Risk Assessment of E


  • 8/7/2019 Risk Assessment of E


    Risk Assessment of E-Banking

    Sunday, November 23, 2008, 15:20 | Disaster Recovery


    Executive Summary

    Electronic banking has grown at a speed that no one expected; the industry's growth has been remarkable in a short span of time. E-Banking offers a number of services and products that were unpredictable during the manual banking era, when banks had limited boundaries and a source of competitive advantage was very difficult to obtain. Manpower was the only weapon for gaining an advantage.

    The benefits of E-Banking cannot be denied, but on the other hand the risks are on the high side. Banks need to keep a balance of benefits versus risk. The marketed offerings attract a huge customer base, but to retain those customers banks need to do a lot of homework.

    The risks related to E-banking are categorized to define them more specifically, in order to develop a risk mitigation strategy. Customers are reached both nationally and internationally, and banks have to look beyond national boundaries to resolve their customers' problems. The open and closed networks of E-banking increase the complexity: closed channels include all the delivery channels offered by the bank, whereas open networks such as the Internet are subject to security and reputational risk.

    The risks related to E-banking need to be identified, managed and controlled. Rules and regulations should be defined by the central authority and shared with all banking organizations in order to reduce the level of risk. Risk can be measured both quantitatively and qualitatively.

    Risk management cannot be the same for every bank, and it is very difficult to apply the same rules to every banking organization, because change in technology is unpredictable and the size and infrastructure of the bank matter. This report discusses a risk management strategy based on some basic characteristics of E-Banking.

    In many ways, e-banking is not unlike traditional payment, inquiry, and information processing systems, differing only in that it utilizes a different delivery channel. Any decision to adopt e-banking is normally influenced by a number of factors. These include customer service enhancement and competitive costs, all of which motivate banks to assess their electronic commerce strategies. The benefits of e-banking are widely known and will only be summarized briefly in this document.

    E-banking can improve a bank's efficiency and competitiveness, so that existing and potential customers can benefit from a greater degree of convenience in effecting transactions. This increased level of convenience offered by the bank, when combined with new services, can expand the bank's target customers beyond those in traditional markets. Consequently, financial institutions are becoming more aggressive in adopting electronic banking capabilities that include sophisticated marketing systems, remote-banking capabilities, and stored value programs. Internationally, familiar examples include telephone banking, automated teller networks, and automated clearinghouse systems. Such technological advances have brought greater sophistication to all users, commercial and the man in the street.

    A bank may be faced with different levels of risks and expectations arising from electronic banking as opposed to traditional banking. Furthermore, customers who rely on e-banking services may have greater intolerance for a system that is unreliable or one that does not provide accurate and current information. Clearly, the longevity of E-banking depends on its accuracy, reliability and accountability. The challenge for many banks is to ensure that savings from the electronic banking technology more than offset the costs.

    Scope:

    This report discusses the types of risk associated with E-banking, methods to assess the risk, and finally management of risk with respect to BCP/DR.

    [Figure: Console of General Electric's commercial ERMA.]

    In 1950, the Bank of America (then the largest bank in the world) asked SRI to assess the possibility of developing electronic computers that could take over the labor-intensive banking tasks of handling checks and balancing accounts. The creation of branch offices and the rapidly increasing number of checks being used by a growing clientele threatened to overwhelm the existing manual processing and record keeping. At that time, no large-scale electronic machine for any bank was under development; existing computers were used mostly for scientific calculations. They were unreliable, and had extremely limited input and output capability. In spite of this, SRI's feasibility study, issued in May 1951, was sufficiently encouraging for the Bank of America to authorize a major multi-year development effort.

    We now take for granted the many ways that computers assist individuals and businesses. The 50-plus-year-old project briefly described here provided a vision of what business could expect from the application of data-processing machines, and illustrates how and why some of the key capabilities were invented, including bookkeeping, optical character recognition (OCR or scanning), and robotic document sorting. The automated teller machine (ATM) is the natural descendant of this work, and illustrates the progression away from paper checks toward all-electronic banking.

    E-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels. E-banking includes the systems that enable financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet. Customers access e-banking services using an intelligent electronic device, such as a personal computer (PC), personal digital assistant (PDA), automated teller machine (ATM), kiosk, or Touch Tone telephone. While the risks and controls are similar for the various e-banking access channels, this report focuses specifically on Internet-based services due to the Internet's widely accessible public network.

    Accordingly, this report begins with a discussion of the two primary types of Internet websites: informational and transactional.

    Impact of e-banking on traditional services:

    Before talking about the issues of risks and responses to E-banking, we would like to spend a little time considering the wider question of what the e-banking revolution might mean for the future. We take "E" to mean anything electronic, whether it be Internet, television, telephone or all three.

    One of the issues currently being addressed is the impact of e-banking on traditional banking players. After all, if there are risks inherent in going into e-banking, there are other risks in not doing so. It is too early to have a firm view on this yet. Even to practitioners the future of e-banking and its implications are unclear. It might be convenient nevertheless to outline briefly two views that are prevalent in the market.

    The view that the Internet is a revolution that will sweep away the old order holds much sway. Arguments in favor are as follows:

    E-banking transactions are much cheaper than branch or even phone transactions. This could turn yesterday's competitive advantage, a large branch network, into a comparative disadvantage, allowing e-banks to undercut bricks-and-mortar banks. This is commonly known as the "beached dinosaur" theory.


    E-banks are easy to set up, so lots of new entrants will arrive. Old-world systems, cultures and structures will not encumber these new entrants. Instead, they will be adaptable and responsive.

    E-banking gives consumers much more choice. Consumers will be less inclined to remain loyal.

    E-banking will lead to an erosion of the "endowment effect" currently enjoyed by the major UK banks. Deposits will go elsewhere, with the consequence that these banks will have to fight to regain and retain their customer base. This will increase their cost of funds, possibly making their business less viable. Lost revenue may even result in these banks taking more risks to breach the gap.

    Portal providers are likely to attract the most significant share of banking profits. Indeed banks could become glorified marriage brokers. They would simply bring two parties together, e.g. buyer and seller, payer and payee.

    The products will be provided by monolines, experts in their field. Traditional banks may simply be left with payment and settlement business; even this could be cast into doubt.

    Traditional banks will find it difficult to evolve. Not only will they be unable to make acquisitions for cash as opposed to being able to offer shares, they will be unable to obtain additional capital from the stock market. This is in contrast to the situation for Internet firms, for whom it seems relatively easy to attract investment.

    There is of course another view which sees e-banking more as an evolution than a revolution.

    E-banking is just banking offered via a new delivery channel. It simply gives consumers another service (just as ATMs did).

    Like ATMs, e-banking will impact on the nature of branches but will not remove their value.

    Experience in Scandinavia (arguably the most advanced e-banking area in the world) appears to confirm that the future is "clicks and mortar" banking. Customers want full service banking via a number of delivery channels. The future is therefore "Martini Banking" (any time, any place, anywhere, anyhow).

    Traditional banks are starting to fight back.

    The start-up costs of an e-bank are high. Establishing a trusted brand is very costly as it requires significant advertising expenditure in addition to the purchase of expensive technology (as security and privacy are key to gaining customer approval).

    E-banks have already found that retail banking only becomes profitable once a large critical mass is achieved. Consequently many e-banks are limiting themselves to providing a tailored service to the better off.


    Nobody really knows which of these versions will triumph. This is something that the market will determine. However, supervisors will need to pay close attention to the impact of e-banks on the traditional banks, for example by surveillance of:

    Electronic banking Delivery Channels:

    E-Banking transactions need some interface to communicate with the banking customer. All electronic transactions are performed through some interface. The electronic devices which interact with customers and communicate with other banking systems are called electronic banking delivery channels.

    The following are the electronic banking delivery channels.

    ATM:

    An automated teller machine (ATM) is a computerized telecommunications device that provides the customers of a financial institution with access to financial transactions in a public space without the need for a human clerk or bank teller. On most modern ATMs, the customer is identified by inserting a plastic ATM card with a magnetic stripe or a plastic smartcard with a chip, that contains a unique card number and some security information, such as an expiration date or CVC (CVV). Security is provided by the customer entering a personal identification number (PIN).

    Using an ATM, customers can access their bank accounts in order to make cash withdrawals (or credit card cash advances) and check their account balances, as well as purchasing mobile cell phone prepaid credit. ATMs are known by various other names including automated banking machine, money machine, bank machine, cash machine, hole-in-the-wall, cash point.

    IVR (Interactive Voice Response):

    Interactive voice response is the E-Banking delivery channel used for transactions over the telecom infrastructure. The user dials the number and selects options by key press, and the operator responds to every key press. The customer identifies himself by providing his NIC and TPIN.

    CDM (Cash Deposit Machine):

    A cash deposit machine is the electronic machine used to deposit cash or checks. The CDM scans the cash or check and deposits the amount in the account number provided by the customer.

    POS (Point of Sale):

    Point of sale is a device used for retail transactions; the customer performs a transaction by swiping the card on the POS machine. Most customers use a debit or credit card for purchase transactions. Different payment gateways, such as VISA, Master etc., offer their services to banks.

    Risk:


    A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.

    Types of E-Banking Risks:

    The risks associated with E-Banking are the following.

    Strategic Risk

    Business Risk

    Operational Risk

    Security Risk

    Reputational Risk

    Legal Risk

    Strategic Risk:

    On strategic risk: E-banking is relatively new and, as a result, there can be a lack of understanding among senior management about its potential and implications. People with technological, but not banking, skills can end up driving the initiatives. E-initiatives can spring up in an incoherent and piecemeal manner in firms. They can be expensive and can fail to recoup their cost. Furthermore, they are often positioned as loss leaders (to capture market share), but may not attract the types of customers that banks want or expect and may have unexpected implications on existing business lines.

    Business risks:

    Business risks are also significant. Given the newness of e-banking, nobody knows much about whether e-banking customers will have different characteristics from the traditional banking customers. They may well have different characteristics, e.g. "I want it all and I want it now". This could render existing score card models inappropriate, thus resulting in either higher rejection rates or inappropriate pricing to cover the risk. Banks may not be able to assess credit quality at a distance as effectively as they do in face to face circumstances. It could be more difficult to assess the nature and quality of collateral offered at a distance, especially if it is located in an area the bank is unfamiliar with (particularly if this is overseas). Furthermore, as it is difficult to predict customer volumes and the stickiness of e-deposits (things which could lead either to rapid flows in or out of the bank), it could be very difficult to manage liquidity. Of course, these are old risks with which banks and supervisors have considerable experience, but they need to be watchful of old risks in new guises. In particular, risk models and even processes designed for traditional banking may not be appropriate.

    Banks face three main types of operations risk:

    Volume forecasts,

    Management information systems, and

    Outsourcing.

    Accurate volume forecasts have proved difficult. One of the key challenges encountered by banks in the Internet environment is how to predict and manage the volume of customers that they will obtain. Many banks going on-line have significantly misjudged volumes. When a bank has inadequate systems to cope with demand it may suffer reputational and financial damage, and even compromises in security if extra systems that are inadequately configured or tested are brought on-line to deal with the capacity problems.

    As a way of addressing this risk, banks should:

    undertake market research,

    adopt systems with adequate capacity and scalability,

    undertake proportionate advertising campaigns, and

    ensure that they have adequate staff coverage and develop a suitable business continuity plan.

    In brief, this is a new area, nobody knows all the answers, and banks need to exercise particular caution.

    The second type of operations risk concerns management information systems. Again this is not unique to E-banking. I have seen many banks venture into new areas without having addressed management information issues. Banks may have difficulties in obtaining adequate management information to monitor their e-service, as it can be difficult to establish/configure new systems to ensure that sufficient, meaningful and clear information is generated. Such information is particularly important in a new field like e-banking. Banks are being encouraged by the FSA to ensure that management have all the information that they require in a format that they understand and that does not cloud the key information with superfluous details.

    Finally, a significant number of banks offering e-banking services outsource related business functions, e.g. security, either for reasons of cost reduction or, as is often the case in this field, because they do not have the relevant expertise in-house. Outsourcing a significant function can create material risks by potentially reducing a bank's control over that function.

    Security Risk:

    Security issues are a major source of concern for everyone both inside and outside the banking industry. E-banking increases security risks, potentially exposing hitherto isolated systems to open and risky environments. Both the FSA and banks need to be proactive in monitoring and managing the security threat.


    Security breaches essentially fall into three categories: breaches with serious criminal intent (e.g. fraud, theft of commercially sensitive or financial information), breaches by "casual hackers" (e.g. defacement of web sites or "denial of service", causing web sites to crash), and flaws in systems design and/or set up leading to security breaches (e.g. genuine users seeing / being able to transact on other users' accounts). All of these threats have potentially serious financial, legal and reputational implications.

    Many banks are finding that their systems are being probed for weaknesses hundreds of times a day, but damage/losses arising from security breaches have so far tended to be minor. However, some banks could develop more sensitive "burglar alarms", so that they are better aware of the nature and frequency of unsuccessful attempts to break into their system.

    The most sensitive computer systems, such as those used for high value payments or those storing highly confidential information, tend to be the most comprehensively secured. One could therefore infer that the greater the potential loss to a bank the less likely it is to occur, and in general this is the case. However, while banks tend to have reasonable perimeter security, there is sometimes insufficient segregation between internal systems and poor internal security. It may be that someone could breach the lighter security around a low value system, e.g. a bank's retail web site, and gain entry to a high value system via the bank's internal network. We are encouraging banks to look at the firewalls between their different systems to ensure adequate damage limitation should an external breach occur. As ever though, the greatest threat so far has been from the enemy within, i.e. your own employees, contractors and so on.
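
    One way to run the segregation check described above, as an added example that is not part of the original report: model the allow rules between network zones as a directed graph and list every chain of rules leading from a low value zone to a high value one. The zone names, services and both rule sets are constructed, and the model assumes that a breached zone can use any rule that starts in it.

```python
"""Segmentation audit: can a breached low-value zone reach a high-value one?"""
from collections import deque

# Constructed policies: (source zone, destination zone, service) allow rules.
# All zone and service names are hypothetical.
FLAT_POLICY = [
    ("internet", "retail_web", "https"),
    ("retail_web", "app_tier", "https"),
    ("app_tier", "customer_db", "sql"),
    ("retail_web", "office_lan", "any"),   # leftover administration rule
    ("office_lan", "payments", "any"),     # staff network reaches payments
]
SEGMENTED_POLICY = [
    ("internet", "retail_web", "https"),
    ("retail_web", "app_tier", "https"),
    ("app_tier", "customer_db", "sql"),
    ("office_lan", "jump_host", "ssh"),
    ("jump_host", "payments", "ssh"),
]
HIGH_VALUE = {"payments"}


def build_graph(policy):
    """Index allow rules by source zone."""
    graph = {}
    for src, dst, service in policy:
        graph.setdefault(src, []).append((dst, service))
    return graph


def shortest_path(policy, start, target):
    """Return the shortest chain of rules from start to target, or None."""
    graph = build_graph(policy)
    came_from = {start: None}          # zone -> rule that first reached it
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while came_from[zone] is not None:
                rule = came_from[zone]
                path.append(rule)
                zone = rule[0]         # step back to the rule's source zone
            return path[::-1]
        for dst, service in graph.get(zone, []):
            if dst not in came_from:
                came_from[dst] = (zone, dst, service)
                queue.append(dst)
    return None


def blast_radius(policy, breached):
    """Every zone reachable from a breached zone through allowed flows."""
    graph = build_graph(policy)
    seen, queue = {breached}, deque([breached])
    while queue:
        for dst, _service in graph.get(queue.popleft(), []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {breached}


def audit(policy, entry, high_value):
    """Map each high-value zone reachable from entry to the rules that allow it."""
    findings = {}
    for target in sorted(high_value):
        path = shortest_path(policy, entry, target)
        if path:
            findings[target] = path
    return findings


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "blast radius:", sorted(blast_radius(policy, "retail_web")))
        for target, path in audit(policy, "retail_web", HIGH_VALUE).items():
            hops = " -> ".join(f"{s}>{d} ({svc})" for s, d, svc in path)
            print(f"  FINDING {target}: {hops}")
```

    Each finding names the exact rules to tighten; an empty result for the segmented rule set means a breach of the retail web zone is contained to the zones it legitimately serves.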

    It is easy to overemphasize the security risks in e-banking. It must be remembered that the Internet could remove some errors introduced by manual processing (by increasing the degree of straight through processing from the customer through banks' systems). This reduces risks to the integrity of transaction data (although the risk of customers incorrectly inputting data remains). As e-banking advances, focusing general attention on security risks, there could be large security gains.

    Reputational Risks:

    Finally, with regard to risks, I would mention reputational risk. This is considerably heightened for banks using the Internet. For example the Internet allows for the rapid dissemination of information, which means that any incident, either good or bad, is common knowledge within a short space of time. Internet rumors can easily become self-fulfilling prophecies. The speed of the Internet considerably cuts the optimal response times for both banks and regulators to any incident. Banks must ensure their crisis management, particularly PR, processes are able to cope with Internet related incidents (whether they be real or hoaxes).

    Any problems encountered by one firm in this new environment may affect the business of another, as it may affect confidence in the Internet as a whole. There is therefore a risk that one rogue e-bank could cause significant problems for all banks providing services via the Internet. This is a new type of systemic risk and is causing concern to e-banking providers. Overall, the Internet puts an emphasis on reputation risks. Never before has the bank's "shop window" (i.e. its site) been so important.


    One last reputational risk will be familiar to us all. That is whether the products being sold over the net are being marketed in such a way that the bank will be protected against future charges of mis-selling. As in the physical, so in the virtual world. Banks need to be sure that customers' rights and information needs are adequately safeguarded and provided for.

    Legal Risk:

    Legal risk arises when the bank does not follow the rules and regulations for E-banking. It mainly arises for virtual banks, when E-banking services are offered without complying with the rules and regulations of other countries.

    Risk Assessment:

    Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

    Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

    To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment methodology encompasses nine primary steps, which are briefly defined in the following part.

    System Characterization:

    In assessing risks for an IT system, the first step is to define the scope of the effort. Generally we categorize it into two main components, i.e. IT systems and operating environment. In the IT system we usually look into hardware, software, system connectivity, and the responsible division or support personnel, whereas in the operating environment we look into functional and technical requirements, security policies, and the level of protection for data and network topologies.

    Threat Identification:

    The goal of this step is to identify the potential threat-sources and compile a threat statement listing potential threat-sources that are applicable to the IT system being evaluated. Because of these threats, the potential vulnerabilities that the system contains are also delineated, so that possible remedies for existing controls can be taken into account.

    Vulnerability Identification:


    The target of this identification is to develop a checklist of all the vulnerabilities that different threat-sources may exploit. Recommended methods for identifying system vulnerabilities are the use of vulnerability sources, the performance of system security testing, and the development of a security requirements checklist.

    Control Analysis:

    The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat's exercising a system vulnerability.

    Likelihood Determination:

    This step derives an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment.

    Impact Analysis:

    The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following information:

    System mission (e.g., the processes performed by the IT system)

    System and data criticality (e.g., the system's value or importance to an organization)

    System and data sensitivity.

    Risk Determination:

    The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of:

    The likelihood of a given threat-source's attempting to exercise a given vulnerability

    The magnitude of the impact should a threat-source successfully exercise the vulnerability

    The adequacy of planned or existing security controls for reducing or eliminating risk.

    Control Recommendations:

    During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level.

    Results Documentation:


    Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.

    Case Study of ABC Bank:

    In the light of the above steps, we begin our study with one of the private banks of our country. Let's call it ABC Bank. Since our topic is concerned with risk management with respect to BCP and DR, our course from here onwards will be confined to the aforementioned definitions of common E-banking services, i.e. ATM, POS, Internet Banking and IVR.


    Threats Identification:

    Generally the hardware used for such services is very up to date and kept in a secure area, usually called a data center. Living in a world of humans, there is always a possibility of overlooking a few threats due to lack of business policy planning or incompetence of the people involved in IT security. The following figure gives an idea of threat sources, their motivation and the actions taken on the basis of these threats.

    The threat statement, or the list of potential threat-sources, should be tailored to the individual organization and its processing environment. In general, information on natural threats (e.g., floods, earthquakes, storms) should be readily available. Known threats have been identified by many government and private sector organizations. Intrusion detection tools also are becoming more prevalent, and government and industry organizations continually collect data on security events, thereby improving the ability to realistically assess threats. Sources of information include, but are not limited to, the following:

    Intelligence agencies (for example, the Federal Investigation Authority)

    Mass media, particularly Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org.

    Vulnerability Identifications:

    The following chart explains the vulnerabilities that may exist in e-banking services.

    Likelihood Determination:

    Since the bank is dealing with financial transactions, the likelihood for internet banking will be rated as high, whereas in the case of ATM card theft or loss the level will be medium, because there is a backup for it in the form of the cheque book. If there is any natural disaster the bank can go manual (i.e. transactions can be maintained through paper registers).

    Impact analysis:

    The impact for the aforementioned threats and vulnerabilities can be of a higher level, because if the bank does not have proper data on its customers there is no authenticity. The integrity of the data, which one rates high, is sacrificed. No integrity means zero confidentiality. Because of this the business and reputation of the bank suffer a lot and the bank will lose its deposits. Losing deposits means a decrease in profitability.
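
    The case study stops before the risk determination step; the added example below (not part of the original report) carries its ratings through that step and shows the residual risk after a recommended control. It assumes the likelihood weights, impact values and risk bands of the NIST SP 800-30 (2002) risk-level matrix, a High impact rating for every row, that each control lowers one rating by one level, and a constructed "natural disaster" row that the report does not rate.

```python
"""Risk determination and residual risk for the case study's ratings."""
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High"]
# Assumed scales: the risk-level matrix of NIST SP 800-30 (2002).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood, impact):
    """Score one threat/vulnerability pair: likelihood weight x impact value."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 1)


def risk_level(score):
    """Band a score: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def step_down(level):
    """Assumption of this example: one adequate control lowers a rating one level."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


@dataclass
class Pair:
    name: str
    likelihood: str
    impact: str
    # Each control is (name, dimension it reduces: "likelihood" or "impact").
    controls: list = field(default_factory=list)


def assess(pair):
    """Return inherent and residual (score, level) for one pair."""
    inherent = risk_score(pair.likelihood, pair.impact)
    likelihood, impact = pair.likelihood, pair.impact
    for control, dimension in pair.controls:
        if dimension == "likelihood":
            likelihood = step_down(likelihood)
        elif dimension == "impact":
            impact = step_down(impact)
        else:
            raise ValueError(f"{control}: unknown dimension {dimension!r}")
    residual = risk_score(likelihood, impact)
    return {
        "name": pair.name,
        "inherent": (inherent, risk_level(inherent)),
        "residual": (residual, risk_level(residual)),
    }


def register(pairs, accept="Low"):
    """Rank pairs by residual score and flag those above the accepted level."""
    rows = [assess(p) for p in pairs]
    rows.sort(key=lambda r: r["residual"][0], reverse=True)
    for row in rows:
        row["needs_action"] = LEVELS.index(row["residual"][1]) > LEVELS.index(accept)
    return rows


# Likelihoods for the first two rows are the report's; the impact ratings, the
# control-to-risk mapping and the whole third row are constructed.
CASE_STUDY = [
    Pair("Internet banking", "High", "High",
         [("two-factor authentication", "likelihood")]),
    Pair("ATM card theft or loss", "Medium", "High"),
    Pair("Natural disaster at data center", "Low", "High",
         [("DR site with real-time backup", "impact")]),
]

if __name__ == "__main__":
    for row in register(CASE_STUDY):
        flag = "ACTION" if row["needs_action"] else "accept"
        print(f'{row["name"]:34} inherent={row["inherent"]} '
              f'residual={row["residual"]} {flag}')
```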


    Risk Mitigation and Control:

    Control recommendations:

    Our recommendations following this assessment cover the following:

    Effectiveness of recommended options

    Legislation and regulations

    Organizational policy

    Safety and reliability

    Effectiveness of recommended options:

    It is the responsibility of the IT security specialist to know about the known threats prior to an attack, and to follow the policy that dictates continuity of the business in adverse conditions.

    Legislation and regulations:

    To facilitate nationwide E-banking, Pakistan has now drafted an E-banking law which gives coverage to all types of electronic fraud. Besides that, the State Bank of Pakistan has also circulated the necessary actions to be taken in case of disaster.

    Organizational policy:

    SBP enforces a policy requiring all banks to have their DR site available at all times for when the continuity of the business has been sacrificed. The organizational policy of the bank is therefore to maintain a complete backup of its data on a daily basis, and in real time in the case of backing up financial transactions. In this context the bank is using two types of communication channel with its DR sites: the first is through land line networks, a service by Cybernet, and there is also a radio link as a secondary backup channel.

    Safety and reliability:

    In general, network intrusion detection has been done through various intrusion detection systems. Proper disposal of ex-employee identities from the systems has been done. Two-factor authentication shall be done at the data center, or through biometrics at least. Proper authorizations have been given to people who access sensitive data. Proper backups shall be taken to avoid any unnecessary data loss.

    Conclusion:

    A successful risk management program will rely on:

    Senior management's commitment

    The full support and participation of the IT team

    The competence of the risk assessment team, which must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organization

    The awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of their organization

    An ongoing evaluation and assessment of the IT-related mission risks.
