Securing Digital Frontiers through Cyber Risk Management

Wahyu Agung Prasetyo, It And Cyber Risk Management Head, Bank Meg

Wahyu Agung Prasetyo is a seasoned professional in the field of IT and cyber risk management, currently serving as the head of this division at Bank Mega in Indonesia. With a wealth of experience, he oversees and monitors the risk perspective of various digital initiatives within the bank. He navigates challenges posed by emerging technologies and regulatory requirements, ensuring robust cyber risk management practices. His expertise lies in implementing measures across people, process, technology, and governance dimensions to safeguard digital assets and enhance user safety. With a proactive approach and strategic insights, Prasetyo is instrumental in fortifying Bank Mega's defenses against cyber threats.

In an interview with APAC CIOoutlook, Prasetyo sheds light on regulatory scrutiny and tackling AI-powered cyber threats while emphasizing the importance of fostering a cybersecurity culture across the banking sector.

Can you outline your key roles and responsibilities at Bank Mega?

My role falls within the second line of defense among the banking industry's three lines of defense model. It focuses on overseeing and monitoring the risk perspective of the first line, which encompasses IT and digital initiatives brought forth by the business side. This involves monitoring IT initiatives, digital products, services, and technological aspects within the bank.

What are some of the current challenges in the industry?

The emergence of new technologies accelerated by digitalization has significantly impacted the need for cyber risk management in Indonesia's banking sector. There are several emerging developments that influence our ability to effectively meet business needs. However, a major challenge is the increasing sophistication of cyber threats empowered by AI. While technologies prove advantageous for threat detection and prevention, attackers are leveraging machine learning and deep fake technologies to exploit vulnerabilities, impersonate customers, and abuse systems.

For example, we use live detection in our mobile banking onboarding systems. However, we must implement robust and advanced technology to counter potential threats posed by deep fake AI. Regulatory scrutiny, particularly from entities like Otoritas Jasa Keuangan, requires banks to adapt strategies to comply with evolving regulations while maintaining business agility. For instance, we need to implement thorough and ethical simulations to comprehensively understand the tools and methods used by attackers. This requires significant investment as we need to understand the current tactics employed by them.

What innovative developments in cyber risk management do you anticipate will ensure user safety?

Cyber risk management involves four key dimensions, which include people, processes, technology and governance. The focus is fixed on raising awareness and fostering a security-focused culture among customers, emphasizing secure practices like protecting PINs and being vigilant against fraudsters by contacting via various channels like phone calls, messages, WhatsApp or emails.

• Increased awareness and education: companies should work with educational institutes to raise awareness of the cyber security career path and the required skills. This can be done via career talks, placements, internship programs, and mentorship programs. Have a few role models to show them what success looks like; this will definitely raise the student’s interest.

Deployment Of Detection Systems Helps In Identifying Unauthorized Devices Or Malware And Prevents Risky Transactions

On the process side, measures like zero-trust steps are implemented in mobile banking applications to minimize risks. For example, it is essential to verify the authenticity of the recipient when initiating a top-up or transfer. Payments should only proceed if the recipient's details are confirmed. Users can further authenticate transactions by receiving OTPs on their registered phone numbers and inputting them into the application. This process helps mitigate risks associated with mobile banking.

Technologically, the deployment of detection systems helps in identifying unauthorized devices or malware and prevents risky transactions. Proper governance ensures compliance with regulatory standards, integrating cyber risk into overall business risk management strategies.

Can you discuss the key aspects of a recent project you have been involved in?

We highlight the importance of initiatives like enhancing incident response capabilities. This offers mutual benefits for IT and risk management and also enables effective communication on the business side. It allows us to promptly identify and address any digital impersonations of our products or services in the public domain. Detecting these instances early on minimizes the risk of attackers exploiting them to harm our customers. Through proactive monitoring, we can respond to potential threats, akin to a cat catching a mouse.

We also collaborate with global third parties to remove unauthorized applications and report them to regulators. Strengthening incident response capabilities involves conducting tabletop exercises and optimizing communication protocols to ensure swift responses. Employee security awareness training is crucial to establish a baseline for safeguarding both our employees and customers against fraudulent activities.

What is your sage advice for professionals in similar roles across companies?

It is crucial to foster a culture of cybersecurity risk awareness across all levels of the organization. This involves ensuring everyone understands that cybersecurity is part of business risk and not solely a technological concern. Regular self-assessment and simulation exercises are essential to gauge our readiness and identify vulnerabilities. Staying updated on the latest threats and collaborating with industry peers and regulators are key strategies to effectively mitigate cyber risks.