When $81 million was stolen from the Bangladesh Bank in 2016 and laundered through casinos in the Philippines, many in the financial world were shocked, but not the risk managers at the Bank of the Philippine Islands.
For some time, ahead of the world’s biggest cyber heist, security experts at the bank had noticed a sharp uptick in cyber activity in the Philippines from a variety of locations, says Marita Socorro Gayares, chief risk officer at BPI.
“We noticed months before the attack that there were also some patterns of unusual access attempts in the bank’s systems coming from various IP addresses, and we were able to detect that some third party may be interested in trying to penetrate BPI. There was a direct link between the attack on the Bangladesh central bank and our bank’s decision to invest more in cyber security,” she says.
As a result, the BPI board signed off an ambitious programme of improvements to its cyber security in 2017, which included a conscious decision to spend at least two billion pesos (US$19.7 million) annually – as part of an IT spend equivalent to 9% of the bank’s total revenues – to guard against a risk that Gayares sees as critical to the success of the whole business.
“The franchise value of the bank will depend on how well we protect ourselves from cyber risk, as a successful attack would have a negative impact on a number of areas: our brand reputation, share price, and valuation ratios such as P/E, including potential sanctions from our regulator. The amount of money and time, which we have subsequently spent on managing our cyber exposures, demonstrates how focused and dedicated we are to controlling this risk,” she says.
Cyber security centre
BPI’s first act was to set up a cyber-security centre, and then it sent 24 members of its team abroad for cyber risk training before asking EY to validate the effectiveness of its defences.
“We made sure we invested heavily in people and technology, and we engaged vendors to help us establish a cyber-security operations centre and continue monitoring the cyber risks for actual attacks, malware, and other security threats that are over and above the vulnerability and penetration testing that we do on an ongoing basis. It is challenging and quite expensive, but it gives credence to the risk management governance structure of this institution,” Gayares says.
So far, the majority of BPI’s cyber risk investment has been focused on the bank’s online and mobile offerings. However, Gayares says there have been several warnings recently about ATM attacks and the bank is preparing to counter that.
“We have adopted a very conservative risk philosophy that there will always be attacks and the possibility of breaches is high. The issue is how we deal with it – how long before it is discovered and how quickly we can recover after an attack,” she says.
Wider risk management
The decision to invest heavily in its cyber defences is part of a broader pattern of placing risk management at the heart of BPI's business. In 2014, BPI became the first Philippine bank to win an Asia Risk award in recognition of its five-year plan, drawn up in 2013, to create BPI’s risk management office, which the firm has expanded since. The number of staff in the office has grown by 27% since 2013, to reach 120, the majority employed as risk officers.
As well as expanding its cyber-security defences in 2017, the bank implemented several other risk management initiatives, including setting up the infrastructure to handle big data and becoming the first Philippine bank to comply with International Financial Reporting Standards (IFRS) 9. It also introduced risk-based pricing in the frontline of the business.
As with the cyber risk component, BPI sought third-party help for its IFRS implementation. It worked initially with EY to set up its models before switching to PwC this year, for help with the calibration of its system once it was up and running. In 2017, BPI had asked Deloitte to measure its business continuity preparation.
“There is a pattern of us taking third-party risk assessments of our preparedness. We believe BPI cannot just look at our domestic competitors; it is also vital that we benchmark ourselves against the global banking industry,” says Gayares.
The business benefits of BPI’s unremitting focus on risk management are best illustrated in its loan book: as an emerging market bank, credit risk is its biggest exposure, and here the firm is a clear market leader in the Philippines.
Since it set up a risk management office in 2013, BPI has seen its loan portfolio double in size – a figure equivalent to a mid-sized Philippine bank, it says – while still managing to keep its non-performing loan figures under 2%.