Published on 16 Aug 2021

Managing Emerging Risks for New Technologies

While technologies make significant and necessary contributions to the progress and efficiencies of many businesses, they also come with their own emerging risks.

In this NBS Knowledge Lab webinar moderated by Associate Professor Hannah Yee-Fen Lim from the Division of Business Law, Nanyang Business School (NBS), Nanyang Technological University Singapore (NTU Singapore), speakers Mr Lim Shih Hsien, Chief Security Officer at SP Group; Mr Han Kwee Juan, Managing Director & Group Head of Strategy & Planning at DBS Bank; and Dr Anusuya Yogarajah, Head of Ethics & Compliance, APAC at Getinge drew on their own industry experiences to provide insights into emerging risks in utilities, banking, and medical technology.

Associate Professor Lim opened the discussion with a question on emerging risks associated with technology in the past decade. Mr Lim suggested that the cyber realm is a relatively young domain and the first known hackers were initially motivated by curiosity, as they explored the boundaries of the Internet. However, we are now seeing a lot more technology crimes largely because businesses have moved onto the web, and the exposure from a risk standpoint becomes a financial one.

Where Time Is of the Essence

Financial institutions themselves have also become increasingly digital but Mr Han clarified that the fundamental risks in banking (credit, market, and operations) remain unchanged. The major challenge is how quickly banks can react and make decisions. In addition, the rise of social media creates a new dimension as to what banks need to take into consideration. Mr Han emphasised this is a matter of speed – organisations need to react promptly as news and information are now received within seconds.

Protecting Data Privacy

Working in medical technology, Dr Yogarajah has extensive experience in data processing and privacy. In recent years, there has been a change in the landscape for data privacy and protection as people become more aware of its importance. For many organisations, one of the challenges is sensitive data being pervasive across systems, with work needing to be done to find the data, understand its lineage, and conduct inventory tracking. Even as new technologies are deployed to do all that work, bridges need to be built with old systems, where data is stored.

Additionally, Dr Yogarajah pointed out the need to look beyond the organisation itself as data is shared with external partners. Furthermore, firms need to consider cyber safety as employees work from home or on their personal devices.

Risks Associated with Handling Big Data

With regard to handling big data and how its risks are adequately managed, Mr Han suggested first asking how data is used, and what data is useful. There are three main concerns: first, the idea of democratisation vs control; second, being insightful vs being “creepy”; and finally, the potential of opening up risks of bias.

On the first concern, Mr Han pointed out that firms need to understand the different data they can make available and the level of anonymity they can apply. On the second point, he explained that DBS’s approach to communicating data is guided by two broad frameworks: RED (Respectful, Easy to deal with, and Dependable) and PURE (Purposeful, Unsurprising, Respectful, Explainable), which determine how much help they should provide customers without making them uncomfortable.

Lastly, to manage the risk of bias when using Artificial Intelligence (AI), firms need to adopt the right frameworks to prevent excluding people from services. Mr Han encouraged active participation in forums and discussions in order to get a broader sense of how businesses can align technologies with their business principles.

The Role of Governance in Managing Cybersecurity

As the volume of data continues to increase rapidly, banks need to increase automated decisioning to handle this volume and speed. If organisations lack the processes and know-how to handle these new shifts, the manifestation of credit, market, and operation risks will amplify. DBS’s Control Towers, for example, allow the bank to see the screens customers use when they log onto the website or app. This way, the bank would know instantly when problems occur. However, Mr Han reiterated the need to have the right governance around automated decision making.

Speaking from his perspective as a CSO, Mr Lim pointed out that cybersecurity can literally be a matter of life and death today. If Singapore’s power supply goes out, for instance, hospitals may only be able to run for a few hours. Currently, Mr Lim is witnessing more board level discussions on security functions, which, in the past, used to be more technically driven for CSOs. Mr Lim said that a CSO’s role will evolve further due to the increasing risks in technology in our daily lives, and the growing use of AI.  

Are Mobile Phone Apps Secure?

As more technology is built around mobile phones, Associate Professor Lim asked how individuals can minimise risks. To this, Mr Lim replied that how securely the device is configured depends on the various device creators. However, Mr Lim also suggested that there are lower chances of things going wrong on mobiles as apps are usually curated. For consumers, risks more often take the form of phishing or misinformation on social media.

Adopting Best Practices Across Organisation

On the role of organisational culture in managing risks, Mr Han emphasised the importance of creating an environment where staff understand what is important to the organisation. For DBS, this means being “customer obsessed” as they focus on how customers experience services, how they would trust their information and money with the bank, etc. In evaluating employees, the bank also has two rating systems: What (hard goals) and How (values) that encourage employees to integrate the bank’s purpose into their daily work.

The Issue with Cyber Insurance

With regard to insurance in mitigating the risks and liabilities of new technology, Dr Yogarajah pointed out that cyber insurance protects the company if it is sued for liabilities in cases such as data breaches, employee theft, loss of hardware, etc. A measured approach is required as firms need to relook and review their industry, risks, and the contractual obligations they have with partners.

Q&A Session

Risks Surrounding Cryptocurrency and DeFi

In the Q&A session, participants wanted to know how DBS is reacting to risks in cryptocurrency and decentralised finance (DeFi). As a bank, Mr Han said, the three risks remain the same even though the underlying assets have changed. The DBS digital exchange offers asset tokenisation, cryptocurrencies for trading against fiat currencies, and digital custody. Mr Han added that DeFi is a good thing, and consumers will benefit from the industry competition. 

Risks for SMS 2FAs

Responding to a question on two-factor authentication, Mr Lim suggested that it is best to avoid SMS 2FAs as anyone can intercept an SMS message. This similarly applies to voice-based verifications. If someone loses their phone, Mr Lim stressed that the important thing is to call the bank to avoid identity theft.

Learning More About Emerging Risks

When asked for recommendations for courses on emerging risks, Mr Lim said that working closely with people in the business and having the empathy for the risk of doing business is more important. Associate Professor Lim added that while there are courses available such as NTU’s MiniMasters, one can always start off with readily available online courses as a “taster”.

Insuring Cybersecurity

Finally, participants were concerned that cybersecurity insurance premiums may not be economical for SMEs and wondered about alternatives. Dr Yogarajah suggested that there have been changes recently and that, based on her experience, premiums have gone down quite a bit. Firms can try to mitigate risks by maintaining a clean record of past claims, exploring a-la-carte policy options, training staff to be aware of mitigation, and displaying controls to insurance companies during the purchase of insurance premiums.

Dr Yogarajah ended the session by stressing that there is no one way of doing things but firms should “assess, manage, and respond” accordingly.