Striking the balance in compliance, innovation, and cyber security in SL’s financial sector

This feature is based on a panel discussion facilitated by the Centre for Banking Studies, consisting of industry experts who delved into how the elements of compliance, innovation and cybersecurity could be harmonized to ensure robust banking operations, comprehensive customer protection and sustained resilience against evolving cyber threats. 
The expert panel comprised keynote speaker Madu Ratnayake, Co-founder of global cybersecurity firm Scybers and former Global CIO of Virtusa, K.G.B. Sirikumara – Assistant Governor and Chief Compliance Officer of CBSL, Dr. Ramesh Shanmuganathan – Executive Vice President and Group CIO of John Keells Holdings PLC and Sanduni Wickramasinghe - legal consultant specializing in information privacy and technology law, and Sujit Christy – Advisory Board Member, Cybersecurity Center of Excellence, SLASSCOM (Sri Lanka Association for Software and Services Companies). 

Digital transformation of the banking and financial services sector is a topic that has gained substantial attention and debate in Sri Lanka lately. 
This transformation has touched almost all industries, helping to enhance customer experiences, improve operational efficiency and reduce costs through technology. Covid-19 further intensified the shift from physical to digital, driving banks and financial institutions to accelerate their digital transformation plans as customers’ needs and tendencies changed in response to the pandemic.

Digital transformation in banking  & finance

 The banking and financial services sector went through a significant transformation during the pandemic, with banks carrying out aggressive campaigns to get their customers to use digital services and customers being forced to adopt digital banking in order to stay connected with their funds, and the journey is far from over, with predictions showing innovation will continue to expand. Since the industry is continuing to transform, it will take collective efforts from the industry’s stakeholders to welcome the transformative journey in order to remain relevant.

Challenges faced 

The current digital transformation initiatives and trends also created significant challenges in terms of regulation, compliance and heightening concerns for cybersecurity. The attack surface at many organizations has greatly expanded (exploits of vulnerabilities have doubled since last year), highlighting the need for better vulnerability prevention, detection, and mitigation strategies. Online banking is increasingly vulnerable to cyber-attacks as customer data is available online across multiple channels and platforms.  As if this was not enough to worry about, there is a growing automation of complex online attacks. 
Common ways in which data breaches and cyber-attacks happen include phishing, stolen or compromised credentials, cloud misconfiguration, business e-mail compromise, social engineering, physical security compromise, malicious insiders, accidental data loss, lost or stolen devices, system errors, known unpatched vulnerabilities or unknown vulnerabilities. A large portion of data breaches can occur due to avoidable and easily fixable hygiene issues rather than complex and planned cybercrime. 
What are companies doing to protect themselves? Companies should digitalize securely – ensure that systems are robust against vulnerabilities and move to a strategy of building and buying technology products that are secure from inception. 

An upward trend in data breaches

Despite recent efforts to improve cybersecurity, data breaches continue to increase year-on-year affecting both large and small organisations. Despite having large budgets in place to prevent such attacks, large global players such as Facebook and Microsoft as well as the Sri Lankan Government and PickMe locally have faced data breaches and cyber-attacks. Even though cyber-attacks are not 100% avoidable, organisations must figure out how to manage their impact and build adequate resilience. 
Reported data breaches in the banking and financial services sector have increased during the last 12 months as per headlines around the world and in Sri Lanka, with local banks also subjected to such breaches.  The average cost of a data breach also continues to rise, reaching an all-time high in 2023. The cost of breach involves cost to detect, escalate and respond to the breach, cost of loss of business because of the breach, cost of notification and post breach response. There have been numerous cases where the compliance and regulatory costs outweigh the cost of breach itself. 
Organisations need to assess security risks and build mechanisms to safeguard themselves from threats. While the highest average cost of a data breach was detected in the healthcare industry (a sector relatively newer to digitalization and therefore less regulated), the financial sector ranks a close second. 

Bridging the trust gap

While companies should take all possible steps to build robust cybersecurity, the protection strategies cannot be focused only on technological controls. Companies should also involve the human element as well. They should work on building a digitally-resilient culture in which cybersecurity is an everyday task for stakeholders at all levels, both inside and outside the organization. 
Trust gaps exist on many levels across the corporate ecosystem. At the Board and C-suite level, individuals may be less informed about cybersecurity issues than they are about financial and operational matters. A trust-based relationship among business units, the IT department and cybersecurity function may also be challenging to maintain. A trust gap may exist between organisations and their vendors, and regular conversation should be facilitated to decide on levels of security required to protect business information. Finally, gaps may exist between companies and Government agencies. While technology alone cannot prevent cyber-attacks, a culture of trust among all stakeholders – board directors, IT leaders, employees, vendors and Government agencies is also important for cybersecurity initiatives to succeed.

How can companies address these issues in a modern and holistic way? 

