AdNovum’s David Chan discusses the need to safeguard APIs as financial institutions increasingly seek to digitalise their services.
The banking and financial services industry is transforming rapidly. The push for digitalisation, accelerated by the pandemic, has prompted industry players to innovate and increasingly adopt new technology to automate and deliver higher-value services.
But while digital transformation may bring significant benefits, it does not come without challenges. Financial institutions also grapple with the need to manage their exposure to technology risks, especially as cyber threats grow increasingly sophisticated.
The urgency of this has been reflected in the Monetary Authority of Singapore’s (MAS) revised Technology Risk Management Guidelines (TRMG). Industry players should view these guidelines as an essential manual for success in the digital era.
The guidelines provide companies with a holistic approach to secure their services from the ground up, beginning with the additional guidance on the roles and responsibilities of directors and senior management.
The guidelines also emphasise the need for systems in the financial ecosystem to be subjected to monitoring, testing, reporting and sharing of cyber threats, regardless of whether they sit on-premises or in the cloud. More stringent assessments of third-party vendors and entities that access financial institutions’ IT systems are also recommended.
Urgent need to safeguard APIs
An important yet often overlooked aspect of technology risk management centres around protecting Application Programming Interfaces (APIs). APIs allow two applications to talk to each other and are the glue that holds most digital infrastructures together.
This is especially the case in the financial sector, where software applications – such as those used for statistical analysis and accounting – rely on APIs to interact, exchange data and scale up.
As stipulated in the TRMG, adequate safeguards must be established to manage the development and provisioning of APIs to ensure the secure delivery of services. This has become increasingly urgent as APIs have become a new high-value target for hackers.
In 2017, Gartner predicted that API abuse would become the most common attack seen by security teams. A 2021 report by Salt Security confirmed this fear: a whopping 91 percent of enterprise security officials had experienced an API security incident in the previous year.
APIs will continue to grow in volume and functionality as more banks embrace digital, and so will the volume and sophistication of the attacks they bear. Securing APIs, and making sure they are well defined and as efficient as possible, has therefore become more crucial than ever before.
Ensuring proper governance
A rigorous API management system can help businesses assess how their APIs should be governed, how they are being used, and defend against security risks. More importantly, a proper management system can also enable businesses to scale up their applications further.
Companies have to work with the belief that security risks and vulnerabilities can exist in any software offered by any partner. APIs are particularly exposed to these threats as they are always online, and open to queries from anyone on the web – which means complacency simply cannot be allowed.
For proper API management, companies must start with third-party API access governance, and have a well-defined vetting process that assesses the third parties’ suitability in connecting to their systems via APIs.
To do so, all the statistics associated with the use of the API must be collected and examined, and usage that is not in line with the business or technology goals must be scrutinised. This begins with logging each access session by a third party: the identity of the party making the API connection, the date and time, and the data being accessed. These records are then used to detect suspicious activity.
Doing so ensures accountability, helps to alert the company when security is breached, and captures usage trends that can improve the overall API offering.
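The kind of audit described above, as an added example that is not part of the original article or any AdNovum product: a short script that parses constructed API gateway log lines (identity, date and time, endpoint and number of records accessed), summarises usage per third party, and flags calls that fall outside each partner's approved scope. The log format, client identifiers, endpoints and scope limits are all hypothetical.

```python
"""Audit third-party API access logs against each partner's approved scope."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: one JSON object per call, as an API gateway
# might emit. The clients, endpoints and record counts are invented.
SAMPLE_LOG = """\
{"timestamp": "2021-09-01T09:00:12Z", "client_id": "acct-partner", "endpoint": "/v1/accounts/balance", "records": 1, "status": 200}
{"timestamp": "2021-09-01T09:00:40Z", "client_id": "acct-partner", "endpoint": "/v1/accounts/balance", "records": 1, "status": 200}
{"timestamp": "2021-09-01T09:02:05Z", "client_id": "acct-partner", "endpoint": "/v1/customers/profile", "records": 1, "status": 200}
{"timestamp": "2021-09-01T09:03:11Z", "client_id": "stats-vendor", "endpoint": "/v1/transactions/export", "records": 500, "status": 200}
{"timestamp": "2021-09-01T09:03:58Z", "client_id": "stats-vendor", "endpoint": "/v1/transactions/export", "records": 20000, "status": 200}
{"timestamp": "2021-09-01T09:04:20Z", "client_id": "unknown-app", "endpoint": "/v1/accounts/balance", "records": 1, "status": 401}
"""

# Approved scope per vetted third party, as agreed during vetting: the
# endpoints it may call and the most records one call should return.
# Hypothetical values for this example.
APPROVED_SCOPE = {
    "acct-partner": {"endpoints": {"/v1/accounts/balance"}, "max_records": 10},
    "stats-vendor": {"endpoints": {"/v1/transactions/export"}, "max_records": 5000},
}


def parse_log(text):
    """Parse one JSON object per line into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def audit(events, scope):
    """Return (summary, findings).

    summary:  per client, the number of calls and total records accessed,
              which gives the accountability trail the text asks for.
    findings: list of (client_id, reason, endpoint) for usage that is not in
              line with the approved scope.
    """
    summary = defaultdict(lambda: {"calls": 0, "records": 0})
    findings = []
    for event in events:
        cid = event["client_id"]
        summary[cid]["calls"] += 1
        summary[cid]["records"] += event["records"]
        if cid not in scope:
            findings.append((cid, "unvetted client", event["endpoint"]))
            continue
        allowed = scope[cid]
        if event["endpoint"] not in allowed["endpoints"]:
            findings.append((cid, "endpoint outside approved scope", event["endpoint"]))
        if event["records"] > allowed["max_records"]:
            findings.append((cid, "bulk access above approved limit", event["endpoint"]))
    return dict(summary), findings


if __name__ == "__main__":
    summary, findings = audit(parse_log(SAMPLE_LOG), APPROVED_SCOPE)
    for cid, stats in summary.items():
        print(f"{cid}: {stats['calls']} calls, {stats['records']} records")
    for finding in findings:
        print("FINDING:", *finding)
```

Run against the sample, the audit reports one partner calling an endpoint it was never approved for, one vendor pulling far more records than its agreed limit, and one caller that was never vetted at all. In practice the scope table would come from the vetting process and the log lines from the gateway, and findings would feed an alerting pipeline rather than standard output.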
In terms of security, standards for designing and developing secure APIs should also be established. These must include measures to protect API keys and access tokens, with keys and tokens revoked promptly in the event of a breach to reduce the risk of unauthorised access.
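One way to implement the key protection and revocation just described, as an added example that is not the article's or AdNovum's own code: an in-memory key store (standing in for a database) that keeps only a SHA-256 hash of each issued key, enforces an expiry, and can revoke every key held by one third party in a single step when a breach is reported. The class and method names, and the `demo()` scenario, are hypothetical.

```python
"""Issue, validate and revoke API keys; the plaintext key is never stored."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class ApiKeyStore:
    def __init__(self):
        # key_hash -> metadata. Storing only the hash means a leaked copy of
        # this table does not hand out usable keys.
        self._keys = {}

    @staticmethod
    def _hash(raw_key):
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, client_id, ttl_days=90, now=None):
        """Create a key for a vetted client; the plaintext is returned once."""
        now = now or datetime.now(timezone.utc)
        raw = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._keys[self._hash(raw)] = {
            "client_id": client_id,
            "expires_at": now + timedelta(days=ttl_days),
            "revoked": False,
        }
        return raw

    def revoke_client(self, client_id):
        """Breach response: revoke every active key held by one third party."""
        count = 0
        for meta in self._keys.values():
            if meta["client_id"] == client_id and not meta["revoked"]:
                meta["revoked"] = True
                count += 1
        return count

    def authenticate(self, raw_key, now=None):
        """Return the client_id for a valid key, or None.

        Unknown, expired and revoked keys all fail the same way so the caller
        learns nothing about which case applied.
        """
        now = now or datetime.now(timezone.utc)
        presented = self._hash(raw_key)
        match = None
        for stored_hash, meta in self._keys.items():
            # Constant-time comparison of the hex digests.
            if hmac.compare_digest(stored_hash, presented):
                match = meta
        if match is None or match["revoked"] or now >= match["expires_at"]:
            return None
        return match["client_id"]


def demo():
    """Walk through issue, use, expiry and revocation at fixed times."""
    store = ApiKeyStore()
    t0 = datetime(2021, 9, 1, tzinfo=timezone.utc)
    key = store.issue("stats-vendor", ttl_days=30, now=t0)
    return {
        "valid": store.authenticate(key, now=t0),
        "wrong_key": store.authenticate("not-a-real-key", now=t0),
        "expired": store.authenticate(key, now=t0 + timedelta(days=31)),
        "revoked_count": store.revoke_client("stats-vendor"),
        "after_revoke": store.authenticate(key, now=t0),
        "revoke_again": store.revoke_client("stats-vendor"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The revocation step is deliberately per client rather than per key: when a partner reports a compromise it is rarely clear which copy of which key leaked, so everything issued to that partner is cut off and re-issued. Short expiries limit the window during which an unreported leak remains usable.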
Finally, businesses should also take a close look at the data they collect. Regular data cleansing removes outdated and inaccurate information, improving data quality and productivity.
Holding on to unnecessary data can also be a trap. Privacy regulations like the General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA) prescribe hefty fines for organisations that allow data to be compromised.
Therefore, it is important for businesses to perform scheduled data housecleaning to regularly flush information that they do not need, and focus on protecting only useful data.
Driving business value
For financial institutions leveraging digital services, the ability to scale a system or software quickly is imperative and can determine organisational success. Having a well-thought-out API management strategy can provide greater visibility into the APIs that connect into a bank’s applications, while simultaneously maximising and scaling the capabilities of current services.
While compliance with the TRMG is not a legal requirement, businesses that do comply can showcase this to clients to gain an advantage over competitors. A secure and resilient system that is compliant with the TRMG may well be the deciding factor that leads a customer to choose a company’s service.
Equipped with a proper API management approach, financial institutions can continue to accelerate their digital transformation, maintain a competitive edge, and prepare themselves for the future.
David Chan is Managing Director at AdNovum Singapore.