EUIST


UBS IT infrastructure fails – can we learn anything from this event?

November 24th, 2006 · 2 Comments ·

Recently we published a security guide with tools and tricks advising users on how to do safer online banking:

CyTRAP Tip – CT210013 – CT220014 – Mehr Sicherheit im Online Banking – 10 Commandments for more security when doing online banking

The trend to maximize profitability has, for most banks, resulted in IT services being outsourced offshore, which has again increased the risk of consumers having their identity stolen:

India and outsourcing – we have your financial details

In some cases, banks have decided to offshore services, but these are handled by the bank’s own organization and not by a third party.

Trend – outsourcing or just the more efficient allocation of resources by Credit Suisse?

But recently infrastructure issues have come to the forefront, not just where services are located in far-away places but, just as importantly, in key markets. Infrastructure hiccups do affect the reliability and dependability of services offered to clients.

To illustrate, on Monday, 2006-11-20, UBS Switzerland had a power failure that began at 10:00 and ended around 14:15 for some and around 16:00 for others.

_What services were affected?_

During the above hours the following services failed to work:

– UBS’ 1000 Automatic Teller Machines (ATMs are called Bancomat in Switzerland) worked off-line only (this meant that while customers were able to withdraw cash, other requests could not be processed);
– e-banking or internet banking (offline during those hours); and
– payment transfers and other services (wealth managers had to call their customer rep. inside the bank so he or she could book their trade; confirmation was sent to clients by fax instead of the usual electronic means).

On 2006-11-22 some of the facts about the shut-down were still being sorted out, according to Rudolf (Ruedi) Buergin (UBS – Zurich – media relations). But today, Friday, 2006-11-24, we got more details from Rene Lins (UBS project manager IT), and if you are in charge of critical infrastructure, you should read the more _technical details_ about this:

_What triggered the power failure?_ (click on Login as a guest to get free access)

It appears that the redundancy services put in place (in particular fault-tolerant power, as well as uninterruptible power supplies – UPS) worked fine, but one of those low-probability events occurred that required a shut-down to prevent an even greater disaster.

_Can we learn anything from this event?_

1. Large-scale systems are hard to manage and represent a risk that one should possibly not take. This means it is wise, and good risk management practice, to have several IT centers in different locations to reduce risks (i.e. have one center with one type of application, such as e-banking, go offline but not several, as happened with UBS).

2. UPS set-ups such as the one UBS used are prone to synchronization problems when they are put on-line again after a shut-down.

3. Globalization makes the ideal point in time for turning systems of any kind on or off an elusive concept. In fact, somebody, somewhere requires the service regardless of when things get turned off or turned on.

4. To further minimize the risk regarding power supply problems, however, huge additional investments are required according to Rene Lins (UBS project manager IT). Unfortunately, whether such additional investments would achieve risk levels far better than those currently achieved can be questioned.

5. Related to the above four points, from a business continuance perspective it also boils down to:

how much damage such interruptions of service will do, and in this case have done, to business operations

This is a decisive factor used to decide if such additional investments should be authorized. We dare to suggest that the fall-out for UBS is limited as we have outlined here:

Business continuance at UBS challenged – fall-out limited

It follows that the reduction in residual risk achieved by putting additional effort into redundant power systems is questionable. In turn, further investments are of limited value to C** level executives. Nonetheless, even if one uses the latest technology, this neither implies nor assures that risk management is at its best.

_PS1._

The first UBS e-banking efforts were apparently started at its Wolfsberg think tank during the early part of 1997. E-banking has come a long way since then.

_PS2._

The e-banking website as well as the press and media corner at the UBS.ch page had no detailed information posted about the service cut-off. Nor did private or corporate customers receive mail explaining what had happened and apologising for the event.

_PS3._

As a corporate client, does this make you more comfortable with how UBS handles these types of risks?

What do HSBC, UBS, the Bank of England and others have in common?

You be the judge… But the recent mishap with online banking in the UK (see above) suggests that customers should be careful. And while the infrastructure may represent the latest technology, as UBS assures us, this does not guarantee that systematic risks are handled most effectively. It all depends on how convinced C** level managers are that this is a vital issue for business operations. The lack of public outcry (e.g., media) and customer complaints regarding this power outage and service shut-down would suggest that UBS is doing just fine.


