An analysis of the cyber risk management practices in the local banking industry

Abstract

Purpose: Banks rely heavily on technology, and while technology innovation is ever-increasing, it also provides new opportunities for cyber criminals. The researcher sought to acquire an indepth insight of the cyber risks that Maltese banks are exposed to, with the aim of analysing the relevant risk management processes these banks have in place to control and mitigate cyber risks to an acceptably low level. By using the acquired information, the study intends to assess whether the local banking industry as a whole is appropriately postured to defend against cyber threats. Design: By virtue of its nature, the study makes use of qualitative research. Semi-structured interviews were set up with personnel from local banks working in the risk management function or those affiliated with risk, particularly those involved in cyber risk management. Being an inductive study, the research is supplemented by reference to other available literature. Findings: The findings resulting from this study illustrate that there is a considerable discrepancy between the cybersecurity controls adopted by the core domestic banks and those implemented by the majority of the other banks. This is typically due to the fact that the latter have lesser available resources; however, in view of their size, some mistakenly believe they would most probably not be a target for cyber attacks. In contrast, the safeguards and robust controls set by the larger banks are very meticulous, which allow for adequate management of any cyber threats that may be encountered. Conclusion: In spite of having lesser resources, the majority of the other banks still apply certain risk management practices to mitigate cyber risks, albeit the need for improvement. Nonetheless, considering the whole sector, it may be concluded that the local banking industry is sufficiently postured to defend against cyber threats, as evident from the fact that none of the interviewed banks have been a victim of a significant cyber attack in the past 12 months, despite receiving multiple cyber attacks on a daily basis. Value: This study intends to raise awareness about the importance of cybersecurity in the local banking industry, as cyber risks can otherwise disrupt business activities resulting in loss of revenue and can cause considerable reputational damage, including eroding shareholder, investor and customer confidence. This study can be beneficial for local banks in identifying any area of weakness, while also receiving a number of recommendations submitted by the author.