BCBS 239 Regulatory Risk: Examining Your IT Infrastructure to Identify Data Security Weakness
22 November 2016
The Basel Committee on Banking Supervision (BCBS) is an industry-driven effort among various nations to establish standards and best practices for issues related to banking supervision. Managing the regulatory risk of BCBS 239 – the international standard focused on principles for effective risk data aggregation and risk reporting – can be particularly challenging for some banks. In fact, 50 percent of banks self-assessed that they would be materially non-compliant by the effective date. Both the challenge and the solution are rooted in a bank’s technology approach.
Spending on IT infrastructure is a constant battle between too many needs and too few resources. CIOs are conflicted about investing in technology that provides an expected ROI and the risk that investment presents – from high maintenance to poor performance and low utility. Thus, every company can acquire technology, but many fall short on its update, maintenance and continued use.
The SANS Institute conducted research on IT spending and security risk. The report states: "For IT professionals, mitigation is cost-driven, which, in turn, requires quantification of the cost of the risk in order to procure resources for protection. Unfortunately, as survey results show, mitigation can be as formidable of a challenge as identifying the risks." As IT professionals onboard innovations each year, acquiring them sometimes takes precedence over maintaining legacy systems and governing the security and privacy of sensitive data that might be accessible via these new technologies.
For example, suppose an organization uses a content management system. Over the years, new personnel within the organization and external stakeholders are given access to the system; but the CIO prioritizes budget for onboarding new technologies over investing in the maintenance and operating expenses associated with a legacy content system. The unstructured data within the content management system often lacks a secure perimeter that is updated as the environment and the technology change.
How can risk and data governance managers get ahead of the evolving IT environment? Here are four areas of focus in identifying security weaknesses:
1. The external as well as the internal organization. The external organization may well lack the necessary authentication, encryption and audit trail capabilities; and the organization hosting the content may not have any gateway set up to ensure the content management system is within a secure perimeter. Information and data stored in this way may seem suitable if their use is limited to the internal organization; however, they are not. This sends a cautionary signal to regulators: Dependence on unguarded data means a weak infrastructure when it comes to that bank's overall governance, risk and compliance practices.
2. Disparate technology platforms without integrated control of data-risk governance. Numerous technology platforms exist throughout a banking enterprise – web portals, legacy software applications and systems, document management systems and various types of storage devices – most of which operate disparately from one another with no integration among them to optimize control. Widespread data flow, without integrated governance, is a red flag to regulators and board expectations.
3. Operational adherence to existing policies and procedures that govern data risk. Within the vast network of a bank’s operations, overall data governance can challenge security policies, plans, procedures and guidance. And such data governance is an important part of establishing a culture in which data remains protected. Guidance and policy used to control data risk from operations are only as good as the adherence to them – which gets tougher and tougher in a larger organization with many different systems and platforms. Companies need systems that validate and ensure policies and procedures are utilized and followed, to prevent widespread distribution of technology that leads to security vulnerabilities.
4. Individual as well as operational adherence to policies and procedures. Operations must adhere to policies and procedures, but the same standard applies to individuals as to large-scale bank operations. If mandatory training is instituted and policies and procedures are communicated and pushed forward, what good is it if individuals within the organization do not comply with those policies and procedures? This is a likely and realistic scenario, one that must be addressed and met with robust controls to enforce policy and ensure individuals are using the practices and standards that have been set up to govern data risk.
Aggregation of risk data entails defining, gathering and processing risk data. It is what BCBS spells out as necessary to comply with its standards:
"Improving banks’ ability to aggregate risk data will improve their resolvability. For global systemically important banks (G-SIBs) in particular, it is essential that resolution authorities have access to aggregate risk data that complies with the FSB’s Key Attributes of Effective Resolution Regimes for Financial Institutions as well as the principles set out below. For recovery, a robust data framework will help banks and supervisors anticipate problems ahead. It will also improve the prospects of finding alternative options to restore financial strength and viability when the firm comes under severe stress."
Being mindful of this direction relative to a bank's changing IT infrastructure and technology portfolio is key. Focusing on principles to control access and security policy compliance is a best practice in complying with BCBS 239 – now and in the years to come.
Jim Romeo is a journalist based in Chesapeake, Virginia, with a focus on business and technology. He is an engineer by background and education, and has written for numerous publications including SC Magazine, Security Magazine and TechTarget, among others. He is also the author of two books.