Strengthening Digital Operation Resilience in Financial Services

 

 

Risk management is only getting more challenging with the rise of new technologies. But these same technologies are also presenting new means of risk management. This panel delves into the risks and charts pathways to shore up digital operational resilience in financial services.

 

1. Emerging risks

Diana Paredes of Suade Labs kicked off the conversation by highlighting two types of risks: internal and external.

  • Two types of risks
    • Internal risk: Maintaining reliability and uptime in payments, which is critical for customer satisfaction.
    • External risk: The rise of AI-powered fraud and increasing need for AI tools to manage it.
  • AI risks: Kenneth Siow of Tencent delved into the different ways AI can pose a threat in cybersecurity:
    • Deepfakes: Malicious actors can use deepfakes to impersonate individuals in video calls and commit fraud, such as simulating account openings in financial institutions.
    • AI-driven scams: AI is leveraged in scams (e.g., fraudulent SMS messages and automated calls) that deceive customers into clicking malicious links or providing sensitive information.
  • Third-party risks: Tobias Gondrom of UOB highlighted the security posture of third-party vendors as a major worry.
    • Businesses often rely on these partners but lack visibility into their security practices and vulnerabilities.
    • Transparency from third parties is crucial to ensure the safety of data and systems.

 

2. Bolstering cybersecurity

In response to growing threats, speakers highlighted the urgent need to strengthen cybersecurity for greater resilience.

  • Proactiveness: Financial institutions need to be proactive in staying ahead of potential threats. They can do so through:
    • Penetration testing and regular testing of security systems and endpoints, which are key actions.
    • Monitoring global trends to anticipate similar risks, which can help institutions prepare in advance.
  • Cyber threats & education: There is a critical need for broader education to help people understand online risks, particularly around AI-driven fraud.
  • Collaboration: We need faster and more open sharing of vulnerabilities across the industry.
  • Proactive regulation: Regulators must be up-skilled and adaptive to create new frameworks that address emerging risks.

 

Approaches to Third-Party Risk Management:

  • Regulatory and Company Actions: Third-party risk is being addressed at both the regulatory and company levels. In Singapore, regulatory frameworks have been introduced to assess third-party risks, and financial institutions are taking notice and working on improving their own risk management practices. Companies are also actively reviewing third-party risks, especially related to critical business services.
  • Comprehensive Risk Management: Financial institutions should approach third-party risk in a holistic manner, ensuring that their security posture is well integrated. This includes proactive testing, engaging with third-party penetration testing, and working with regulators to ensure full compliance with security and data protection standards. This holistic view helps prevent reactive or "band-aid" solutions after breaches occur.

Stress Testing and Liabilities:

  • Systemic Risk & Stress Testing: There is an emerging concern over the systemic risks posed by large companies in the technology and software sectors, whose failure can have a far-reaching impact on smaller firms. Stress testing and penetration testing should be more robust to identify these vulnerabilities in the ecosystem. The failures of large vendors like CrowdStrike and Microsoft showed how critical this is.
  • Vendor Liability and SLAs: The liabilities tied to cloud providers and vendors need to be more carefully considered. While SLAs (Service Level Agreements) might offer limited protection, cloud providers often have minimal liability in case of significant outages, which can leave companies exposed. This issue needs more open discussion about what compensation or remediation should look like in case of service interruptions or breaches.

 


 

 

Speakers:

  • Diana Paredes, Chief Executive Officer, Suade Labs
  • Kenneth Siow, Regional Director SE Asia & General Manager (Singapore/Malaysia), Tencent
  • Tobias Gondrom, Chief Information Security Officer, United Overseas Bank
  • Valerie Wagoner, Head of Product APAC, Stripe

Moderator:

  • Jo Ann Barefoot, Co-founder & Chief Executive Officer, Alliance for Innovative Regulation
 
 
