SHARE/GUIDE RMiT Week: Tech Risk
What is technology risk and what is cyber risk? The Risk Management in Technology (RMiT) policy document is all about addressing financial organisations’ increasing use of technology and the risks associated with it.
But it would be incomplete without a clear understanding of these two types of risk, and what each of them entails.
Maybank’s Head of Technology Risk & Compliance, Devinder Singh, talked about the difference between the two and the challenges of segregating them during SHARE/GUIDE’s RMiT Week in early August.
Speaking during the technology risk portion of the 3-day virtual conference, Devinder described the bank’s implementation of the RMiT policy document.
As the bank looked at tools, processes and people capabilities to support the organisation on its RMiT journey, it also began to explore the opportunities in cloud technologies.
Devinder said, “Now we knew, prior to RMiT being finalised, cloud offerings were most often not easily received during engagements with the regulator.”
Explanations would be offered to address the regulator’s concerns, for example the controls the bank would emphasise with the cloud provider, the steps taken to ensure no sensitive information was sent up to the cloud, and so on.
Piecemeal efforts did little to mitigate resistance, but over time and with multiple engagements with the financial industry, results started to emerge.
By the time the RMiT was announced, these efforts had developed a level of receptiveness on the part of the regulator, given that the policy document now includes considerations for cloud technologies and cloud service providers.
“They are evolving together with how the market and technology are evolving as well, of course without compromising the safety of both customers and financial institutions.”
How do you draw the line between technology risk and cyber risk, so that the right approach may be employed for each?
Devinder explained that the two terms refer to risk arriving through two different channels.
The cyber channel is digital or electronic in form, while the technology channel has a physical presence, from something as small as a USB thumb drive all the way up to a data centre building.
However, as technology evolves and organisations rely more heavily on technology to increase their cyber presence, the boundaries of both channels start to overlap, complicating the process of drawing a clear line between the two.
“In order to position the right context for ease of reporting and setting risk expectations, first we have to identify what falls under the purview of cyber risk,” he said. A few examples of cyber risk include malware, phishing, zero-day exploits and so on.
Examples of technology risk include access management risk, data centre risk, infrastructure components related risk and more.
This is where the two types of risk are segregated, as far as possible, even though fundamentally both channels are integrated and are equally important to an organisation in achieving protection of the organisation, its assets and its information.
When processes and controls are examined, they can often be shared across both channels.
However, RMiT mentions separate frameworks for cyber risk and technology risk. Here is where Devinder shines a light on a potentially knotty problem.
When one particular technology is used to offer one particular cyber service, do we say this technology falls under the ambit of cyber risk?
Some will say yes, and others will say no, because the same technology can serve both traditional server and PC-client applications (a technology risk) and a fully digital offering such as an app (a cyber risk).
“This is where a lot of internal discussion needs to happen before we can actually establish a right technology risk framework, as well as a cyber risk framework,” Devinder pointed out.
Slice and dice – breaking it down to get different viewpoints
Devinder opined that RMiT requires banks to clearly segregate cyber risk from technology risk. “It won’t be easy, but banks have to start looking at how to slice and dice between both risks. Hence, the two separate frameworks.”
He observed that achieving this segregation would make everything that follows easier.
This online webinar session on technology risk was organised by Malaysia’s IT user association, SHARE/GUIDE, as part of its RMiT Week, in which speakers and panellists drawn from its own membership shared their experience, knowledge, products and services relating to RMiT with fellow members.