2 research outputs found

    Cyber risk management frameworks for the South African banking industry

    Abstract: Information technology (IT) has proven to be critical in the operation of businesses today. The banking industry is one of the industries that are most reliant on IT. The banking industry has enjoyed greater efficiency and effectiveness in its operations owing to the widespread use of IT. However, due to IT and continuous technological advancements, new threats such as cyber risk have surfaced, and the banking industry has experienced the most cybercrime incidents. In addition to the banking industry being the most targeted by cyber-criminals, cybercrime incidents have detrimental impacts on the industry. As a result, it is crucial for banks to employ effective cyber risk management processes. The South African banking industry is required by the South African Reserve Bank (SARB) to align its cyber risk management processes to the cyber resilience guidance document issued by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO). The CPMI–IOSCO cyber resilience guidance contains guidelines that should be addressed within a bank’s cyber risk management framework. This study seeks to establish whether the Improving Critical Infrastructure Cybersecurity (ICIC) framework addresses the guidelines contained in the CPMI–IOSCO cyber resilience guidance. The ICIC framework is effective for managing cyber risk and allows an organisation to modify it to suit its specific needs and objectives. The objective of the study is to recommend to the South African banking industry a framework for managing cyber risks that is effective and that addresses the CPMI–IOSCO cyber resilience guidelines. The results were gathered by analysing the ICIC framework and mapping it against the CPMI–IOSCO cyber resilience guidelines. The results revealed that the ICIC framework addresses up to 71 percent of the CPMI–IOSCO cyber resilience guidelines. The study therefore recommends that instead of building a new cyber risk management framework, the South African banking industry should adopt the ICIC framework and modify it by adding the 29 percent of the CPMI–IOSCO cyber resilience guidelines not addressed by the ICIC framework. All the guidelines contained in the CPMI–IOSCO cyber resilience guidance will then be addressed within the modified ICIC framework. South African banks will also achieve effective management of cyber risks through the ICIC framework. M.Com. (Computer Auditing

    Cyberattack Detection and Response

    No full text