Internet Banking - PowerPoint PPT Presentation

Slides: 11
Provided by: bank49

Transcript and Presenter's Notes

Title: Internet Banking


1
E-Security Risk Mitigation: A Supervisor's Perspective
Global Dialogue, World Bank Group
September 10, 2003
Hugh Kelly, Special Advisor for Global Banking
Office of the Comptroller of the Currency
2
What is Electronic Security?
  • Any tool, technique, or process that protects a
    system's information assets from threats to
    confidentiality, integrity, or availability
  • E-security is composed of:
    • Soft infrastructure: policies, procedures,
      processes & protocols that protect the system
      & data from compromise
    • Hard infrastructure: hardware & software used to
      protect the system & data from threats to
      security from inside & outside

3
Why is E-Security Important?
  • Greater reliance on technology increases
    potential for & likely impact of e-security
    threats
  • By 2005, online banking will be over 50% in
    industrial countries & 10% in emerging markets
  • Growing global connectivity through distributed
    networks, broadband & wireless connections
  • Most types of e-crimes are not new
  • New dimensions of security threats due to
    networks & e-banking

4
Changing Nature of E-Threats
  • External
    • Speed & sophistication of cyber-attacks
    • Hackers are smarter & better organized
    • Blended threats & hybrid attacks
    • Critical infrastructure reliance on Internet
    • Cross-border nature of cyber-attacks
  • Internal
    • Security not well understood by Board &
      management, nor a high priority
    • Misconfigured or outdated systems, mail programs
      or web sites lead to vulnerabilities
    • Security holes in mobile & wireless networks
    • Use of generic off-the-shelf software
    • Just one naïve user with easy-to-guess password
      increases risk

5
(No Transcript)
6
Possible Effects of a Cyber Attack
  • Denial-of-service
  • Unauthorized use or misuse of computing systems
  • Loss/alteration/compromise of data or software
  • Monetary/financial loss
  • Loss or endangerment of human life
  • Loss of trust in computer/network system
  • Loss of public confidence

7
Proactive Multi-Layered Risk Mitigation Framework
  • Need for broader adoption of proactive e-security
    risk mitigation processes
    • Help identify & manage threats
    • Meet business & customer expectations
    • Preserve public trust
  • Caveat: E-security framework must be
    multi-layered & dynamic
    • Changing risk profiles
    • People, processes & technology issues

8
E-Security Risk Control Program
  • Need awareness at Boardroom level
  • Direct business impact
  • Linkage to standards demanded by regulators,
    shareholders & customers
  • Apply Basel EBG e-banking risk management
    principles
  • Active oversight by Board & management
  • Robust e-security risk control policy/program
  • Authentication & authorization
  • Data access controls, encryption & recovery
  • Intrusion detection, integrity checking &
    incident response procedures
  • Consider operational risk impact

9
Supervisory Actions
  • Need more focus globally on enhancing e-security
    supervision & examination
  • Many individual bank supervisors are developing:
  • Modern e-security risk management standards for
    their banks
  • Integrated IT/safety & soundness examination
    procedures
  • Better incident reporting & analysis
  • Business continuity/disaster recovery plans
    (public/private sector scope)

10
Conclusion: What Can We Do Together?
  • Enhance global supervisory cooperation on
    e-security issues
  • Promote e-security risk management principles &
    best practices
  • Information exchange on incidents, threat &
    vulnerability assessments & risk mitigation needs
  • Supervisory policy development, including
    examination approaches to cyber & IT risks
  • Examiner training
  • Public alerts & education