CB Chief calls for improved cyber security

Central Bank Governor Dr. Indrajit Coomaraswamy yesterday said financial institutions ought to embed cyber risks in their overall enterprise-wide risk management framework, particularly in their operational risk mitigation mechanism. 

However, he noted, it must be ensured that cyber security strategies do not hamper business development, innovation and stakeholder or customer convenience.

Speaking at the 5th annual Cyber Security Summit, co-organised by Daily FT and CIRCA Campus, Dr. Coomaraswamy identified three fundamental strategies to cope with cyber risk, namely security, vigilance and resilience.

“Security: prioritise risks and enhance controls to protect against known and emerging threats; vigilance: detect violations and anomalies through better monitoring of workplace behaviours; resilience: establish the ability to quickly return to normal operations and repair damage to business.” 

Recalling hacker Kevin Mitnick’s breach into the US Department of Defence network, Dr. Coomaraswamy said, quoting Mitnick, “Companies spend millions of dollars on firewalls, encryption and secure access devices and this is money wasted because none of these measures address the weakest link in the security chain: the people who use administer, operate and account for the computer system that contains protected information.”

Firms need to adopt a holistic approach, said the Central Bank of Sri Lanka (CBSL) Governor, while ensuring that the “right basics are in place” so as to mitigate human error and insider threats.

Commenting on CBSL’s commitment to establishing cyber security in local financial institutions, Dr. Coomaraswamy said the bank has ensured that regulated entities have cyber security frameworks in place in accordance with international best practices.

“The regulatory framework has also sought to ensure that the required room exists for fostering innovations to bring down cost factors,” he said.

The CBSL also contributes to the Government’s digitalisation policy, said Dr. Coomaraswamy, establishing the Financial Sector Computer Security Response Team, the Financial Sector’s Certificate Authority and issuing regulations under the Payments and Settlements Act to govern mobile payments are key regulatory milestones. The Governor also made reference to CBSL’s Chief Information Officers’ Forum that he said was held with the objective of generating an effective dialogue on IT security-related issues, as well as the financial sector’s Certificate Authority ‘Lankasign’, which he said was another advancement in the cyber security architecture. 

“The Central Bank envisions promoting its ‘less cash society’ initiative by creating a balance between regulation and innovation as it is the institution that is responsible to the people and the Government for the safety and security of public funds as well as for the financial stability of the economy. But this vision can be achieved only through the cooperation of all players in the finance and banking ecosystem,” he said.

Reiterating the need for effective cyber security, Dr. Coomaraswamy said: “Cyber security is about risk management. It is about protecting your business, your shareholders’ investments while maintaining a competitive advantage and protecting assets.”

However, he cautioned that there is such a thing as too much security.

“He who defends everything defends nothing.  It should therefore be a carefully devised balancing act, to ensure delicate management of cyberspace,” he said.

Quoting Art of War author Sun Tzu, Dr. Coomaraswamy said: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.  If you know neither the enemy nor yourself, you will succumb in every battle.”

This enemy, observed the Governor, needs to be clearly identified in order to better fight him.

“Let’s identify our enemy very clearly; and be prepared to combat cybercrime. Our wholehearted commitment towards collaborative defence will assist us to win the battle to maintain cyber security.  The Central Bank, as the regulator, is committed to working closely with you in this challenging endeavour,” he said.