hours
• RTO for critical systems should be 4 hours or less
• Perform yearly testing on RTO verification
TRM Guidelines requirements:
• Specific RTO and RPO should be defined for IT systems and applications.
Recommended Solutions:
• High availability (HA) infrastructure (mirror production sites) for critical applications. Across the industry the 4 hour RTO is not easy to achieve and requires increased investment
• Enhance the Incident Management process to track the resolution time
• Review DR plans to make sure the RTO defined for critical systems is end-to-end
• Decrease intervals between data snapshots (more recovery points)

Definitions:
RTO = Recovery Time Objective
RPO = Recovery Point Objective
REQUIREMENT 3 – INCIDENT MANAGEMENT & REPORTING

What is your definition of “upon discovery”?
• When the incident occurs/is detected in the system?
• When your technician diagnoses the incident?
• When your management “recognises” or “approves” it as an incident?
[Diagram annotated with “60 min” against these candidate starting points]

TRM Notice requirements:
• Inform MAS about IT security incidents & system malfunctions* within 60 minutes upon discovery
• Submit an Incident report including root cause & impact analysis to MAS within 14 days from the occurrence of the incident
* That have severe and widespread impact on the FI’s operations or materially impact the FI’s service to its customers
Recommended Solutions:
• Establish a classification / identification / reporting process for security incidents and malfunctions. This includes defining reportable and non-reportable incidents.
• Use of automated monitoring / reporting tools to facilitate timely escalation to senior management
• Structured framework for root-cause and impact analysis

I can’t remember my password, tried 10 times without success and the account is now locked. Is this reportable to MAS?
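As an added example (not the deck's own material) covering both the Requirement 2 and the Requirement 3 thresholds, this Python scores a constructed incident register against the 4-hour RTO, the 4-hour annual unscheduled-downtime limit, the 60-minute notification window and the 14-day report deadline; the incident fields, the trailing-365-day reading of "12 months" and the use of detection time as "discovery" (with diagnosis time selectable for comparison) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Limits as the deck summarises them from the MAS TRM Notice.
NOTIFY_WITHIN = timedelta(minutes=60)   # notify MAS within 60 minutes upon discovery
REPORT_WITHIN = timedelta(days=14)      # root cause & impact report within 14 days of occurrence
RTO_LIMIT = timedelta(hours=4)          # RTO for critical systems: 4 hours or less
DOWNTIME_BUDGET = timedelta(hours=4)    # unscheduled downtime within 12 months not to exceed 4 hours
TRAILING_WINDOW = timedelta(days=365)   # assumption: "12 months" read as a trailing 365-day window


@dataclass
class Incident:
    # Field set is an assumption about what an FI's incident register holds.
    system: str
    critical: bool
    occurred: datetime      # service went down / was compromised
    detected: datetime      # monitoring or a user first raised it
    diagnosed: datetime     # a technician confirmed what it was
    restored: datetime      # service back
    scheduled: bool = False                   # planned maintenance is not unscheduled downtime
    severe_widespread: bool = False           # severe and widespread impact on the FI's operations
    material_customer_impact: bool = False    # materially impacts the FI's service to its customers
    notified_mas: Optional[datetime] = None
    report_submitted: Optional[datetime] = None


def is_reportable(inc: Incident) -> bool:
    """The Notice's footnote: report incidents with severe and widespread impact on
    operations, or material impact on service to customers."""
    return inc.severe_widespread or inc.material_customer_impact


def discovery_time(inc: Incident, definition: str = "detected") -> datetime:
    """Assumption: the conservative reading of 'upon discovery' starts the clock at
    detection; 'diagnosed' is kept selectable so the two readings can be compared."""
    return {"detected": inc.detected, "diagnosed": inc.diagnosed}[definition]


def check_incident(inc: Incident, as_of: datetime, definition: str = "detected") -> List[str]:
    """Findings for one incident against the RTO limit and the two reporting deadlines."""
    findings: List[str] = []
    if inc.critical and not inc.scheduled:
        outage = inc.restored - inc.occurred
        if outage > RTO_LIMIT:
            findings.append(f"RTO exceeded: {outage} > {RTO_LIMIT}")
    if not is_reportable(inc):
        return findings
    notify_by = discovery_time(inc, definition) + NOTIFY_WITHIN
    if inc.notified_mas is None:
        if as_of > notify_by:
            findings.append("MAS notification missing")
    elif inc.notified_mas > notify_by:
        findings.append(f"MAS notification late by {inc.notified_mas - notify_by}")
    report_by = inc.occurred + REPORT_WITHIN
    if inc.report_submitted is None:
        if as_of > report_by:
            findings.append(f"incident report overdue since {report_by:%Y-%m-%d}")
    elif inc.report_submitted > report_by:
        findings.append("incident report submitted late")
    return findings


def unscheduled_downtime(incidents: List[Incident], as_of: datetime) -> Dict[str, timedelta]:
    """Cumulative unscheduled downtime per critical system over the trailing window.
    Two outages that each meet the 4-hour RTO can still breach the annual limit together."""
    totals: Dict[str, timedelta] = {}
    since = as_of - TRAILING_WINDOW
    for inc in incidents:
        if inc.critical and not inc.scheduled and inc.occurred >= since:
            totals[inc.system] = totals.get(inc.system, timedelta()) + (inc.restored - inc.occurred)
    return totals


def over_budget(incidents: List[Incident], as_of: datetime) -> List[str]:
    return sorted(s for s, t in unscheduled_downtime(incidents, as_of).items() if t > DOWNTIME_BUDGET)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed incident register (not from the deck).
SAMPLE_INCIDENTS = [
    Incident("CoreBanking", True, _t("2014-06-05 08:00"), _t("2014-06-05 08:12"), _t("2014-06-05 08:40"),
             _t("2014-06-05 11:30"), material_customer_impact=True,
             notified_mas=_t("2014-06-05 08:55"), report_submitted=_t("2014-06-17 09:00")),
    Incident("InternetBanking", True, _t("2014-07-10 02:00"), _t("2014-07-10 02:05"), _t("2014-07-10 02:50"),
             _t("2014-07-10 07:20"), severe_widespread=True, notified_mas=_t("2014-07-10 03:40")),
    Incident("CoreBanking", True, _t("2014-08-20 22:00"), _t("2014-08-20 22:00"), _t("2014-08-20 22:00"),
             _t("2014-08-21 00:00"), scheduled=True),
    Incident("CoreBanking", True, _t("2014-09-02 14:00"), _t("2014-09-02 14:02"), _t("2014-09-02 14:10"),
             _t("2014-09-02 15:10")),
]
AS_OF = _t("2014-10-01 09:00")   # assumption: date of the review

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.system, inc.occurred.date(), check_incident(inc, AS_OF) or "no findings")
    print("over annual downtime limit:", over_budget(SAMPLE_INCIDENTS, AS_OF))
```

The InternetBanking incident is 35 minutes late under the detection reading of "upon discovery" but on time under the diagnosis reading, which is exactly the definitional gap the slide asks about.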
REQUIREMENT 4 – OUTSOURCING GOVERNANCE

IT Outsourcing Circular: published in July 2011 to guide Financial Institutions to evaluate and manage IT outsourcing risks

A typical CIO dashboard will track KPIs for management decision making, as well as outsourcing services and key risk indicators (KRIs)

Where is the data stored? The public cloud is "like outsourcing your data to unknown parties located in unknown places with unknown intentions"

TRM Guidelines requirements:
• Establish a framework, policies and procedures to evaluate, approve, review, control and monitor the risks
Recommended Solutions:
• Establish a risk-based outsourcing framework
• Conduct onsite visits / inspections of the outsourced data centres (both onshore and offshore) at least annually.
• Establish an SLA that specifies the service metrics, KPIs, Key Risk Indicators (KRIs) and reporting procedures
• Assess the ability of service providers to isolate and clearly identify the FIs’ data while engaging cloud computing services
REQUIREMENT 5 – CUSTOMER DATA PROTECTION & DLP

Data Flow and Potential Risk Points
[Diagram. Inside the Organisation’s Premises: Data Warehouse (CRM), Data Centre, Back up / Archival, Outsourced Service Providers / Call Centres, End user Devices, Printer, Paper Documents, Human Interactions. Data actions marked as Risk Points: Read, Copy, Download, Print, Archive, eMail, Remote access, Dispose, Lost / Stolen, Work @ home or client. External Interactions: Internal Conversation, Fax, Phone Calls, Snail Mail, External Interface (Biz partners, Govt Org etc.), Clients/Partners Documents.]

• What and where is your “sensitive data”?
• Could the integrity or confidentiality of customer information be compromised?

TRM Guidelines requirements:
• Sensitive information stored on IT systems, servers and databases should be encrypted and protected
Recommended Solutions:
• Establish a Data Governance Framework
• Define a data classification policy to identify critical data for protection
• Review the life cycle of critical data to identify possible data leakage risks (input -> processing -> extracting/reporting -> storage -> deletion)
• Implement Data Leakage Prevention (DLP) controls to counter the identified data leakage risks
REQUIREMENT 6 – SOURCE CODE REVIEW

For in-house developments, we can embed Source Code Review into the SDLC

Secure Software Development Life Cycle
[Diagram. SDLC phases: Requirements -> Design -> Development -> Testing -> “LIVE”. Security activities across the phases: Security Requirements; Security Design and Architecture Review; Source Code Security Review; Risk Assessment; Network Penetration Testing; Application Security Testing; Security Training; IT Security Controls Review (Application, Network, Systems, Policies & Procedures); Host Security Assessment; Periodic Assessment]

A CIO of a local bank was disappointed with a J2EE web-based system offered by a prominent vendor ...
“We were shocked because their understanding of information security standards didn’t meet our expectations at all. Serious security breaches and weaknesses in the system were discovered during the testing phase: someone could have easily executed an SQL injection into the database, for example. That caused a lot of problems in rolling it out, and we suffered tremendous delays.”
Source: CIO Asia, Jan/Feb 2006

What about software developed by third party vendors?

TRM Guidelines requirements:
• Exercise due diligence in ensuring its applications have appropriate security controls
Recommended Solutions:
• Enforce a source code review requirement within the SDLC cycle for internally developed software.
• Perform due diligence (e.g. source code escrow, review of 3rd party reports over the SDLC process) for software acquired from third party software vendors
REQUIREMENT 7 – TECHNOLOGY REFRESH PLANNING

Operating systems no longer supported or reaching end-of-life

Products Released                   | Lifecycle Start Date | Mainstream Support End Date | Extended Support End Date | Service Pack Support End Date
Windows 2000 Advanced Server        | 3/31/2000            | 6/30/2005                   | 7/13/2010                 |
Windows 2000 Datacenter Server      | 11/13/2000           | 6/30/2005                   | 7/13/2010                 |
Windows 2000 Professional Edition   | 3/31/2000            | 6/30/2005                   | 7/13/2010                 |
Windows 2000 Server                 | 3/31/2000            | 6/30/2005                   | 7/13/2010                 |
Windows XP Professional             | 12/31/2001           | 4/14/2009                   | 4/8/2014                  | 8/30/2005
Windows XP Professional x64 Edition | 4/24/2005            | 4/14/2009                   | 4/8/2014                  | 4/14/2009
Source: http://support.microsoft.com/gp/lifeselectwin

Mainstream Support phase: paid support, security update support, non-security hotfix support, incident support, warranty claims, design changes and feature requests
Extended Support phase: paid support, security update support

Qn 1: Do you have a Software Asset Management (SAM) tool to assist you with tracking your complete list of software inventory?
Qn 2: Are there any designated staff to monitor the patch levels and end-of-service systems based on the software inventory?
Qn 3: Is there a risk assessment process and road map to patch software (applications, databases, operating systems, etc) and retire old technology?

TRM Guidelines requirements:
• Establish a technology refresh plan to replace systems and software that are end-of-support (EOS)
Recommended Solutions:
• Establish an IT application and platform roadmap to define system lifecycle and upgrade requirements
• Maintain an IT hardware and software inventory using a Software Asset Management (SAM) tool to monitor the patch status and EOS systems
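As an added example (not the deck's code), the Python below implements the SAM-style check the recommended solutions describe: it parses the lifecycle table above, joins it to a host inventory, and classifies each host as mainstream, extended, end-of-support or unknown, flagging a refresh inside a lead window; the "Acme Server OS" products, the inventory, the 180-day lead window and the 2014-10-01 assessment date are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime
from typing import Dict, List

# Lifecycle dates for the products in the table above (source cited on the slide:
# http://support.microsoft.com/gp/lifeselectwin). Columns: product | lifecycle start |
# mainstream support end | extended support end, M/D/YYYY as printed there.
SLIDE_LIFECYCLE_ROWS = """\
Windows 2000 Advanced Server|3/31/2000|6/30/2005|7/13/2010
Windows 2000 Datacenter Server|11/13/2000|6/30/2005|7/13/2010
Windows 2000 Professional Edition|3/31/2000|6/30/2005|7/13/2010
Windows 2000 Server|3/31/2000|6/30/2005|7/13/2010
Windows XP Professional|12/31/2001|4/14/2009|4/8/2014
Windows XP Professional x64 Edition|4/24/2005|4/14/2009|4/8/2014
"""
# Constructed rows for hypothetical products (not real software), added so the
# mainstream and extended states also appear in the sample run.
CONSTRUCTED_LIFECYCLE_ROWS = """\
Acme Server OS 2|6/1/2008|6/1/2013|1/10/2015
Acme Server OS 3|1/15/2012|1/15/2017|1/15/2022
"""
# Constructed host inventory in the shape a SAM tool export might take.
INVENTORY_CSV = """\
hostname,role,product
atm-ctl-01,ATM controller,Windows XP Professional
branch-fs-07,branch file server,Windows 2000 Server
hr-db-01,HR database,Acme Server OS 2
ib-web-02,internet banking web,Acme Server OS 3
legacy-app-03,legacy batch host,Acme Server OS 1
"""
AS_OF = date(2014, 10, 1)   # assumption: assessment date around the deck's publication
WARN_DAYS = 180             # assumption: refresh lead time before extended support ends


def _d(s: str) -> date:
    return datetime.strptime(s, "%m/%d/%Y").date()


def parse_lifecycle(*tables: str) -> Dict[str, Dict[str, date]]:
    """Build a product -> lifecycle-dates map from one or more pipe-delimited tables."""
    lifecycle: Dict[str, Dict[str, date]] = {}
    for table in tables:
        for line in table.splitlines():
            if not line.strip():
                continue
            product, start, mainstream_end, extended_end = line.split("|")
            lifecycle[product] = {"start": _d(start), "mainstream_end": _d(mainstream_end),
                                  "extended_end": _d(extended_end)}
    return lifecycle


def support_status(product: str, as_of: date, lifecycle: Dict[str, Dict[str, date]],
                   warn_days: int = WARN_DAYS) -> dict:
    """Classify one product as of a date. days_to_eos is negative once extended support has
    ended. Per the slide only the mainstream and extended phases carry security updates, so
    end_of_support means no further security fixes for that host."""
    info = lifecycle.get(product)
    if info is None:
        # A product the lifecycle data does not know is itself a finding: the inventory
        # cannot be trusted until its support status is established.
        return {"status": "unknown", "days_to_eos": None, "action": "research lifecycle"}
    days_to_eos = (info["extended_end"] - as_of).days
    if as_of > info["extended_end"]:
        status, action = "end_of_support", "retire or upgrade now"
    elif as_of > info["mainstream_end"]:
        status = "extended_support"
        action = "schedule refresh" if days_to_eos <= warn_days else "monitor"
    else:
        status, action = "mainstream_support", "none"
    return {"status": status, "days_to_eos": days_to_eos, "action": action}


def assess_inventory(inventory_csv: str, lifecycle: Dict[str, Dict[str, date]],
                     as_of: date, warn_days: int = WARN_DAYS) -> List[dict]:
    """Join each inventory row to its support status."""
    return [{**row, **support_status(row["product"], as_of, lifecycle, warn_days)}
            for row in csv.DictReader(io.StringIO(inventory_csv))]


def refresh_backlog(results: List[dict]) -> List[str]:
    """Hosts needing a decision now: out of support, unknown lifecycle, or inside the warning window."""
    return sorted(r["hostname"] for r in results if r["action"] not in ("none", "monitor"))


if __name__ == "__main__":
    lifecycle = parse_lifecycle(SLIDE_LIFECYCLE_ROWS, CONSTRUCTED_LIFECYCLE_ROWS)
    for r in assess_inventory(INVENTORY_CSV, lifecycle, AS_OF):
        print(f"{r['hostname']:14s} {r['product']:36s} {r['status']:19s} "
              f"days_to_eos={r['days_to_eos']} action={r['action']}")
```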
REQUIREMENT 8 – END USER DEVELOPMENT

Where are your End User developed applications (EUC) and how are they protected?

Qn 1: Do you know if any staff are using EUCs? Is there an inventory?
Qn 2: Are there EUCs used by management to make important decisions or for reporting purposes?
Qn 3: Where are these critical EUCs?
Qn 4: Are these critical EUCs well protected?

Data Flow and Potential Risk Points
[Same diagram as in Requirement 5: Risk Points inside the Organisation’s Premises (Data Warehouse (CRM), Data Centre, Back up / Archival, Outsourced Service Providers / Call Centres, End user Devices, Printer, Paper Documents, Human Interactions), data actions (Read, Copy, Download, Print, Archive, eMail, Remote access, Dispose, Lost / Stolen, Work @ home or client) and External Interactions (Internal Conversation, Fax, Phone Calls, Snail Mail, External Interface (Biz partners, Govt Org etc.), Clients/Partners Documents)]

TRM Guidelines requirements:
• Implement access and data protection controls for critical end user developed applications
Recommended Solutions:
• Establish an overall framework to define and manage End User developed applications / programs
• Risk assessment and data classification to identify critical EUCs to be protected
REQUIREMENT 9 – DATA CENTRE PROTECTION

Is your data centre protected against the following?
[Diagram: Data Centre – Common Areas of Focus for Threat and Vulnerability Assessment]

TRM Guidelines requirements:
• Obtain and assess the Threat and Vulnerability Assessment (“TVRA”) report of the service provider’s Data Centre facility on a periodic basis
• For new outsourcing, perform TVRA at the feasibility study stage
Recommended Solutions:
• Identify Data Centres that host applications which process/store Singapore customer data, both locally and overseas
• FI or Data Centre service provider to engage specialists to perform a TVRA review for these identified Data Centres, and submit the report to MAS
Common TRM challenges KPMG has identified across the FS industry

Self-Assessment for Common TRM challenges (IT Control Maturity Level rated 1 (LOW) to 5 (HIGH) for each item):
• Group & Localised IT Risk Management Framework & Governance structure
• Critical System Assessment process (Business Impact + Customer Impact)
• System resiliency against single point of failure risk
• Business continuity: RTO ≤ 4 hrs for critical applications per 12 month window
• Timely response and reporting of security incidents and system malfunctions, i.e. within 60 minutes upon discovery
• Assessment of security risks (e.g., DDoS, MITM attacks and skimming) on internet banking, mobile banking and payment cards
• Restrict access to privileged user accounts and monitor their activity
• Encryption of sensitive data - both data in motion and data at rest
• IT Outsourcing Framework with HQ and 3rd parties, SLA monitoring, KRIs
Next steps to address IT Risk Management

Critical Systems Assessment Framework: Group-wide detailed assessment of all systems to determine the list of Critical Applications. Include vendor provided systems.
Board & Management oversight of Technology related Risks: Embed an IT risk assessment process into your governance framework, and use this to oversee Management decision-making concerning strategic RTB and CTB.
System Resiliency / High Availability: Increase investment in HA Infrastructure to ensure continuity of business services in the event of an incident. Refine the business/IT end-to-end recovery process.
Incident Management Process: Establish an incident management process, including outsourced processes. Define an escalation structure to smooth decision-making around reporting of incidents to the Regulator.
Gap Analysis: Conduct a detailed gap analysis between management policies / control environment versus MAS TRM. Establish an action plan to remediate gaps.
Remediation: Implement appropriate policies, procedures, controls and tools/systems to remediate gaps in system resiliency, customer data protection, cybersecurity and outsourcing.
How can KPMG help you?
Our service offering to help you address technology risks

With a deep understanding of the regulatory guidelines and circulars on technology risk management, complemented by rich experience in providing regulatory compliance advisory work, KPMG can elevate you towards the next level of compliance at optimised cost.

• Design Technology Risk Management framework and governance structures
• Gap Assessment based on existing / new technology risk management regulations from Regulators in Singapore and other locations
• IT Outsourcing Framework and vendor assurance review
• IT Security strategy & governance
• Critical System Assessment process / IT Risk Assessments (new / current business initiatives)
• Incident Management process for IT security incidents and system malfunctions
• Develop IT policies and procedures (including resiliency, technology refresh plan, data classification & data governance, IT security roadmap, Data Leakage Protection & encryption)
• IT Assurance and Controls Review
• Training on technology risk management & regulatory compliance
• Source code review, penetration testing, SIEM configuration, system vulnerability management
• Follow-up on MAS inspection reports / audit findings
• IT risk monitoring
• Industry / market wide Business Continuity Management & Disaster Recovery exercises
THANK YOU

DARYL PEREIRA
PARTNER, INFORMATION PROTECTION & BUSINESS RESILIENCY
darylpereira@kpmg.com.sg
KPMG MANAGEMENT CONSULTING
RISK & REGULATION | COST & EFFICIENCY | CUSTOMER & GROWTH
Accenture at LiveWorx: Making Business Flow. Projects are the Anti-PatternsAccenture at LiveWorx: Making Business Flow. Projects are the Anti-Patterns
Accenture at LiveWorx: Making Business Flow. Projects are the Anti-Patterns
 
Driving the future: Why other industries are steering automotive
Driving the future: Why other industries are steering automotiveDriving the future: Why other industries are steering automotive
Driving the future: Why other industries are steering automotive
 
Digital disruption: Embracing an Integrated Digital Ecosystem
Digital disruption: Embracing an Integrated Digital EcosystemDigital disruption: Embracing an Integrated Digital Ecosystem
Digital disruption: Embracing an Integrated Digital Ecosystem
 
Banking on Digital: Generating Value from Digital Investments
Banking on Digital: Generating Value from Digital InvestmentsBanking on Digital: Generating Value from Digital Investments
Banking on Digital: Generating Value from Digital Investments
 
Accenture Liquid Application Studio
Accenture Liquid Application StudioAccenture Liquid Application Studio
Accenture Liquid Application Studio
 
The New World of As a Service
The New World of As a ServiceThe New World of As a Service
The New World of As a Service
 
Accenture Technology Vision for Banking
Accenture Technology Vision for BankingAccenture Technology Vision for Banking
Accenture Technology Vision for Banking
 
Applying Robotic Process Automation in Banking: Innovations in Finance and Risk
Applying Robotic Process Automation in Banking: Innovations in Finance and RiskApplying Robotic Process Automation in Banking: Innovations in Finance and Risk
Applying Robotic Process Automation in Banking: Innovations in Finance and Risk
 
Accenture Cloud Platform: Control, Manage and Govern the Enterprise Cloud
Accenture Cloud Platform: Control, Manage and Govern the Enterprise CloudAccenture Cloud Platform: Control, Manage and Govern the Enterprise Cloud
Accenture Cloud Platform: Control, Manage and Govern the Enterprise Cloud
 

Similar to Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Monetary Authority of Singapore

Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraCyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraKnowledge Group
 
Les technologies disruptives de demain | une étude de KPMG
Les technologies disruptives de demain | une étude de KPMGLes technologies disruptives de demain | une étude de KPMG
Les technologies disruptives de demain | une étude de KPMGOpenYnnov
 
SOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessmentSOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessmentModu9
 
Transformed IT function through managed services for a leading private equity...
Transformed IT function through managed services for a leading private equity...Transformed IT function through managed services for a leading private equity...
Transformed IT function through managed services for a leading private equity...Mindtree Ltd.
 
Iveda sept general investor presentation 092614
Iveda sept general investor presentation 092614Iveda sept general investor presentation 092614
Iveda sept general investor presentation 092614RedChip Companies, Inc.
 
01 National BCM Program
01 National BCM Program01 National BCM Program
01 National BCM ProgramBCM Institute
 
Computer warehouse group annual report 2013
Computer warehouse group annual report 2013Computer warehouse group annual report 2013
Computer warehouse group annual report 2013Michael Olafusi
 
artificial-intelligence-risk-and-controls-matrix.pdf
artificial-intelligence-risk-and-controls-matrix.pdfartificial-intelligence-risk-and-controls-matrix.pdf
artificial-intelligence-risk-and-controls-matrix.pdfduribotak
 
Webinar for August 2018 Technology infrastructure for global insurers
Webinar for August 2018 Technology infrastructure  for global insurersWebinar for August 2018 Technology infrastructure  for global insurers
Webinar for August 2018 Technology infrastructure for global insurersThe Digital Insurer
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek
 
Internship documetn part3
Internship documetn part3Internship documetn part3
Internship documetn part3Shashi_S_S
 
DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022FinTech Belgium
 
The Voyage to EU MDR Compliance
The Voyage to EU MDR ComplianceThe Voyage to EU MDR Compliance
The Voyage to EU MDR ComplianceGreenlight Guru
 
BUS2211 - PROJ.02 - Business Management - Startup Company_Final
BUS2211 - PROJ.02 - Business Management - Startup Company_FinalBUS2211 - PROJ.02 - Business Management - Startup Company_Final
BUS2211 - PROJ.02 - Business Management - Startup Company_FinalRicardo Pereira
 
Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...
Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...
Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...Charmaine Servado
 

Similar to Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Monetary Authority of Singapore (20)

Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraCyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
 
Les technologies disruptives de demain | une étude de KPMG
Les technologies disruptives de demain | une étude de KPMGLes technologies disruptives de demain | une étude de KPMG
Les technologies disruptives de demain | une étude de KPMG
 
SOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessmentSOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessment
 
Bigradap Digital Profile
Bigradap Digital ProfileBigradap Digital Profile
Bigradap Digital Profile
 
Transformed IT function through managed services for a leading private equity...
Transformed IT function through managed services for a leading private equity...Transformed IT function through managed services for a leading private equity...
Transformed IT function through managed services for a leading private equity...
 
Iveda sept general investor presentation 092614
Iveda sept general investor presentation 092614Iveda sept general investor presentation 092614
Iveda sept general investor presentation 092614
 
01 National BCM Program
01 National BCM Program01 National BCM Program
01 National BCM Program
 
Computer warehouse group annual report 2013
Computer warehouse group annual report 2013Computer warehouse group annual report 2013
Computer warehouse group annual report 2013
 
artificial-intelligence-risk-and-controls-matrix.pdf
artificial-intelligence-risk-and-controls-matrix.pdfartificial-intelligence-risk-and-controls-matrix.pdf
artificial-intelligence-risk-and-controls-matrix.pdf
 
Jan Oeberg, ITAMOrg: New IT Asset Management Organization launched (TFT14 Sum...
Jan Oeberg, ITAMOrg: New IT Asset Management Organization launched (TFT14 Sum...Jan Oeberg, ITAMOrg: New IT Asset Management Organization launched (TFT14 Sum...
Jan Oeberg, ITAMOrg: New IT Asset Management Organization launched (TFT14 Sum...
 
Managed services Market: GRI Report
Managed services Market: GRI ReportManaged services Market: GRI Report
Managed services Market: GRI Report
 
john skill set
john skill setjohn skill set
john skill set
 
Webinar for August 2018 Technology infrastructure for global insurers
Webinar for August 2018 Technology infrastructure  for global insurersWebinar for August 2018 Technology infrastructure  for global insurers
Webinar for August 2018 Technology infrastructure for global insurers
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application Attacks
 
Internship documetn part3
Internship documetn part3Internship documetn part3
Internship documetn part3
 
DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022
 
The Voyage to EU MDR Compliance
The Voyage to EU MDR ComplianceThe Voyage to EU MDR Compliance
The Voyage to EU MDR Compliance
 
BUS2211 - PROJ.02 - Business Management - Startup Company_Final
BUS2211 - PROJ.02 - Business Management - Startup Company_FinalBUS2211 - PROJ.02 - Business Management - Startup Company_Final
BUS2211 - PROJ.02 - Business Management - Startup Company_Final
 
CGI Final
CGI FinalCGI Final
CGI Final
 
Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...
Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...
Re-imagine-Risk-Strategies-for-Success-IT-Internal-Audit-Conference-Highlight...
 

More from Knowledge Group

Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Knowledge Group
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Knowledge Group
 
National Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorNational Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorKnowledge Group
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengKnowledge Group
 
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Knowledge Group
 
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin SukardiAddressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin SukardiKnowledge Group
 
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...Knowledge Group
 
Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream) Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream) Knowledge Group
 
Leonard - (Security & Risk Stream) Discovering Optimum Risk Solution for Banks
Leonard - (Security & Risk Stream)  Discovering Optimum Risk Solution for BanksLeonard - (Security & Risk Stream)  Discovering Optimum Risk Solution for Banks
Leonard - (Security & Risk Stream) Discovering Optimum Risk Solution for BanksKnowledge Group
 
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce FraudLisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce FraudKnowledge Group
 
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...Knowledge Group
 
Steven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed BankingSteven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed BankingKnowledge Group
 
David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!Knowledge Group
 
Andrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New TechnologyAndrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New TechnologyKnowledge Group
 
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...Knowledge Group
 

More from Knowledge Group (15)

Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh
 
National Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorNational Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip Victor
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee Seng
 
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
 
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin SukardiAddressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
 
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
 
Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream) Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream)
 
Leonard - (Security & Risk Stream) Discovering Optimum Risk Solution for Banks
Leonard - (Security & Risk Stream)  Discovering Optimum Risk Solution for BanksLeonard - (Security & Risk Stream)  Discovering Optimum Risk Solution for Banks
Leonard - (Security & Risk Stream) Discovering Optimum Risk Solution for Banks
 
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce FraudLisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
 
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...
 
Steven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed BankingSteven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed Banking
 
David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!
 
Andrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New TechnologyAndrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New Technology
 
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...
 

Recently uploaded

8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...ShrutiBose4
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 

Recently uploaded (20)

8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 

Daryl Pereira (Compliance & Regulations Stream) Learning From The Expert – Monetary Authority of Singapore

  • 1. Future Proofing the Banking Industry: Technology Risk Management. Daryl Pereira, Partner, Information Protection & Business Resiliency, KPMG ASEAN Management Consulting
  • 2. DRIVERS FOR ENHANCING TECHNOLOGY RISK MANAGEMENT (TRM)
    © 2014 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
    DRIVERS
    • Online Channels (ATM, credit cards, internet / mobile): rise of cyber crime and cyber warfare; increased number of sophisticated attacks on online systems, internet, mobile, payments, ATM, websites.
    • Outsourcing: increased off-shoring of business processes, use of cloud computing, consolidation of local platforms onto global platforms.
    • ASEAN’s emergence as a global financial hub: trend of tightening regulations by ASEAN regulators to build up and maintain status as a financial hub.
    • System Resilience: recent high profile outages have caused business disruption, reputational damage, and increased the regulator’s focus on resilience.
  • 3. THE CYBER THREATS ARE REAL: INCREASING IMPACT AND FREQUENCY OF ATTACKS ON FINANCIAL SERVICES INDUSTRY
    [Timeline chart, impact against time; caption: Loss of trust and differentiation in the eyes of customers]
    • June 2012: Draft MAS Notice & Guidelines on TRM released
    • June 2013: Final MAS Notice & Guidelines on TRM released
    • November 2013: Target Network Breach & Credit Card Data Theft
    • December 2013: Standard Chartered Customer Data Theft from 3rd party vendor
    • January 2014: Korean Credit Card Breach
    • June - July 2014: DBS & OCBC System Outage
    • July 2014: JP Morgan Hack and Customer Data Loss
    • September 2014: Draft MAS Notice and Guidelines on Outsourcing released
  • 4. ANATOMY OF CYBER ATTACKS ON THE FINANCIAL INDUSTRY
    Technology Risk Management domains: Board & Management Oversight; Data Protection; System Resiliency; Incident Detection, Prevention & Reporting; IT Outsourcing Management
    • Over the past 2 years, the computer networks of dozens of banks, fund managers, and other Financial Services firms have been infiltrated by hackers from Eastern European countries.
    • Data stolen and re-routed, giving attackers the potential to use the information to profit on rogue stock market transactions.
    • Weak link: hackers entered inter-company networks through a vulnerable firm in order to reach other companies.
    • Hedge funds linked to brokers conducting trades for them via secure connections are lower risk, but were targeted by phishing emails which open virtual doors.
    • Disruption to the firm’s high-speed trading platforms, causing loss of business continuity and resulting in reputational damage.
    • Attacks often go undetected: hackers stole the passwords of the CFO of a US hedge fund, then drained US$1.5M in under 2 minutes using 3 wire transfers, each under $500K, the amount that would have triggered an alarm.
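The last point on this slide, three wires each kept below the single-transaction alarm, is a threshold-evasion pattern that a per-transaction rule cannot see by construction. The following Python is an added example, not from the presentation or from KPMG, showing the defender-side fix: a per-account aggregate over a short lookback window, evaluated alongside the per-transaction rule. The wire records, account identifiers and 10-minute window are constructed for illustration; the US$500K figure is the alarm level quoted on the slide.

```python
"""Aggregate-threshold alerting for split wire transfers (added example).

A per-transaction alarm at US$500K is blind to three wires of ~US$499K
sent a minute apart. Summing outbound wires per source account over a
short window catches the pattern. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SINGLE_TXN_ALARM = 500_000          # per-transaction alarm level quoted on the slide (USD)
WINDOW = timedelta(minutes=10)      # assumed per-account lookback window
AGGREGATE_ALARM = SINGLE_TXN_ALARM  # windowed total is held to the same bar as one wire

# Constructed sample wire log: (ISO timestamp, source account, destination, amount USD).
# Account and destination names are placeholders, not real identifiers.
SAMPLE_WIRES = [
    ("2014-07-01T09:00:05", "HF-OPS-001", "ACCT-EXT-77", 499_000),
    ("2014-07-01T09:00:40", "HF-OPS-001", "ACCT-EXT-77", 498_000),
    ("2014-07-01T09:01:50", "HF-OPS-001", "ACCT-EXT-78", 497_000),
    ("2014-07-01T09:30:00", "HF-OPS-002", "ACCT-EXT-10", 120_000),
    ("2014-07-01T15:00:00", "HF-OPS-002", "ACCT-EXT-11", 450_000),  # hours apart: no aggregate alert
]


def parse_wire(rec):
    """Turn one raw log tuple into (datetime, src, dst, int amount)."""
    ts, src, dst, amt = rec
    return datetime.fromisoformat(ts), src, dst, int(amt)


def per_transaction_alerts(wires, threshold=SINGLE_TXN_ALARM):
    """The naive rule: flag any single wire at or above the threshold."""
    return [w for w in wires if w[3] >= threshold]


def windowed_alerts(wires, window=WINDOW, threshold=AGGREGATE_ALARM):
    """Flag each wire that lifts an account's windowed outbound total to or past the threshold.

    Single large wires are left to per_transaction_alerts; this rule only fires
    when two or more wires inside the window add up to the alarm level.
    """
    alerts = []
    recent = defaultdict(list)  # account -> [(timestamp, amount)] still inside the window
    for ts, src, dst, amt in sorted(wires):
        # Evict this account's wires that fell out of the lookback window.
        recent[src] = [(t, a) for t, a in recent[src] if ts - t <= window]
        recent[src].append((ts, amt))
        total = sum(a for _, a in recent[src])
        if total >= threshold and len(recent[src]) > 1:
            alerts.append({
                "account": src,
                "at": ts.isoformat(),
                "count": len(recent[src]),
                "window_total": total,
            })
    return alerts


def run_demo(records=SAMPLE_WIRES):
    """Run both rules over the sample log and return their alerts."""
    wires = [parse_wire(r) for r in records]
    return {
        "per_transaction": per_transaction_alerts(wires),
        "windowed": windowed_alerts(wires),
    }


if __name__ == "__main__":
    result = run_demo()
    print("per-transaction alerts:", len(result["per_transaction"]))
    for a in result["windowed"]:
        print(f"aggregate alert: {a['account']} at {a['at']} "
              f"({a['count']} wires, total US${a['window_total']:,})")
```

On the sample log the per-transaction rule raises nothing, while the windowed rule fires on the second and third wire from HF-OPS-001 (totals US$997,000 and US$1,494,000). Each crossing produces its own alert so an analyst sees the escalation; a production rule would normally also suppress repeats per account per window and feed the alert into the incident reporting process the TRM Notice expects.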
  • 5. ONE REGULATOR’S RESPONSE – MAS
    MAS recent Technology Risk Management Guidelines / Circulars:
    • Business Continuity Management Guidelines (June 2003); Further Guidance on BCM (January 2006)
    • MAS Notice 634 (May 2004)
    • Guidelines on Outsourcing (July 2005)
    • Two Factor Authentication (November 2005)
    • Internet Banking and Technology Risk Management Guidelines (June 2008)
    • End Point Security and Data Protection Circular (March 2009)
    • Information Systems Reliability, Resiliency And Recoverability (July 2010)
    • IT Outsourcing Circular (July 2011)
    • Personal Data Protection Act (October 2012)
    • Technology Risk Management Guidelines (Final released on 21 June 2013)
    • Notice on Technology Risk Management (Final released on 21 June 2013)
    KEY REGULATORY THEMES: Outsourcing; Online systems / eChannels; Customer information protection; Resilience.
    Key Change 1: The Guidelines and Circulars within the Red Box (on the slide) are superseded by the new TRM Guideline and Notice.
    Key Change 2: Notices impose legally binding requirements.
    Key Change 3: Each type of FI is issued with separate Notices, for example:
    • Banks
    • Insurance companies
    • Security exchanges
    • Clearing houses
    • Capital market services
    • Stored value facilities
    • Trust Companies
  • 6. REQUIREMENT 1 – TECHNOLOGY RISK MANAGEMENT & IT GOVERNANCE
    BOARD AND SENIOR MANAGEMENT OVERSIGHT
    Risk Assessment Process for TRM Framework (cycle): Risk Identification -> Risk Analysis & Quantification -> Risk Treatment -> Risk Monitoring & Review. Artefacts: Risk Matrix, Critical systems, Risk Tracker, Major IT decisions.
    TRM Notice requirements:
    • Establish a framework for identifying critical systems and information assets
    TRM Guidelines requirements:
    • Establish a Technology Risk Management Framework to manage technology risks in a systematic and consistent manner
    • Board of directors and senior management should ensure that a sound and robust risk management framework is established and maintained
    Recommended Solutions:
    • Board and senior management ownership and oversight of IT decisions covering both run-the-business (RTB) and change-the-business (CTB) activities
    • Embed the IT risk assessment process into the governance framework
    • Combine business impact analysis (BIA) and customer impact analysis
  • 7. REQUIREMENT 2 – SYSTEM RESILIENCY
    Q: Critical Systems – will failure cause significant disruptions to operations OR materially impact service to customers?
    Diagram: INTERNET -> Routers & Firewalls -> Application Servers -> Database Servers (Production Site), with a real-time replica to the DR Site (Routers & Firewalls -> Application Servers -> Database Servers).
    Definitions: RTO = Recovery Time Objective; RPO = Recovery Point Objective.
    TRM Notice requirements:
    • Maintain high availability for critical systems
    • Maximum allowable unscheduled downtime within 12 months shall not exceed 4 hours
    • RTO for critical systems should be 4 hours or less
    • Perform yearly testing on RTO verification
    TRM Guidelines requirements:
    • Specific RTO and RPO should be defined for IT systems and applications.
    Recommended Solutions:
    • High availability (HA) infrastructure (mirrored production sites) for critical applications. Across the industry the 4-hour RTO is not easy to achieve and requires increased investment
    • Enhance the Incident Management process to track the resolution time
    • Review DR plans to make sure the RTO defined for critical systems is end-to-end
    • Decrease intervals between data snapshots (more recovery points)
  • 8. REQUIREMENT 3 – INCIDENT MANAGEMENT & REPORTING
    TRM Notice requirements:
    • Inform MAS about IT security incidents & system malfunctions* within 60 minutes upon discovery
    • Submit an Incident report including root cause & impact analysis to MAS within 14 days from the occurrence of the incident
    * That have severe and widespread impact on the FI’s operations or materially impact the FI’s service to its customers
    What is your definition of “upon discovery”? The 60-minute window runs from that point:
    • When the incident occurs / is detected in the system?
    • When your technician diagnoses the incident?
    • When your management “recognises” or “approves” it as an incident?
    Recommended Solutions:
    • Establish a classification / identification / reporting process for security incidents and malfunctions. This includes defining reportable and non-reportable incidents.
    • Use automated monitoring / reporting tools to facilitate timely escalation to senior management
    • Structured framework for root-cause and impact analysis
    Example question: “I can’t remember my password, tried 10 times without success and the account is now locked. Is this reportable to MAS?”
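The Notice limits in Requirement 2 (4-hour RTO, 4 hours of unscheduled downtime per 12 months) and Requirement 3 (60-minute notification from discovery, 14-day report from occurrence) can be checked mechanically against incident records. The checker below is an added example, not KPMG's or MAS's tooling; the incident records and the "reportable" flag (the slide's reportable / non-reportable classification) are constructed assumptions, and "discovered" is taken as the monitoring detection time, the earliest of the three definitions the slide asks about.

```python
from datetime import datetime, timedelta

# Limits taken from the TRM Notice requirements on the slides (Requirements 2 and 3).
RTO_LIMIT = timedelta(hours=4)              # recovery of a critical system
ANNUAL_DOWNTIME_LIMIT = timedelta(hours=4)  # unscheduled downtime per 12 months
NOTIFY_LIMIT = timedelta(minutes=60)        # inform MAS, counted from discovery
REPORT_LIMIT = timedelta(days=14)           # root-cause report, counted from occurrence

# Constructed incident records for one critical system (sample data, not from the slides).
# "reportable" reflects the slide's reportable / non-reportable classification.
INCIDENTS = [
    {"id": "INC-001", "system": "CoreBanking", "unscheduled": True, "reportable": True,
     "occurred": "2014-02-03T02:10:00", "discovered": "2014-02-03T02:12:00",
     "restored": "2014-02-03T03:40:00", "mas_notified": "2014-02-03T02:55:00",
     "report_submitted": "2014-02-12T10:00:00"},
    {"id": "INC-002", "system": "CoreBanking", "unscheduled": True, "reportable": True,
     "occurred": "2014-05-10T22:00:00", "discovered": "2014-05-10T22:05:00",
     "restored": "2014-05-11T03:30:00", "mas_notified": "2014-05-10T23:30:00",
     "report_submitted": "2014-05-30T09:00:00"},
    {"id": "INC-003", "system": "CoreBanking", "unscheduled": False, "reportable": False,
     "occurred": "2014-06-01T00:00:00", "discovered": "2014-06-01T00:00:00",   # planned
     "restored": "2014-06-01T06:00:00", "mas_notified": None, "report_submitted": None},
]


def to_dt(value):
    """Accept an ISO-8601 string, a datetime, or None."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value)


def assess_incident(inc):
    """Return (outage duration, list of findings) for one incident record."""
    occurred, discovered, restored = (to_dt(inc[k]) for k in ("occurred", "discovered", "restored"))
    outage = restored - occurred
    findings = []
    if inc["unscheduled"] and outage > RTO_LIMIT:
        findings.append(f"RTO breached: outage {outage} exceeds {RTO_LIMIT}")
    if inc["reportable"]:
        notified = to_dt(inc.get("mas_notified"))
        if notified is None or notified - discovered > NOTIFY_LIMIT:
            findings.append("MAS not informed within 60 minutes of discovery")
        report = to_dt(inc.get("report_submitted"))
        if report is None or report - occurred > REPORT_LIMIT:
            findings.append("Incident report not submitted within 14 days of occurrence")
    return outage, findings


def unscheduled_downtime(incidents, system, as_of, lookback=timedelta(days=365)):
    """Sum unscheduled outage time for `system` in the 12 months ending at `as_of`,
    clipping incidents that straddle the window boundary."""
    as_of = to_dt(as_of)
    window_start = as_of - lookback
    total = timedelta()
    for inc in incidents:
        if inc["system"] != system or not inc["unscheduled"]:
            continue
        occurred, restored = to_dt(inc["occurred"]), to_dt(inc["restored"])
        if restored <= window_start or occurred >= as_of:
            continue
        total += min(restored, as_of) - max(occurred, window_start)
    return total


def annual_cap_breached(incidents, system, as_of):
    return unscheduled_downtime(incidents, system, as_of) > ANNUAL_DOWNTIME_LIMIT


if __name__ == "__main__":
    for inc in INCIDENTS:
        outage, findings = assess_incident(inc)
        print(inc["id"], outage, findings or "compliant")
    print("12-month unscheduled downtime:", unscheduled_downtime(INCIDENTS, "CoreBanking", "2014-12-31T00:00:00"),
          "(cap breached)" if annual_cap_breached(INCIDENTS, "CoreBanking", "2014-12-31T00:00:00") else "(within cap)")
```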
  • 9. REQUIREMENT 4 – OUTSOURCING GOVERNANCE
    The IT Outsourcing Circular was published in July 2011 to guide Financial Institutions in evaluating and managing IT outsourcing risks.
    Where is the data stored? The public cloud is "like outsourcing your data to unknown parties located in unknown places with unknown intentions".
    A typical CIO dashboard will track KPIs for management decision making, as well as outsourcing services and risk indicators (KRIs).
    TRM Guidelines requirements:
    • Establish a framework, policies and procedures to evaluate, approve, review, control and monitor the risks
    Recommended Solutions:
    • Establish a risk-based outsourcing framework
    • Conduct onsite visits / inspections of the outsourced data centres (both onshore and offshore) at least annually
    • Establish SLAs that specify the service metrics, KPIs, Key Risk Indicators (KRIs) and reporting procedures
    • Assess the ability of service providers to isolate and clearly identify the FI’s data when engaging cloud computing services
  • 10. REQUIREMENT 5 – CUSTOMER DATA PROTECTION & DLP
    Data Flow and Potential Risk Points (diagram; Risk Points are marked throughout):
    • Data Centre: Data Warehouse (CRM); Back up / Archival; Outsourced Service Providers / Call Centres
    • Organisation’s Premises: End user Devices; Printer; Paper Documents; Human Interactions (Internal Conversation, Phone Calls, Fax). Actions on data: Read, Copy, Print, Download, Archive, Dispose, eMail, Remote access, Work @ home or client, Lost / Stolen
    • External Interactions: External Interface (Biz partners, Govt Org etc.); Clients / Partners Documents; Snail Mail
    • What and where is your “sensitive data”?
    • Could the integrity or confidentiality of customer information be compromised?
    TRM Guidelines requirements:
    • Sensitive information stored on IT systems, servers and databases should be encrypted and protected
    Recommended Solutions:
    • Establish a Data Governance Framework
    • Define a data classification policy to identify critical data for protection
    • Review the life cycle of critical data to identify possible data leakage risks (input -> processing -> extracting/reporting -> storage -> deletion)
    • Implement controls to counter data leakage risks (Data Leakage Prevention, DLP)
  • 11. REQUIREMENT 6 – SOURCE CODE REVIEW
    For in-house developments, we can embed Source Code Review into the SDLC.
    Secure Software Development Life Cycle (diagram): SDLC phases Requirements -> Design -> Development -> Testing -> “LIVE”, with security activities mapped alongside: Security Requirements; Security Design and Architecture Review; Source Code Security Review; Application Security Testing; Network Penetration Testing; Host Security Assessment; IT Security Controls Review; Risk Assessment; Security Training; Periodic Assessment. Layers covered: Application, Network, Systems, Policies & Procedures.
    A CIO of a local bank was disappointed with a J2EE web-based system offered by a prominent vendor ... “We were shocked because their understanding of information security standards didn’t meet our expectations at all. Serious security breaches and weaknesses in the system were discovered during the testing phase: someone could have easily executed an SQL injection into the database, for example. That caused a lot of problems in rolling it out, and we suffered tremendous delays.” Source: CIO Asia, Jan/Feb 2006
    What about software developed by third party vendors?
    TRM Guidelines requirements:
    • Exercise due diligence in ensuring its applications have appropriate security controls
    Recommended Solutions:
    • Enforce a source code review requirement within the SDLC cycle for internally developed software
    • Perform due diligence (e.g. source code escrow, review of 3rd party reports over the SDLC process) for software acquired from third party software vendors
  • 12. REQUIREMENT 7 – TECHNOLOGY REFRESH PLANNING
    Operating systems no longer supported or reaching end-of-life:

    Products Released                    | Lifecycle Start Date | Mainstream Support End Date | Extended Support End Date | Service Pack Support End Date
    Windows 2000 Advanced Server         | 3/31/2000            | 6/30/2005                   | 7/13/2010                 |
    Windows 2000 Datacenter Server       | 11/13/2000           | 6/30/2005                   | 7/13/2010                 |
    Windows 2000 Professional Edition    | 3/31/2000            | 6/30/2005                   | 7/13/2010                 |
    Windows 2000 Server                  | 3/31/2000            | 6/30/2005                   | 7/13/2010                 |
    Windows XP Professional              | 12/31/2001           | 4/14/2009                   | 4/8/2014                  | 8/30/2005
    Windows XP Professional x64 Edition  | 4/24/2005            | 4/14/2009                   | 4/8/2014                  | 4/14/2009
    Source: http://support.microsoft.com/gp/lifeselectwin

    Mainstream Support phase: paid support, security update support, non-security hotfix support, incident support, warranty claims, design changes and feature requests
    Extended Support phase: paid support, security update support
    Qn 1: Do you have a Software Asset Management (SAM) tool to assist you with tracking your complete list of software inventory?
    Qn 2: Are there any designated staff to monitor the patch levels and end-of-service systems based on the software inventory?
    Qn 3: Is there a risk assessment process and road map to patch software (applications, databases, operating systems, etc.) and retire old technology?
    TRM Guidelines requirements:
    • Establish a technology refresh plan to replace systems and software that are end-of-support (EOS)
    Recommended Solutions:
    • Establish an IT application and platform roadmap to define system lifecycle and upgrade requirements
    • Maintain an IT hardware and software inventory using a Software Asset Management (SAM) tool to monitor the patch status and EOS systems
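The lifecycle table above is the kind of reference data a SAM-driven EOS check runs against. The script below is an added example (not KPMG's or a SAM vendor's tool): it encodes the slide's table, classifies each inventory entry as mainstream, extended, end-of-support or unknown as of a chosen date, and lists hosts needing refresh with critical systems first. The inventory rows are constructed sample data; the warn_days horizon is an assumption.

```python
from datetime import datetime

# Lifecycle dates as printed in the slide's table (source: Microsoft support lifecycle page).
# Tuple: (lifecycle start, mainstream support end, extended support end).
LIFECYCLE = {
    "Windows 2000 Advanced Server":        ("3/31/2000",  "6/30/2005", "7/13/2010"),
    "Windows 2000 Datacenter Server":      ("11/13/2000", "6/30/2005", "7/13/2010"),
    "Windows 2000 Professional Edition":   ("3/31/2000",  "6/30/2005", "7/13/2010"),
    "Windows 2000 Server":                 ("3/31/2000",  "6/30/2005", "7/13/2010"),
    "Windows XP Professional":             ("12/31/2001", "4/14/2009", "4/8/2014"),
    "Windows XP Professional x64 Edition": ("4/24/2005",  "4/14/2009", "4/8/2014"),
}

# Constructed software inventory, in the shape a SAM tool export might take (sample data).
INVENTORY = [
    {"host": "atm-ctrl-01",  "product": "Windows XP Professional",             "critical": True},
    {"host": "branch-fs-07", "product": "Windows 2000 Server",                 "critical": False},
    {"host": "hr-kiosk-02",  "product": "Windows XP Professional x64 Edition", "critical": False},
    {"host": "app-web-03",   "product": "Windows Server 2008 R2",              "critical": True},
]


def parse_date(text):
    """Dates in the table use the US M/D/YYYY form."""
    return datetime.strptime(text, "%m/%d/%Y")


def support_phase(product, as_of):
    """Classify `product` at `as_of` as 'mainstream', 'extended', 'end-of-support' or 'unknown'.
    Returns (phase, days until extended support ends; negative once it has ended; None if unknown)."""
    as_of = parse_date(as_of) if isinstance(as_of, str) else as_of
    if product not in LIFECYCLE:
        return "unknown", None  # absent from the lifecycle data: needs a manual lookup, not silence
    _start, mainstream_end, extended_end = (parse_date(d) for d in LIFECYCLE[product])
    days_left = (extended_end - as_of).days
    if as_of > extended_end:
        return "end-of-support", days_left
    if as_of > mainstream_end:
        return "extended", days_left
    return "mainstream", days_left


def refresh_report(inventory, as_of, warn_days=365):
    """Hosts already out of support, with unknown lifecycle data, or whose extended
    support ends within `warn_days`; critical systems first, soonest expiry first."""
    as_of = parse_date(as_of) if isinstance(as_of, str) else as_of
    flagged = []
    for item in inventory:
        phase, days_left = support_phase(item["product"], as_of)
        if phase in ("unknown", "end-of-support") or (days_left is not None and days_left <= warn_days):
            flagged.append({**item, "phase": phase, "days_left": days_left})
    # Unknown products sort after dated ones within each criticality group.
    return sorted(flagged, key=lambda r: (not r["critical"],
                                          r["days_left"] if r["days_left"] is not None else 10**6))


if __name__ == "__main__":
    for row in refresh_report(INVENTORY, "10/1/2014"):
        flag = "CRITICAL" if row["critical"] else "        "
        print(f"{flag} {row['host']:<13} {row['product']:<36} {row['phase']:<15} {row['days_left']}")
```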
  • 13. REQUIREMENT 8 – END USER DEVELOPMENT
    Where are your End User developed applications (EUC) and how are they protected?
    Qn 1: Do you know if any staff are using EUCs? Is there an inventory?
    Qn 2: Are there EUCs used by management to make important decisions or for reporting purposes?
    Qn 3: Where are these critical EUCs?
    Qn 4: Are these critical EUCs well protected?
    Data Flow and Potential Risk Points: the same diagram as in Requirement 5 (Data Centre, Organisation’s Premises, External Interactions, with Risk Points marked).
    TRM Guidelines requirements:
    • Implement access and data protection controls for critical end user developed applications
    Recommended Solutions:
    • Establish an overall framework to define and manage End User developed applications / programs
    • Risk assessment and data classification to identify critical EUCs to be protected
  • 14. REQUIREMENT 9 – DATA CENTRE PROTECTION
    Is your data centre protected against the following? (Diagram: Data Centre – Common Areas of Focus for Threat and Vulnerability Assessment)
    TRM Guidelines requirements:
    • Obtain and assess the Threat and Vulnerability Assessment (“TVRA”) report of the service provider’s Data Centre facility on a periodic basis
    • For new outsourcing, perform a TVRA at the feasibility study stage
    Recommended Solutions:
    • Identify Data Centres that host applications which process / store Singapore customer data, both locally and overseas
    • FI or Data Centre service provider to engage specialists to perform a TVRA review for these identified Data Centres, and submit the report to MAS
  • 15. Common TRM challenges KPMG has identified across the FS industry
    Self-Assessment for Common TRM challenges: rate each item on an IT Control Maturity Level from 1 (LOW) to 5 (HIGH).
    • Group & Localised IT Risk Management Framework & Governance structure
    • Critical System Assessment process (Business Impact + Customer Impact)
    • System resiliency against single point of failure risk
    • Business continuity: RTO =/< 4 hrs for critical applications per 12 month window
    • Timely response and reporting of security incidents and system malfunctions, i.e. within 60 minutes upon discovery
    • Assessment of security risks (e.g., DDOS, MITMA and skimming) on internet banking, mobile banking and payment cards
    • Restrict access to privileged user accounts and monitor their activity
    • Encryption of sensitive data - both data in motion and data at rest
    • IT Outsourcing Framework with HQ and 3rd parties, SLA monitoring, KRIs
  • 16. Next steps to address IT Risk Management
    • Critical Systems Assessment Framework: Group-wide detailed assessment of all systems to determine the list of Critical Applications. Include vendor provided systems.
    • Board & Management oversight of Technology related Risks: Embed an IT risk assessment process into your governance framework, and use this to oversee Management decision-making concerning strategic RTB and CTB.
    • System Resiliency / High Availability: Increase investment in HA Infrastructure to ensure continuity of business services in the event of an incident. Refine the business/IT end-to-end recovery process.
    • Incident Management Process: Establish an incident management process, including outsourced processes. Define an escalation structure to smooth decision-making around reporting of incidents to the Regulator.
    • Gap Analysis: Conduct a detailed gap analysis between management policies / control environment versus MAS TRM. Establish an action plan to remediate gaps.
    • Remediation: Implement appropriate policies, procedures, controls and tools/systems to remediate gaps in system resiliency, customer data protection, cybersecurity, and outsourcing.
  • 17. How can KPMG help you? Our service offering to help you address technology risks
    With a deep understanding of the regulatory guidelines and circulars on technology risk management, complemented by rich experience in providing regulatory compliance advisory work, KPMG can elevate you towards the next level of compliance at optimised cost.
    • Design Technology Risk Management framework and governance structures
    • Gap Assessment based on existing / new technology risk management regulations from Regulators in Singapore and other locations
    • IT Outsourcing Framework and vendor assurance review
    • IT Security strategy & governance
    • Critical System Assessment process / IT Risk Assessments (new / current business initiatives)
    • Incident Management process for IT security incidents and system malfunctions
    • Develop IT policies and procedures (including resiliency, technology refresh plan, data classification & data governance, IT security roadmap, Data Leakage Protection & encryption)
    • IT Assurance and Controls Review
    • Training on technology risk management & regulatory compliance
    • Source code review, penetration testing, SIEM configuration, system vulnerability management
    • Follow-up on MAS inspection reports / audit findings
    • IT risk monitoring
    • Industry / market wide Business Continuity Management & Disaster Recovery exercises
  • 18. THANK YOU
    DARYL PEREIRA, PARTNER, INFORMATION PROTECTION & BUSINESS RESILIENCY
    darylpereira@kpmg.com.sg
    KPMG MANAGEMENT CONSULTING: RISK & REGULATION | COST & EFFICIENCY | CUSTOMER & GROWTH