By Karnoto Mohamad
BANKERS in Indonesia have opened the 2022 calendar more optimistically. The Financial Services Authority (OJK) reported that banking credit throughout 2021 has grown 5.2% with a capital adequacy ratio (CAR) which strengthened to 25.67% and gross non-performing loan (NPL) decreased to 3.00%. Restructured loans continued to slope to Rp 693.60 trillion per November 2021 with a reserve level of 14.85%.
However, bankers still have to be vigilant. According to Infobank Institute, there are two sides to the challenges for banks to face. One, in terms of assets and liabilities. Banks are still faced with the threat of a surge in the COVID-19 variant of the Omicron, normalization of monetary policy in developed countries that tighten liquidity, global demand that will trigger inflation, and tame the bomb of non-performing loans (NPL) because the relaxation of credit restructuring policies will end in time. Here the banking industry must have a strong stance to realize the loan growth plan of 7.5% in 2022.
Two, in terms of operations. Digital transformation to support effective operations to adapt to the development of the digital economy also increases the vulnerability of banks to cyber incidents. In the midst of the projected increase in the digital economy and finance, there is a threat of cyber attacks that have the potential to pose major risks to the digital banking business in the next few years. In fact, related to this cyber threat, the banking and financial services industry must be on alert.
This is because cyber attacks in the world, including Indonesia, are increasingly massive in line with the increasing variety of human activities in cyberspace. The National Cyber and Crypto Agency (BSSN) noted that attempted cyber attacks on Indonesia throughout 2021 reached 1.6 billion. Pratama Persadha, the Chairman of the Cyber Security Research Institute for Communication & Information System Security Research Center (CISSReC) estimates that the number of attacks will increase to more than two billions in 2022.
The reason is that cyber security has not become a culture in Indonesia. “The digitalization that has occurred in the government, private sector, and society has not been followed by good cyber security awareness, and the lack of cyber security education and policy makers who are blind to cyber security issues,” Pratama told Infobank.
Because most hackers have economic motives, the banking sector continues to be the main target for cyber attacks, followed by manufacturing, energy, retail, professional services, government, healthcare, media, transportation, and education. Based on data of IBM Security X-Force 2021, cyber attacks on the financial industry came from 28% server access attacks, 14% data theft attacks, and 10% ransomware attacks.
The types of cyber attacks that the financial services sector also needs to watch out for are worms, denial of service, credential harvesting, misconfiguration, spam, web scripts, BEC, RAT, to insider threats. Because, people from within the organization or company who have information about security practices, data, and computer systems can be a threat from within. While ransomware, although still the top threat in cyberspace, hackers see non-financial organizations as more profitable to attack such as manufacturers and professional services that have a lower tolerance for downtime.
Cyber attacks have resulted in huge losses. The total loss due to cyber attacks in the financial services sector globally is estimated by the International Monetary Fund (IMF) in 2020 to reach US$ 100 billion or more than Rp 1433 trillion. Meanwhile, in total for all sectors, the value of global losses caused by cyber crime, according to Cybersecurity Venture 2021, is predicted to be US$ 6 trillion in a year. In other words, there is a loss of US$ 6.4 billion per day.
Data leakage cases are still very prone to occur in Indonesia, especially in the absence of a personal data protection law. In fact, the Indonesian Police website has been hacked several times. After a group of hackers calling themselves Typical Idiot Security hacked the website in 2018 and 2019, in November 2021, a Brazilian hacker Son1x managed to break into the Indonesian Police website so that 28 thousand data was allegedly leaked and distributed for free by one of the netizens on Twitter.
Finally, in early 2022, there was a Bank Indonesia (BI) data leak after more than 200 computers were hacked by Russian hackers. The hacked data is 74 GB. There is a prediction that the hacked data is actually bigger than that because until now the hackers group is still releasing the data little by little in the dark web.
The breakdown of the cybersecurity system at BI may not result in direct financial losses to people who are consumers of financial services in Indonesia, but this is a signal for the Indonesian financial world, which is keen to accelratedigital transformation after the pandemic. Considering that financial institutions such as Bank Jatim and BRI Life were found to have experienced a data leak, it is possible that other financial institutions experienced the same incident but they didn’t reveal the information.
Because reputation and market trust are very important, financial institutions, especially banks, generally have anticipated cyber threats as part of risk management. However, IT experts warn that no system can be 100% free from cyber attacks. This is because hackers generally have enough time, resources, and passion that are greater than their targets so that they can find a way in. Therefore, it is not surprising that threat actors continue to innovate and new threats emerge. In addition to making profits, hackers also want to test whether an organization’s website security system is really safe.
The banking industry, which always faces the risk of fraud in all transaction activities, seems to be in an increasingly widespread vulnerable zone. Burglary in terms of funds is no longer in the form of counterfeiting deposits, but extends to the cyber realm. The risk of burglary is not only experienced by owners of big accounts belonging to priority banking customers, but it is also by accounts with small values belonging to savings customers who take advantage of the weaknesses of the electronic system in banking and the carelessness of the people (customers).
Because the landscape of banking services has changed from branch offices to digital service channels, banks must strengthen their fund security fortress. “Banks must fulfil the components of cyber security management, cyber risk exercise, and cyber security reporting,” said Mohamad Miftah, Research Director, OJK Research and Regulatory Department in a Webinar with a theme Supporting Banking Roadmap and Payment Transformation. The webinar was organized by Infobank Media Group and Akamai, in January. Previously, OJK had prepared a 2020-2025 Banking Development Roadmap, among which the pillars were strengthening the structure and competitive advantage of banks as well as accelerating digital transformation.
It should be noted that the banking industry is facing the era of VUCA (volatility, uncertainty, complexity, and ambiguity). The important key to facing these challenges is how banks have resilience, which is reflected in their capital and portfolio quality, as well as competitiveness, which is reflected in the cost of funds they bear. When banks were unable to boost credit growth due to weak market demand due to the pandemic and previously affected by the economic slowdown in the United States (US) and Europe, non-interest income became an important support.
According to data from Infobank Research Bureau, the contribution of interest income still dominates total banking income, although there is a downward trend. Since the banking industry has no longer enjoyed credit growth of above 20% and its net interest margin (NIM) continues to decline since 2014, banks are also trying to boost non-interest income. The contribution of interest income to total bank income has also decreased from 74% in 2018, 72% in 2019, 66% in 2020, and 63% in October 2021.
The ability of banks to achieve fee-based income is linear with the banks’ customer base and the cheap funds they have, especially savings. If a bank’s cybersecurity system is weak, the savings whose transactions are connected to the internet will become promising targets so that funds that are not needed in daily transactions will be transferred by customers to colder deposits. In fact, the current battle between banks is how to boost low-cost funds, especially savings to maintain NIM and increase commission income.
Digital transformation is a bank strategy so that the customers will not leave. However, the customers’ expecta-tions have changed. Actually, the customers’ trust to place their funds is not because of the digital factor, but rather because of the trust in the brand’s reputation, service, and security. For this reason, banks must improve prepared-ness and ensure their cyber security systems function properly, not only securing the data centre but also human resources (HR) through VPN, zero trust, and other supporting software.
It is true that banks as trusted institutions must have the courage to tell the public about the certainty of their cyber security system. The most important thing is the banks have to stay alert in various ways because hackers are also interested in testing the security systems of an organization that is touted as very secure. Because, not all hackers have economic motives. There are also hackers who just want to show off their skills and want to be praised by netizens even though taking data or accessing it without the owner’s permission is against the law. (*)