DATA. This word is often used in the digital world. There is an increase in the consumption of data across all the world.
The digital economy is highly reliant on data as a constant source for information. But it is not enough to just have a large of pool of data. Financial Institutions need to understand their data and know how to manage it.
Banks need to be able to balance technology and risk. It is important to acknowledge that it is a tough balance for managing regulatory guidelines and the pace of technology.
This was the focus of OpenGov’s Breakfast Insight: Are you prepared for New Era of Technology Risk? held on November 21st at the Hilton, Kuala Lumpur, Malaysia.
Data Governance and Protection
With the environment becoming more stringent with new levels of data governance and it shifting to more digital business processes, the Financial Services Industry is under the pressure of these changes.
This in return introduces new, nimble competitors and empowers customers in new ways.
Mohit Sagar, Editor-in-Chief and Managing Director at OpenGov Asia said that good data governance and protection will allow for the continued success and survival of banking organisations.
As these organisations start to use data to their competitive advantage, it will allow them to better optimise their processes and better serve their customers.
Data privacy and protection are key assets in an increasingly complex environment. Having said that, data transfer has to be possible to be able to use artificial intelligence or analytics.
On the contrary, Governments have significantly increased “data localisation” measures where information is held in servers inside individual countries.
This is because cybersecurity is of a high priority to governments, with protecting sensitive data of citizens and ensuring citizen trust.
Ransomware has impacted organisations, including financial services, with losses estimating at 100 million of dollars.
There must be regulatory compliance in ensuring data governance and protection. Organisations should get to know their customers.
There is increasing adoption of cloud across the financial services industry as part of innovation efforts.
A data governance framework is crucial to ensuring that the organisation holds the right people, right process and right technology.
DevOps is one other approach that banks should adopt for gaining a competitive advantage. It can aid banks in managing the daunting task of improving software within a shorter time period while providing efficient services to their customers.
In the end, having trustworthy data will allow banks to make reliable decisions. Incorporating the use of data while adopting the right strategies will ensure that organisations stay ahead of the competition in the financial services industry.
Understanding Risk and Being Proactive
In the new era of technology risk, the landscape of risks has changed. The surface area to which organisations are subjected to risks has expanded.
Employee behaviour is such that there is a need to access data fast and quick- this comes with risks of its own.
KC Phua, Core Storage & Data Protection Lead, Asia Pacific at Hitachi Vantara shared on a risk management framework published by the central bank in Malaysia.
It covers the policy requirements and regulatory process. Some of these include cybersecurity management, governance, legal provision.
The framework is applicable to 8 categories of financial institutions: Licensed banks, licensed investment banks, licensed Islamic banks, licensed insurers including professional reinsurers, licensed takaful operators including professional retakaful operators, prescribed development financial institutions, approved issuer of electronic money, and operator of a designated payment system.
Risks can be effectively managed with the following steps:
- Governance
- Risk management
- Operations management
- Cybersecurity management
- Technology audit
- Internal awareness and training
It is important to be proactive, understand the surface area of risks and develop solutions for mitigating them.
Test the Foundations and Principals of Risk Management
Technology has evolved such that data/ information are all within our fingertips, with the help of our handy smartphones.
The impacts as a result of these advancements are seen in the evolution of data breaches. From malware where viruses infected millions of computers worldwide to ransomware where cybercriminals shift their focus to cloud systems and can target selected individuals.
The current topical areas of data protections are cloud security, material outsourcing, prudential requirements, system resilience, disaster recovery, and data privacy.
Rohan Wickremesinghe, Head of Technology Risk and Compliance/ Program Integration Leader- ALSL at TAL Australia, shared on the challenges with ensuring data protection.
There is a heavy demand for technical skillsets. Complex architectural designs are created across federated models. Adding to that, core systems are old and hard to replace. Organisations are afraid to break things.
Risk accepting has also become easier. There is significant pressure to reduce costs. Staff, especially risk teams, lack the relevant skills or are understaffed.
Rohan also provided an insight into the challenges faced in Australia. These include a lack of urgency, clear accountabilities, and complacency.
Some of the risks encountered in Australia include cloud data loss. This was a result of factors such as SOC reports not being reviewed and the failure to include cloud services to IT general controls.
As a result, the admin account got compromised via phishing, production data was deleted, and backups stored on cloud were also deleted.
Loss of functionality and vendor data breach were other encountered risks.
The key takeaways from these situations are the need for greater collaboration, understanding of end to end solutions, automation and data-driven techniques, and risk and issue prioritisation.
Rohan stressed that institutions need to figure out how to do their basics well with risk management. They should not rely on just policies. Testing the foundations and principals within the organisation is crucial as well.
Incorporate Data Protection into Data Governance Strategies
In the end, everyone is at different points of their journey towards managing risk.
Regardless, data protection must be incorporated into data governance strategies.
Tan Wooi Kwan, Country Manager, Broadcom, Malaysia emphasised that Recovery Point Objective (RPO) and Recovery Time Objective (RTO) must be constantly reviewed and tested to safeguard and make data available under all circumstances.
Most companies already have a clear strategy to protect structured data.
They now need to quickly identify and classify unstructured data that requires the same data governance and protection measures.
Where are Organisations at?
Most organisations see themselves at the beginning stage of governing and protecting data. They believe that data privacy is a key topic for their organisation as they are actively working on building the right architecture to ensure governance and controls.
Organsiations are concerned with the risk of ransomware attacks and have plans in place to implement relevant measures to prevent such risks.
They are also looking at better ways of managing unstructured data, which is the fastest growing data type among mobile adoption and IoT.
Most organisations are still evaluating cloud adoption and are experimenting on it with different options. But they do believe that the hybrid cloud model is the best option for their organisation.
DevOps is seen as another solution that still needs to be explored and experimented with. Data Operations, on the other hand, is a new concept to many of them and is also being explored upon.
All Flash based storage is a common data storage architecture that has been invested on.
Business continuity and disaster recovery are two common regulatory compliances that have been adopted by organisations for their mission-critical applications.
Key Takeaways
Culture and mind-set were some of the key takeaways of the session. There was an understanding that there needs to be a huge change in how every organisation, especially top-down management, has to think about the technology risks that are posed with the huge volumes of moving data.
The following were highlighted as 3 major points for ensuring data governance:
- Include Data Protection as a critical element of Data Governance
- Very precise and clear Data Classification
- Hybrid Cloud is for all if the two above are done well. Keep data on-prem first while identifying the front ends that can be consumed from the cloud models available
Data Classification was also identified as one of the major challenges that many business units face.
Unfortunately, the traditional methods will not help them until organisations index the unstructured data and enable AI & Deep Learning for better data management and governance.
Organisational efforts for data classification, governance, and management will simply collapse if organisations do not have sophisticated data protection technologies & security (be it Cyber or Physical Security) and process.
It is always important to have a Plan B for data protection and recovery, such as having a minimum of 2 Backup Software technologies to mitigate the risks.