Taking centre-stage at most digital businesses today is the issue of cyber and information security, which is increasingly becoming a subject of interest with far-reaching implications to various industries, such as healthcare, manufacturing and financial services among others. Undoubtedly, no digital business is immune to cyber-attacks.
Therefore, in response to the rising sophisticated cyber threats and attacks within financial services industries in particular, regulatory authorities around the world are implementing control measures through the issuance of guidelines and directives to combat the menace, minimise the impact and ensure safe, sound and secure cyber environments. In spite of comprehensive guidelines and governance structures implementation, some organisations are still susceptible to cyber-attacks due to compliance failures, challenges and gaps.
Highly-regulated industries like banking and other financial services industries face many security and compliance challenges, especially with monitoring and behavioural changes within cyberspace. These challenges are even more evident in businesses that have international affiliations. The reason is simple – a global business may be required to comply with directives of different regulatory authorities from multiple jurisdictions.
In addressing the challenges with respect to the globalisation and cross-border nature of cybercrime, countries across the continents of the world should be collaborating in order to have a good alignment of regulatory frameworks. This notwithstanding, it is important to note that the reinforcement of any organisation’s cyber resilience begins with compliance.
Regulatory directives and compliance in relation to cyber and information security helps organisations to improve and strengthen their security postures. This has become extremely important within the banking industry, because leaving the responsibility entirely for individual banks to set their own security controls may pose serious risks to the industry. Non-compliant banks and banking institutions, with less-robust cyber security, may serve as weak links in the cyber security chain; thereby exposing the other banks to various security threats.
Cyber and information security policies therefore place many demands and responsibilities on businesses to proactively establish the necessary structures, measures and internal processes, so as to adhere to the rules and protect the most valuable business assets and critical infrastructure from the ever-growing cyber risks. It however takes people, technology, processes and financial resources, among others, to comply with cyber and information security directives. Furthermore, the financial resource allocation decisions may be lengthy and time-consuming, posing the risk of cyber-attackers leapfrogging ahead of the regulatory directives even before countermeasures are put in place.
As long as cyber threats and risks are emerging faster than the mitigating rules, regulatory policies may become outdated, inadequate and ineffective with time. Therefore, the formulation of cyber and information security strategies and operating frameworks needs to remain a dynamic process. It is worth bearing in mind that cyber-attackers are not bothered about regulatory directives; as such, neither are they perturbed about how frequently the directives are reviewed and revised. What’s really important is strict enforcement of the directives and effective supervision by supervisory authorities to ensure regulatory compliance and reporting by the various industry participants.
It is a standard practice, however, for policymakers to employ punitive measures to deter non-compliance through the declaration and subjection of regulatory violations to specific penal actions. In order to avoid steep fines, penalties and sanctions, most banks are under immense pressure to comply specifically with cyber and information security regulatory directives. In spite of the regulatory pressures on today’s banking institutions, the need for cooperation between regulatory authorities and the banking institutions has become more important than ever.
This is largely attributable to the substantial cost and consequences associated with non-compliance. It is however a misconception to think of compliance and security as equal. The reality is that it is possible to comply with a regulatory requirement and overlook risk management. Thus, some banks – in an attempt to fulfil regulatory compliance requirements – tend to adopt the ‘checkbox compliance’ mentality by simply working toward the minimum compliance required to avoid sanctions, without paying attention to other risks outside the regulatory framework.
This is possibly the reason why some institutions which successfully passed security compliance audits are still vulnerable to security breaches. Therefore, to thrive in the digital future, institutions need to view their corporate strategies through the lens of cyber and information security regulatory frameworks and ethical culture. Without delving into the general philosophical distinction between ethics (relativism) and morals (emotivism), if there is any lesson to be drawn from this principle, then that lesson should be the quest to achieve security regulatory compliance with effective risk management, core values and ethical principles in which businesses need to:
- Embrace process automations to effectively respond to threats and to minimise errors
- Train and empower employees to be aware of their security responsibilities
- Follow organisational policies and procedures in line with business objectives so as to promote a culture of prevention, detection and responsiveness.
- Be ethically responsible for safeguarding the interest of customers and other stakeholders through continuous and sound risk management.
The ethical grounding of regulatory and supervisory frameworks which are largely prescriptive in nature brings to the fore the balance between principles and rules in doing the right things and in preventing attacks within cyberspace.
Ethics and compliance, in general, complement each other, and the failure of businesses to employ both, with particular reference to cyber and information security, could result in huge cost from security breaches. Cyber insurance, though vital in protecting businesses against these potential losses, is perhaps not the answer – but absolute vigilance from regulators, banks and their customers is crucial. To this end, modern businesses may consider the following points in addressing their cyber-threat landscapes and improving their cyber security vigilance:
- Though financial institutions need to involve all levels of the organisation – strategic, tactical and operational levels – in complying with security directives, the board of directors needs to take keen interest in cyber security, since the ultimate and pivotal responsibility rests with them.
- Regulatory compliance is the absolute minimum requirement to ensure good cyber hygiene. This suggests a need to consider the ethical elements in proactively adopting best practices to promote efficiency and preserve stakeholder confidence and trust.
- Achieving compliance in a regulatory framework is a continuous process that requires adequate planning and investment. Though it can be costly, compliance is far better and less expensive than suffering security violations and breaches.
It must also be noted that regulatory compliance directives in general vary from one country to another. With specific regard to the Ghanaian financial services industry, the cyber and information security directives issued by the Bank of Ghana are timely and serve as an appropriate regulatory compliance initiative with a strong ethics component to the increasing cyber-fraud incidents and a digital future. It stands to reason, then, that with the enforcement of these directives, cyber security compliance is no longer a choice but mandatory for all institutions within the financial services industry in Ghana.
Having established this discussion on the inextricable link between compliance and ethics, it is advisable for banks to strengthen their security compliance by translating ethical principles into professional and permissible behaviours, and properly incorporating them into systems to function at the very root of digital services.
The combination of a strong corporate culture of ethics and security compliance creates a business value of reinforcing customers’ trust. Trust, which is a critical business relationship element in organisations, can be promoted through the principles of data integrity and privacy; hence the need to consider these ethical principles in the design and development of digital transformation initiatives.
Finally, it is essential to understand that an industry is as strong as its weakest segment. Therefore, in order to protect cyberspace from threats of cyber-crimes, avoid any serious escalation of cyber risks and preserve trust and confidence within banking systems and economies as a whole, it is critically important for regulatory and oversight institutions to firmly exercise oversight of security policies, and closely monitor and promote compliance through consistent education, persuasion and other available regulatory strategies. On the other hand, regulated parties need to become more responsive and drive effective and resilient security culture through policy execution within an ethical corporate environment – while shifting the conversation beyond compliance toward digital ethics.
The writer is an ICT Management Professional
Disclaimer: The opinions expressed in this article are the writer’s own and do not reflect the view of any organisation(s) the writer may be affiliated to.