Thomas Kok, DBS Bank: Singapore infrastructure not yet steeled for natural or terrorist disasters
Wed 29 Oct 2014
Thomas Kok is Head of Group Business Continuity Management at DBS Bank, Singapore. He spoke at Cloud Expo Asia as a Member of the CSA CISO Round-Table, and is an experienced financial industry professional in Technology Risk Management and Business Continuity Management.
What are the particular challenges of business continuity in the context of Singapore’s existing capacities and infrastructure?
In terms of business continuity, Singapore’s power grid, telecommunication network, public transportation infrastructure and standards of building are among the best in Asia. Power failures are very rare in either the work or the domestic sector. Telecommunication is generally reliable, except for an exchange-related incident last year, which could have been prevented. Public transportation, both MRT and buses, is also generally reliable.
However, one important challenge for us is complacency regarding the impact of natural disasters on business continuity – even though these are relatively rare occurrences. Management and staff of both public and private organisations need to take business continuity as seriously as those in other countries. At present organisations are not devoting adequate priority, budget or manpower allocation to the cause of business resilience.
Also, as you will have observed throughout the major media, there are significant threats developing globally. Since Singapore is an open economy, an international air-hub and a major international financial centre, it may face a greater threat than many other countries. Looking at Asia, or even the world at large, we should be concerned with the Ebola pandemic, terrorism due to radicalisation, political and social instability, and the threat of cyber-attacks and data leakage. I called these the ‘Four Horsemen of 2015’, and we should be watchful of these.
How has the Monetary Authority of Singapore (MAS) TRM affected your workload in the past few years, in terms of complying with the edicts regarding limited downtime?
Obviously, with the TRM Notice being legally binding, there will be increased effort across all financial institutions – in identifying critical systems, in monitoring their availability, in assessing relevant incidents, and in reporting to the regulator. For financial institutions which have invested substantially in system resiliency, IT infrastructure, proven IT processes and mature technology risk management practices, the effort should not be substantially higher. For those who have yet to level up, it is a great opportunity to do so.
Is there a temptation to join the likes of NASA in favouring old and proven technologies over potentially better – but unproven – ones, given that the stakes are so high for a bank in terms of security and business continuity?
I spoke about the financial industry being a ‘Trust’ industry in a recent conference. Customers, whether consumers or institutional, and counter-parties or partners in the financial industry, choose you because they trust that you can deliver and can protect their assets – especially their information.
Therefore protection of customer information is an important obligation. It’s necessary and pragmatic that we choose proven and effective technologies to support the businesses of financial institutions.
Having said that, it’s worth noting that the financial industry is one of the most innovative sectors, and hence continuously attracts numerous IT vendors of new products and services. Financial institutions are also generally more mature in information security and business continuity than other sectors.
How do you negotiate this tension between the desire to improve security through new methods versus understandable caution?
We always talk of a multi-layered approach to information security. The use of new methods to improve one area of security must not degrade existing methods which are already implemented. These new methods can indeed help to substantially improve the overall technology risk posture for the financial institution; after that, the question is one of cost-effectiveness. Ultimately, we need to balance the risk-cost equation, and the opportunity cost of this investment/expenditure.
What can the cloud offer to the banking sector in the next few years, and what are the primary challenges in taking up those opportunities?
In information security, we talk of information classification – public, confidential, secret – and the corresponding depth of controls we have to put in place to protect them. There are good business reasons, regulatory and legal requirements to protect information along the information life-cycle, from cradle to grave. We have the Personal Data Protection (PDP) Act, the Banking Act, and other supporting regulatory requirements in the banking sector because we are a ‘Trust’ industry. Large financial institutions have already set up their own resilient IT infrastructure and put in place multi-layered protection to address business continuity and information security requirements.
So, if we are talking about cloud storage service, then the service must be able to comply with our requirements, and bring added value to the table.
For instance, if we are talking about a cloud processing service utilising massively parallel computers or processes to solve complex problems and to reduce processing time, then there will be a need for us to de-sensitise the information before sending it on to this cloud service.
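The de-sensitisation step described above, as an added illustration that is not code from the interview, DBS Bank or any named product: a classification-driven gateway that sits on-premises, keeps secret fields from ever leaving, replaces confidential identifiers with keyed pseudonyms (HMAC-SHA256 tokens, so the same customer gets the same token and records stay joinable in the cloud, but the cloud cannot reverse them without the key), passes public fields through, and re-identifies aggregated results when they come back. The field labels, sample records and the HMAC-based tokenisation are all assumptions chosen for the example; a real deployment would take the classification policy from the institution's own data-classification register.

```python
import hashlib
import hmac

# Constructed classification policy (assumption): field name -> label.
# Any field not listed is treated as "secret" (default-deny).
CLASSIFICATION = {
    "customer_id": "confidential",
    "full_name": "confidential",
    "nric": "secret",            # national ID: never leaves the premises
    "txn_amount": "public",      # needed by the cloud job; not identifying on its own
    "txn_currency": "public",
    "merchant_category": "public",
}

# Constructed sample transactions (assumption); not real customer data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "full_name": "Alice Tan", "nric": "S0000001A",
     "txn_amount": 100.0, "txn_currency": "SGD", "merchant_category": "grocery"},
    {"customer_id": "C-1002", "full_name": "Bob Lim", "nric": "S0000002B",
     "txn_amount": 40.0, "txn_currency": "SGD", "merchant_category": "transport"},
    {"customer_id": "C-1001", "full_name": "Alice Tan", "nric": "S0000001A",
     "txn_amount": 50.0, "txn_currency": "SGD", "merchant_category": "dining"},
]


class Desensitiser:
    """On-premises gateway between classified records and an external cloud job."""

    def __init__(self, key: bytes):
        self._key = key          # tokenisation key: stays inside the institution
        self._lookup = {}        # token -> original value; never sent to the cloud

    def _token(self, field: str, value) -> str:
        # Keyed pseudonym: deterministic per (field, value) so joins still work,
        # but not reversible by anyone who lacks the key.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:16]
        self._lookup[token] = value
        return token

    def outbound(self, record: dict) -> dict:
        """Return the record as it may leave the premises."""
        out = {}
        for field, value in record.items():
            label = CLASSIFICATION.get(field, "secret")
            if label == "public":
                out[field] = value
            elif label == "confidential":
                out[field] = self._token(field, value)
            # "secret": dropped entirely, nothing about it is sent
        return out

    def inbound(self, result: dict) -> dict:
        """Re-identify a token-keyed result returned by the cloud job."""
        return {self._lookup.get(token, token): value for token, value in result.items()}


def cloud_side_aggregate(records: list) -> dict:
    """Stand-in for the external processing job: total spend per (tokenised) customer."""
    totals = {}
    for rec in records:
        totals[rec["customer_id"]] = totals.get(rec["customer_id"], 0.0) + rec["txn_amount"]
    return totals


def run_pipeline(key: bytes, records: list) -> tuple:
    """Full round trip: de-sensitise, process 'in the cloud', re-identify on return."""
    gateway = Desensitiser(key)
    shipped = [gateway.outbound(r) for r in records]
    result = cloud_side_aggregate(shipped)
    return shipped, gateway.inbound(result)


if __name__ == "__main__":
    shipped, totals = run_pipeline(b"constructed-demo-key-not-for-production", SAMPLE_RECORDS)
    for rec in shipped:
        print("sent to cloud:", rec)
    print("re-identified totals:", totals)
```

The check a reviewer would make on this pattern is that the key and the token lookup table live only on-premises, that the default for an unclassified field is to withhold it, and that the cloud job works purely on tokens and public attributes, so a compromise of the processing service exposes neither identities nor the secret-labelled fields.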