BOJ: Buck stops with bank boards in managing cyber risk
Noting that cyberthreats and incidents in the financial sector in Jamaica pose a serious hazard to financial stability, the Bank of Jamaica, BOJ, has issued a new consultation paper with guidelines indicating that the buck stops with the boards of banking institutions in relation to the containment of the risk.
The proposed guidelines on the ‘Management of Cyber Risks’ have been posted online by the BOJ for feedback that might be used to refine the document. They guidelines are intended to establish minimum standards on the management of cyber risk for banking licensees and will become binding once finalised.
The draft puts the onus on boards of directors for establishing the banking or deposit-taking institution’s cyber risk tolerance and overseeing the implementation of cyber risk management strategies, policies, procedures and controls that support the continuity of critical operations and core business lines.
Currently, bank fraud is an $800-million problem or thereabouts.
The management of the risks is expected to take into account interconnected factors associated with third-party dependencies, such as supply chain, procurement and outsourcing.
Cyber scams exploit vulnerabilities in offline point-of-sale transactions, credit card refunds, and customer personal information.
Proportionally, the size of the fraud is relatively small, but BOJ wants the banks to remain alert to dangers, in order to stave off seismic events. It wants board members to have adequate access to cybersecurity expertise, whether internal or external, and for discussions about cyber risk management to be given adequate time on the board’s meeting agenda.
Deputy Governor Jide Lewis reaffirmed on Monday that the BOJ was working with banks to ensure they have robust systems in place to manage cyber threats.
“We have also been speaking about corporate governance so that they know the buck stops with them,” said Lewis.
Still, he also noted that while the incidents are concerning, the fraud reported is relatively small compared to the size of the banking system.
“It is still quite small: banking is $3.5 trillion; fraud is between $500 million and $1 billion,” he said.
“This is a large amount for individuals, but is about $100 million on average for institutions,” the deputy governor added.
The central bank already conducts risk-based examinations of DTI licensees, each of which is expected to put an effective framework in place to manage the cyber risk exposures inherent in their operations, which could also result in significant financial loss, legal liabilities and reputational damage.
“It is important for deposit-taking institutions to understand and manage their cyber risk to protect their assets, operations and information entrusted to them by customers and stakeholders. This is to build trust and confidence, which are two of the most important attributes of a financial sector,” said BOJ.
“Cyberattacks are becoming more frequent, and they continue to evolve in terms of their complexity and sophistication. A successful cyberattack could have a debilitating impact on a DTI, which could cause a significant financial or operational impact on a financial institution.”
Cyberthreats include hacking, malware, phishing, and other types of cyberattacks; while cybersecurity refers to the systems, technologies, processes, governing policies and human activity that an organisation uses to safeguard its digital assets.
It’s the board’s responsibility to ensure that the cyber risk management plan not only includes a viable information technology operation, but also covers people, processes, data and facilities, the BOJ paper noted.
“The board must have full oversight of the institution’s framework for managing cyber risks. The board, individually and collectively, must understand the seriousness of the cyberthreat environment. It should ensure that it collectively possesses the appropriate balance of skills, knowledge and experience to understand and assess the cyber risks facing the DTI,” the central bank said.
“The board must have an ongoing programme to assess any gaps in the knowledge and expertise of the board and management, and to implement initiatives to address these gaps.”