Last month, global consulting firm KPMG said the banking crisis in the UK was pretty much over. But, even as they issued this good news, KPMG clawed it back with a warning about the next crisis. Having repaired their balance sheets after the credit crunch,
banks need to prepare themselves against new systemic failures triggered by cyber attacks or serious system outages, say KPMG’s banking experts.
Naturally, the report triggered more discussion about how e-criminals, hacktivists or even hostile foreign government agencies could inflict serious damage on our banking systems. While the external threats are real and make for great news copy, it should
be remembered that the worst systemic failures affecting banks have come from shortcomings in internal controls and oversights, especially around identity and access management.
Coincidentally, I am meeting the architect of a banking systemic failure this month. Nick Leeson is the original Rogue Trader whose unchecked risk-taking caused the biggest financial scandal of the 20th century. Nick will be speaking at an event organised
by my company and putting his story into the context of today’s scenarios of how institutions approach access risk management in much more digitised operating environments than existed at Barings Bank almost two decades ago.
Leeson is a controversial figure, of course. His actions contributed to the collapse of a major bank and damaged many people’s careers. However, he recognises what he did and advises on how problems of stress and risk can be better addressed in business.
As a result, his life has moved very far away from his rogue trader days in Singapore.
But there are important lessons to be learnt from the Barings Bank story.
Clearly, institutions must not slacken in governing access against external regulations and their own internal rules and processes. Leeson worked the system on the strength of his stature as a successful trader, which made it harder to challenge and investigate
what might lie beneath the numbers. Are human beings any different today? Probably not, despite the massive changes in regulatory scrutiny.
What is different from the banking of the 1990s is how much more data is associated with identity and access. Banking systems are far more digitised and interconnected. This “big data” could cultivate the seeds of another Rogue Trader threat
as large financial organisations try to oversee hundreds of millions of dynamic access privileges and user relationships alongside the big data of transactions and other system actions. It seems more than likely that rogue trades could be hidden within this
data storm, especially as organisations draw upon a new talent pool of digital natives with the knack of working the system if they choose to.
But big data need not be anathema to strengthening IAM: new generations of analytic technologies are keeping pace and can turn that IAM big data into a means of pinpointing access anomalies and dangers much faster.
Real-time access intelligence systems can help banks monitor and analyse how all access risk factors are changing within an organisation and provide a clear view into where the greatest vulnerabilities lie. This will enable better auditability and compliance
with security practices and will help banks ensure that access to sensitive data is adequately monitored and controlled.
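As an added example (not code from the original post or from any product it mentions), here are two of the entitlement-level checks such an access-intelligence review runs over an IAM export: flagging toxic role combinations (segregation of duties) and flagging users whose privilege set has grown far beyond their peers'. The entitlement export, the role names and the policy rules are all constructed for illustration.

```python
"""Segregation-of-duties and privilege-accumulation checks over an IAM entitlement export.
Added example; the entitlement data, role names and SoD policy are constructed."""
from collections import defaultdict
from statistics import median

# Constructed sample of (user, role) assignments, as an IAM system might export them.
ENTITLEMENTS = [
    ("trader01", "futures_trader"),
    ("trader01", "settlements_clerk"),
    ("trader01", "margin_reporting"),
    ("trader02", "futures_trader"),
    ("ops01", "settlements_clerk"),
    ("ops02", "margin_reporting"),
]

# Constructed SoD policy: role pairs one person must not hold together, with the reason.
SOD_RULES = {
    ("futures_trader", "settlements_clerk"): "executes trades and settles them",
    ("futures_trader", "margin_reporting"): "executes trades and reports their margin",
}

def roles_by_user(entitlements):
    """Group the flat export into {user: set(roles)}."""
    grouped = defaultdict(set)
    for user, role in entitlements:
        grouped[user].add(role)
    return grouped

def find_sod_conflicts(entitlements, rules=SOD_RULES):
    """Return (user, role_a, role_b, reason) for every rule a user violates."""
    conflicts = []
    for user, roles in roles_by_user(entitlements).items():
        for (role_a, role_b), reason in rules.items():
            if role_a in roles and role_b in roles:
                conflicts.append((user, role_a, role_b, reason))
    return conflicts

def privilege_outliers(entitlements, factor=2.0):
    """Return (user, role_count) for users holding more than factor x the median role count."""
    counts = {u: len(r) for u, r in roles_by_user(entitlements).items()}
    threshold = factor * median(counts.values())
    return [(u, n) for u, n in counts.items() if n > threshold]

if __name__ == "__main__":
    for conflict in find_sod_conflicts(ENTITLEMENTS):
        print("SoD conflict:", conflict)
    for user, n in privilege_outliers(ENTITLEMENTS):
        print(f"privilege outlier: {user} holds {n} roles")
```

Both checks are deliberately simple; in a real review the rules come from the business's control matrix and the peer group for the outlier test would be the user's job function rather than the whole export.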
Risk management needs to keep on relearning the lessons of the past, as well as considering how fast internal and external threats are changing too. It’ll be interesting to hear what Nick Leeson thinks when we meet next week, and also to hear what you think about what
we can and cannot learn from the Barings Bank story.