Maybank takes to the dark web to tackle hackers

Bank’s CRO and CTO discuss front-foot approach to cyber threats

Group chief risk officer Gilbert Kohnke: “We have to plan for extreme scenarios”; this includes state-sponsored hacking

When it comes to fighting cyber criminals, Malaysian lender Maybank is going on the offensive. Executives at the retail-focused bank, active in a fast-growing economy, say they cannot afford to rely on traditional defences as new and more dangerous threats emerge: a single successful attack could erode the trust of the bank’s 22 million customers.

Suhail Suresh, group chief technology officer at Maybank, sets out the nature of the threat facing the lender in stark terms. Acknowledging that cyber criminals are ahead of the game compared with banks, the firm has taken a leaf out of their book, relying on a combination of external vendors, ethical hackers and an IT war council to keep its customers safe.

“Our thinking has evolved from being defensive to proactive. Cyber crime has grown so much that the defensive mechanism comes to how fast we can detect an attack, and how [quickly we can] recover from it. That’s where our threat assessment teams come in,” he says.

The bank’s risk managers have to cover a lot of ground: the group operates in 20 countries, with a physical footprint of some 2,200 branches. Its asset base of $165 billion makes it the fourth-largest bank in South-east Asia.  

Suresh shoulders this burden with Gilbert Kohnke, Maybank’s group chief risk officer, who joined the bank in November 2017, following stints at Singapore’s OCBC and Danske Bank. The two men, whose offices are next to each other, say they work together on an almost daily basis to look at cyber security from the technology and risk management perspectives.

“We have to plan for extreme scenarios. Banks have to assume they could be attacked by a highly sophisticated party, including possibly a state-sponsored hack or less sophisticated hackers – they may try to take a poke at the bank. The way we look at cyber security and threat scenarios has shifted from how we looked at this eight, nine years ago,” says Kohnke.

DDOS defence

As part of its proactive strategy, the bank relies on its group-wide IT security council – a risk management forum built to look at emerging risks, learn lessons from past attacks, and make sense of incidents that are already occurring across the industry. Aside from quickly identifying areas where the bank may be susceptible, the team’s mandate is to develop a mechanism to deal with threats from inception to conclusion.

As an example, Suresh cites the bank’s approach to proactively defending against distributed denial of service (DDOS) attacks, in which a malicious actor seeks to overload a website with more traffic than it can handle, with the aim of taking it offline.

“When [attacks] come, we can route traffic to a different site, and then reroute to a different site and reroute clean traffic back – so the DDOS attack is warded off,” he says.

The firm also relies on daily reports from specialist vendors to tell it what threats are looming, and what incidents have occurred across the industry: “We also have a group of ethical hackers to look at what’s happening in the dark web to look for threats.”

The so-called dark web consists of private networks on the internet accessible via specialist software, unindexed by search engines, which can be used to facilitate the exchange of illicit goods or information. Many banks, from the largest multinationals to smaller regional lenders, are known to utilise so-called ethical or ‘white hat’ hackers – in contrast with ‘black hat’ malicious hackers – either to test their own defences against a potential breach, or to keep tabs on internet chatter on dark web forums and markets.

This can often yield disturbing but effective results: for instance, a specialist vendor recently discovered the credit and debit card details of 10,000 customers from one of India’s largest banks on the dark web, available for sale at $4.50 a card.

Given the scale of the industry’s challenges in cyber risk, Suresh urges his peers in Asia to adapt to a new mindset quickly. They must abandon insularity for a collaborative approach, he says – something Bank Negara Malaysia, which recently foiled an attempted cyber attack based on false payment messages sent over financial network Swift, has sought to encourage. The central bank also has an IT investigation unit that regularly consults with the country’s banks.

“What banks need is an industry-wide collaborative effort to keep ourselves updated with what’s happening. Hiding incidents to protect one’s reputation are practices of the past. It is imperative that everyone in the industry shares such information so that we can weed out the fraudsters and share ways to protect our systems by closing the loopholes,” he says.

Cyber scenarios and capital

Aside from making sure Maybank’s risk and IT infrastructure is battle-ready, Suresh and Kohnke focus on ensuring the lender is adequately capitalised against potential losses, in case the worst should happen. With the forthcoming standardised measurement approach shifting the emphasis onto using a bank’s past losses when determining its capital requirements, many Asia-Pacific banks are worried that low historical realised losses from cyber incidents make it difficult to properly quantify forward-looking threats.

The nature of cyber risk losses has also changed dramatically over the past few years, as evidenced by the Bangladesh Bank hack and the numerous attacks on cryptocurrency exchanges, threatening to make prior loss data irrelevant as inputs for calculating potential future losses.

For most banks, techniques such as scenario analysis remain an integral component for operational risk capital calculations, despite the method losing its place in their modelling arsenal under the switch to the standardised measurement approach. Kohnke says the ever-evolving nature of cyber threats means new scenarios must be constantly envisaged, allowing the potential size of damages to reflect hackers’ increasing sophistication.

He believes a different approach may be required. Kohnke argues cyber insurance could be better suited than operational risk capital as a tool for covering potential losses from tail risk events: “When we think of cyber security, we have to ask … is this an insurance issue or capital issue? I’m more sceptical about the standardised measurement approach because of the lack of scenario applications, which I think is the way to go for cyber. I don’t know if putting aside more capital per se is going to make us safer or more resilient.”

Although some have questioned the efficacy of cyber insurance, Kohnke argues the product has evolved sufficiently to make it a more suitable, tailored risk management tool for hard-to-model losses. The bank works with specialist insurance brokers to understand and put a dollar value on its exposure to tail risk events, he adds.

“Cyber risk insurance has evolved a great deal, and we work with the brokers to get a sense of how they would look at insuring or reinsuring such risks. We can leverage on their experience too, so it’s mutually beneficial,” says Kohnke.

Biography – Gilbert Kohnke 

November 2017–present: Group chief risk officer, Maybank

2015–17: Head of group risk management, Danske Bank

2005–14: Group chief risk officer, OCBC Bank

2004–05: Head, European portfolio management, CIBC World Markets

Biography – Suhail Suresh

April 2015–present: Group chief technology officer, Maybank

2014–15: Chief information officer, group technology, Maybank

2012–14: Head of virtual banking and payments, Maybank

2011–12: Managing director, Malaysian Electronic Clearing Corporation

2009–11: Group managing director, Malaysian Electronic Payment System

Editing by Tom Osborn