Companies are increasingly relying on skilled cybersecurity teams with cutting-edge tools including artificial intelligence (AI) that can help detect, defend and fortify against evolving threats. AI is rapidly developing and transforming various aspects of the financial services industry (including credit risk, fraud detection, debt collection, product design etc). AI and machine learning are potent tools to combat modern cyber threats, with many global organisations already leveraging AI to detect security intrusions and behaviour patterns, understand and prevent threats faster and reduce the blast radius from attacks by reducing response time. 
For businesses, technology risk is governed by one equation: likelihood x impact = risk exposure. This provides useful insight and pinpoints two basic ways to mitigate risk.  The first is to reduce the likelihood of unexpected events. The second is to lower their impact on the business. Organisations can reduce likelihood by avoiding being the target of opportunity by protecting their crown jewels (the most critical assets in the organization’s information systems), maintaining good cyber hygiene and regulatory compliance and adopting the right security architecture (people/principals/platforms).
Impact measures how much disruption the organisation will face if a threat actually occurs and this can be mitigated by ensuring the organisation’s systems are built for resilience (balancing the amounts spent on protection and cost of responding to a breach) and frequent testing. Rather than overspending on defensive security tools and resilience, both of which can cause business disruption – maintaining a balanced spending on minimal viable cybersecurity and resilience is essential.
In his closing remarks of the keynote speech, Madu Ratnayake employed an analogy to effectively convey his message “What makes a supercar go fast is not its engine but its brakes – giving you the ability to go fast because you can stop safely in seconds and avoid an incident. When building a business – it is less about cybersecurity and compliance and more about building a system that makes your business grow fast and at the same time have a world class system in place that addresses the risks involved.” 

Personal data protection 

On 18 March 2022, Sri Lanka enacted the Personal Data Protection Act, No. 9 or 2022 (PDPA), thereby becoming the first South Asian country to enact comprehensive data protection legislation. The PDPA applies to processing of personal information that takes place in Sri Lanka, and to controllers or processors that are domiciled in, incorporated in, or offer goods or services to persons in Sri Lanka. 
The PDPA applies to all businesses (small or large alike) but does not cover personal information processed purely for personal purposes by an individual. The PDPA provides mechanisms of protecting personal data, while also facilitating the growth and innovation in the digital economy in Sri Lanka with protection being ensured to those identified as data subjects. The PDPA provides measures to protect personal data of individuals held by the government entities, banks, telecom operators, hospitals and other public and private personal data aggregating and processing entities.
The PDPA also set up the Data Protection Authority, to act as the data protection regulator. The regulator is responsible for ensuring regulatory compliance with the PDPA. The Authority has the power to require controllers and processors to conduct inquiries, receive complaints, impose penalties, and make rules and guidelines under the PDPA.

What is CBSL’s role in building trust and confidence in the ecosystem?  

The CBSL is the key regulator in the banking and financial services sector and as such, has a serious responsibility regarding personal data protection. Financial institutions handle huge amount of money and sensitive data, making them an attractive target for cyber security attacks. Banks and financial institutions that come under the purview of CBSL are also directly impacted by the PDPA. 
Another legal principal that significantly affects the banking sector and instills trust is banking secrecy. This is the principal that banks are not allowed to provide personal and account information of their customers to a third party subject to some conditions. Breach of banking secrecy is an offense resulting in criminal and civil penalties. As such, entities in the banking and financial services industry need to remain vigilant at all times, with robust cybersecurity and resilience measures in place and adhere to the highest industry standards regarding risk management and mitigation strategies. 
“Innovation is essential, it is what distinguishes between a being a follower and business leader. However, the banking and finance sector is inherently risky, since it involves working with money belonging to others more so than other industries. Financial institutions cannot experiment under the guise of innovation and put other people’s money into jeopardy. When a regular organisation attempts to innovate and fails, it is the failure of the organisation alone. When a financial institution fails, it has a systemic impact, and can affect the whole economy. Therefore, striking a balance between innovation and compliance is essential in the banking and finance sector,” explained Sirikumara highlighting a need for a delicate balance between the elements. 

True digital transformation 

When it comes to undertaking digital transformation, many only take small incremental steps. They look at where they are now, the current needs of the businesses and implement strategies to address these topics. This is incremental change, rather than a digital transformation. While it may be beneficial, it only brings in a fraction of the innovation, differentiation and value that true transformation can offer. With an incremental approach, meaningful change ends up happening too late, or never at all. True digital transformation involves the overhaul of entire business operations, processes, and culture. 
“If we want every citizen of Sri Lanka to be empowered in the digital economy, we need to implement an ‘outside-in’ approach to thinking, rather than trying to grow from where we are,” said Dr. Ramesh Shanmuganathan, emphasizing the need for technology to fundamentally change how the banking and financial services sector of Sri Lanka operates and delivers value to customers.
The evolving banking and financial services landscape demands a nuanced approach to balancing innovation and risk management. Achieving a balance between embracing innovation (which, in today’s digital world is not an option but a means of survival) and strong cybersecurity measures are essential in order to ensure the growth and resilience of an organisation. Banks and financial institutions that master this balancing act are poised to capitalize on the benefits of innovation while maintaining the trust of their customers and stakeholders.