There is a need to understand the ‘internal and external’ threat landscape

Barely a fortnight after the biggest cash heist in the Zambian financial markets this year, involving a Barclays Bank vault custodian who fled with cash in excess of $400,000, another bank, the Zambia National Commercial Bank (ZNCB), has been hit with both a cyber incident (card cloning on its Xapit product) and a mini cash heist in which a member of its staff fled with K59,000 drawn on a client’s savings account. This is not the first time the latter bank has experienced a cyber attack this year: earlier, its internet banking portal was compromised and hacked into, exposing thousands of client accounts.

The common thread in all the cases experienced thus far is that weaknesses in controls are the key focus area. Suffice to say, these incidents reveal the need for the commercial banking industry to align their risk management postures towards understanding not only the external, but also the internal threat landscape, which has been overlooked. What stands out across the banks affected is that the heists were perpetrated by insiders. So the question in any analyst’s mind is: do banks really understand their internal threat landscapes? To what extent is conduct risk tracked? Do banks take a keen interest in lifestyle audits?

The $0.4 million cash heist can be traced to a lavish lifestyle pattern that could have been tracked proactively on social media as ‘Pamela Gondwe’ (the Barclays offender) travelled the world, which she could not have afforded on her monthly remuneration.

The card cloning or duplication incident at Zambia National Commercial Bank reveals weaknesses in internal controls in the card production process, which allowed an opportunistic staff member to draw on a client account, exposing the financial institution to value at risk of K59,000. As if this were not enough, the bank’s Xapit product was hacked into after clients compromised their personal identification numbers (PINs), granting fraudsters access to client deposits.

These incidents signal weaknesses in controls; a lack of staff rotation or of growth in roles, breeding demotivation; or outright weak risk management and operational risk supervision on the part of the central bank.

Commercial banks need to return to the basics of banking, which is not only to offer clients savings platforms but to embed security and safety in all their products. Robust penetration tests are critical for the security of the products that banks roll out.

RECOMMENDATIONS

Highest integrity expected from bank staff 

All banking staff need to adhere to the highest tenets of diligence, accountability and honesty. Bankers owe clients a fiduciary duty. However, there is a need to understand the internal threat landscape to assist in managing risks in-house.

Increased resilience and vulnerability tests 

Whereas central banks should do stress tests, it is incumbent upon financial institutions to increase their resilience to different risk types, especially those operational in nature.

Banks to keep up with morphing fraudster mindsets

Fraudster minds are persistently morphing to find ways of circumventing the system, and as such commercial banks should invest more in staying ahead of the curve by engaging in cyber resilience programs and understanding threat landscapes.

Card cloning has been a global problem which has been curbed with chip-and-PIN technology and EMV compliance. EMV, however, only protects where chip transactions are enforced (cloned magnetic stripe data remains usable wherever stripe fallback is accepted), and it does nothing against an insider who can issue a duplicate card from the production system itself, which is the control gap at issue here. Understanding the threat landscape for those involved in card production is therefore key in managing card risks. Banks need to revisit their process flows for card production and PIN management.

Physical security controls are key 

In addition to cyber security, physical security is key in banks, especially for server and CCTV rooms. Access to these rooms needs to be controlled physically (badge or biometric entry with an access log), backed by tightened Logical Access Management (LAM) for the CCTV and server systems housed there.

DAVID AND GOLIATH RISK MANAGEMENT THEORY (COMMENTARY)

The lapses identified in the recent incidents not only threaten erosion of profitability but weigh on shareholder value, or return on equity (ROE). Irrespective of how small the value at risk may be, the vulnerabilities expose the banks to potential losses that threaten capital. Cyber issues fit a “David and Goliath” theory in which a small vulnerability leads to big impacts in operational losses: it takes one entry point to cripple systems in cyber space. The fact that these vulnerabilities have been identified in a sample of banks does not exempt the remaining 17 commercial banks from exposure. Rather, it is an opportunity for the entire industry to check their postures in security, cyber and people risk. The strength of a chain is measured by its weakest link; as such, no matter how tight the risk and controls environment is, people issues are the biggest threat to the effectiveness of the risk architecture. People’s lifestyles and conduct risk postures are critical. These issues reflect not only on the risk management function but on the human capital architecture. People’s behavioural patterns are critical in understanding the threat landscape.

Compiled by Mutale Chewe an Economist and Rhodes Scholar.
