Brilliant case from my current cyber risk management course

Cyber Risk Assessment at Safe Bank

Context

Safe Bank is a systemically important financial institution in Paradise[1]. In the last two years, Safe Bank has exhibited significant growth in its customer base. As a private sector bank, it has invested heavily in its technology and infrastructure and was one of the pioneers in digital banking, which drove the growth of its customer base. The Board and senior management feel that its information technology and information security functions are well run and resourced. The Board has praised the bank’s performance, and the market capitalization of the bank is the largest among all the private banks. This has led the Board to decide to expand its services across the surrounding countries in the region, with a strategic decision to increase the number of branches and its IT operations. However, after a series of cyber security incidents, the banking supervisory authority of Paradise has asked the Board for a comprehensive cyber risk assessment.

Lea is an expert at Safe Bank and was assigned to plan and run the project.

The IT at Safe Bank

Five years ago, Safe Bank implemented a heavily customized modular core banking system called TetraFlex, based on a commercially available solution. TetraFlex handles a comprehensive range of retail and wholesale banking products, but many new products have been implemented in standalone applications because of the difficulties encountered with TetraFlex development. These standalone applications are connected to TetraFlex to access and update client information and to post to the general ledger, using a variety of interfacing methods.

TetraFlex has a real-time interface via middleware to InterSafe, the digital banking system that is fueling the recent growth of the customer base thanks to its comprehensive functionality and ease of use. The mobile banking app, which is a component of InterSafe, turned out to be particularly popular after a rushed implementation project fixed the annoying limitations of its predecessor. However, intermittent availability problems keep occurring. A security audit of InterSafe had been planned for last year but the CFO did not approve the budget extension.

New functionality has been added to TetraFlex regularly. The latest addition is a Private Banking module, the development of which saw repeated budget overruns and missed deadlines, resulting in Safe Bank losing market share in the dynamically growing private banking business. The CIO resigned last year amid turmoil in the IT Directorate caused by the troubled project and frustration over insufficient capacity to address operational challenges. The Head of IT Development is the acting CIO now. A search is underway to find a suitable CIO candidate.

The IT Directorate consists of 210 people and is split into IT Operations and IT Development departments, both having several divisions dedicated to specific operational and development tasks respectively. The IT Security Division, comprising 5 experts, is placed in the IT Operations Department, with the division head reporting to the Head of IT Operations.

The main data center of Safe Bank is a state-of-the-art facility that is approaching full capacity and thus considered an excellent investment by the CFO, who is very focused on the efficient use of assets. The backup data center is 2 miles away near the riverbank and has less physical space. The data centers are connected via a high-speed wide area network (WAN) link and TetraFlex runs in a fully redundant and load-balanced configuration. On a typical day, it runs at 90% of the total processing capacity of its servers. This is another great result of the focus on efficient use of assets, as the CFO has pointed out to the acting CIO in a recent meeting about next year’s IT budget plan.

The Information Asset Inventory was updated 5 months ago. At that time, 213 applications, 83 servers, 3550 workstations and 420 networking devices were registered.

There is a Business Continuity and Disaster Recovery Plan (BCP/DRP) in place, which was updated 9 months ago and is tested every year. The last test was done 3 months ago in the form of a tabletop exercise as usual and covered InterSafe recovery assuming a failure in the middleware. The test scenario was discussed and approved at the IT Steering Committee well ahead of the test and the results were discussed in the last meeting of the committee. According to the recollection of the Head of IT Operations, some recovery time objectives regarding the replacement of defective hardware proved to be unrealistic. The previous two tests were based on scenarios about the unavailability of a critical third-party service and a failure in the WAN, respectively. Written test debriefs are not available.

The Internal Audit (IA) department employs ten auditors, including one junior IT auditor who has just obtained her CISA certification. The department focuses on business process controls and works according to a yearly plan approved by the Audit Committee of the Board, to which the function reports. There is a slight delay in execution because the Chairman of the Board objected to the scope and the increase of the budget for third-party audits, which had to be sorted out before approval.

The risk management function of the bank has historically focused on credit and market risk, but its strategy includes strengthening operational risk management by collecting relevant loss data beginning next year.

__________________________________________________

[1] Paradise is a fictional country with pleasant weather year-round.

More articles by Sam Shabad, CISSP, CCSP, AWS SAA, FBCS