The advent of anti-fragile banking systems

Regulatory changes mean that, from 2024, banks will have to prove their IT systems’ resilience

Mark Kenny, client director for retail banking, Expleo Group: ‘A proactive risk mitigation strategy is fundamental to achieving resilience.’ Picture: John Ohle

Banking is always in the public eye, but the rise of digital operational resilience will mean the banks’ back-end systems will have to be as secure and reliable as the front-end.

Digital operational resilience describes an organisation’s ability to avoid customer service interruptions, recover quickly from incidents and fully appreciate potential vulnerabilities, said Mark Kenny, client director for retail banking, Expleo Group.

It is also necessary. Due to come into force in 2024, the Digital Operational Resilience Act (DORA) will introduce a comprehensive framework at EU level addressing the digital operational resilience needs of regulated financial entities, in addition to establishing an oversight framework for what will be deemed critical ICT third-party providers.

“A proactive risk mitigation strategy is fundamental to achieving resilience,” said Kenny.

With DORA coming into force, banks and financial institutions in Ireland – and across the EU – will need to begin reviewing their digital operational readiness strategies and obligations sooner rather than later, he said.

“Fine tuning and digitally rewiring business operations now will help to deliver a more proactive risk mitigation strategy. This will help to avoid customer service interruptions in the near term and will ensure operational change can be enacted swiftly as the regulatory guidelines shift.”

Meeting customer needs

When it comes to banking and financial services, customers obviously want protection, particularly in the face of the rise and rise of cybercrime. Naturally, they also prefer as much responsibility as possible to be pushed back to the bank. From a customer viewpoint, the implementation of DORA will lead to more robust system interfaces with financial services providers, as more reliable cybersecurity is demanded.

Public-facing service systems tend to already be secure, and are continually updated.

“These systems would be in scope for any cybersecurity governance, risk and compliance (GRC) assessment. There are plenty of systems in this state, and the goal of DORA would be to ensure that controls are in place to monitor these systems and control access at every entry point utilising regular pen testing and SOC monitoring/remediation to ensure that new potential vulnerabilities are continually added to the regular tests,” said Kenny.

The difficulty, he said, lies in the attack surface: an attacker may use a back-end avenue to gain access, regardless of the controls on the public-facing areas.

“This could be done by phishing and gaining access to credentials that allow the attacker to be a valid user on the system and lead to operational disruption. I’m sure these will be considered during the GRC assessment as well.”

Ready or not

Expleo recently commissioned research, alongside Reed Smith LLP and Account Payment Specialists, to get the views of traditional and challenger banks, asset managers, insurers, payment firms and other fintechs in the EU and Britain.

“The research was carried out by QA Financial, and the full results are available in a new white paper called Digital Operational Resilience: The New Heart of Operational Risk,” said Kenny.

It found 50 per cent of firms recognised an enhanced focus on digital resilience, driven by business demand for always-on access to systems and regulatory focus. However, only 20 per cent of the organisations surveyed are now preparing specifically for DORA.

“So, there is a significant amount of education and preparation still to be done in this area,” said Kenny.

Expleo has found that the greatest threats to resilience are risks associated with human error. For example, last year’s cyberattack on the HSE stemmed from an email being opened in error, while the 2012 RBS IT problems, which severely impacted its payments systems, were caused by a human error during a software update.

“Human error poses risks both to a financial entity’s operational activities and to its customers, for example, by the inadvertent disclosure of confidential information through phishing scams,” said Kenny.

To date, solutions for [threats such as] smishing are based on filtering at the network level. However, Expleo is supporting a banking client with a solution that resides on the handset to complement the network filtering approach.

A major factor in complying with DORA, however, will be demonstrating resilience. Indeed, the Central Bank of Ireland has stated that it expects firms to be actively addressing operational resilience vulnerabilities.

“Digital resilience weaknesses will undoubtedly be an area of significant focus for both firms and the regulator,” Kenny said.

However, Expleo’s BTI 2022 research shows that ‘skills gaps and talent shortages’ are a challenge for business, with 52 per cent of all organisations surveyed selecting this as among their top issues.

“Furthermore, over half of firms also felt their internal IT teams were too stretched. When we combine these two skills-related issues, almost eight in ten firms appear impacted by technology skills pressures,” he said.

Long-term planning is needed, however: many firms intend to turn to automation and AI, or to seek new sources of skilled individuals. Kenny said this might include new recruitment policies that look beyond the traditional IT pools.

“For instance, by widening the recruitment net to include more diverse backgrounds,” he said.