
It’s been ten years since BCBS 239 (the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting) was published in January 2013. Drawn up in reaction to the 2008 financial crash, which exposed the fact that many banks lacked consistent, accurate and timely risk data, BCBS 239 is aimed at ensuring that banks can aggregate their risk data and report on it accurately, completely and quickly, in normal times and under stress.
However, a decade on from BCBS 239’s introduction, many banks have yet to meet the regulation’s requirements in full. Meanwhile there have been shifts in the banking industry, as well as in the data and cyber security landscapes. Since the initial compliance deadline for the largest banks in 2016, banks have continued to digitise, opening new possibilities to innovate but also increasing their exposure to threats.
Almost a quarter of banks own more than five petabytes (PB) of data today. To put that into context, at a couple of megabytes per image, 5PB is roughly 2.5 billion photographs’ worth of data. Alongside this deluge of data, cybercriminals and their methods have continued to evolve, outpacing cyber security budgets. These factors make strong data protection and BCBS 239 compliance more important than ever. And it’s important to note that all industries, whether they fall under BCBS 239 or not, have experienced the same shifts in the business landscape and face the same data protection challenges.
In theory, BCBS 239’s conditions are fairly rudimentary. The regulation doesn’t mandate any overly complex, advanced cyber security; its principles are about governance, data architecture and IT infrastructure, and in practice meeting them comes down to implementing cyber hygiene to a high standard and across the whole organisation. Identity and access management (IAM), patching programmes, data logging, monitoring and audit trails, and backup and recovery capabilities are the kinds of controls banks rely on to satisfy it.
But because many banks are so vast, they have struggled to sustain these relatively basic processes to BCBS 239’s rigorous standards. A fragmented workforce, new and complex technology systems, the rise of online and mobile banking, and a deluge of data all make scaling security, even the entry-level must-haves, very hard.
Organisations outside of banking should have measures like IAM, patching and backups in place as standard. And every company – even the largest and best funded – has difficulty maintaining watertight cyber hygiene as they scale. But as the building gets larger, the foundations need to grow and strengthen concurrently.
While it might not be fashionable to focus on cyber hygiene in an age where AI and other advances in technology are opening the door to innovation in cyber security, it’s absolutely vital. We can all learn from our peers in the banking sector, which is still grappling with the regulatory requirements of BCBS 239 ten years after it was introduced.
The security profession is at the forefront of implementing and promoting security from the ground up. This might mean having frank conversations with senior management about pushing back a business-critical project while robust hygiene is ensured. Or spending budget on the less glamorous nuts and bolts of security before exploring new innovations. But getting the basics right will drive compliance, improve security and please regulators.