South Africa’s banking sector has always been characterised by forward-thinking mindsets. As across the rest of the continent, digital platforms and services play a crucial role in offering financial services to a largely underserved or “unbanked” population.

By Monica Sasso, global financial services digital transformation lead at Red Hat

Between 2012 and 2022, the number of people in Africa who have access to banking more than doubled, from 23% to 48%, millions of whom have never visited a traditional banking branch.

And, in 2022, South Africa ranked second on the Oliver Wyman Digital Banking Index, outperforming countries such as the UK and Germany.

We have reached a point where software is the backbone on which financial service institutions (FSIs) can build their entire organisational strategy. Indeed, the global core banking software market is expected to grow to $47,37-billion in value by 2030, propelled by the adoption of new technologies and cloud-based solutions.

However, this step change requires not only enhancing a firm’s AML/KYC capabilities to keep pace with the speed that cloud-native core banking systems bring, but also thinking differently about the ever-changing security and threat landscape around its software.

That is why local FSIs need to turn their focus to software supply chain security, all in the name of security, technical capability, and compliance.

Software-as … everything

It’s easy to dismiss software supply chain security as a tool or process that exists only at the beginning and end of the software development life cycle (SDLC).

The truth is that it involves everything that touches the code from development to deployment, including network components, the developers, and the sources or projects from which the code originates.

This is incredibly relevant as, during the last few years, the use of software created outside of firms has increased significantly. It’s estimated that more than two-thirds of application code is inherited from open source dependencies.

There is also a growing volume of sophisticated technologies, such as generative AI, that are overtaking traditional solutions and that FSIs and sector regulators are now starting to feel comfortable using. But, at the same time, bad actors have access to the same modern technologies.

The attack surface is also greater today than it has ever been. To remain competitive and on the cutting edge, FSIs rely on interconnected technologies, data, and ancillary services, any of which can serve as a point of intrusion or vulnerability.

Understanding digital risks

We are all familiar with common threats such as phishing or social engineering scams where the intent is to gain unauthorised access to systems via stolen or compromised credentials.

Indeed, bad actors commonly use valid credentials to access financial service networks or systems, and they have historically proven they can compromise a software supply chain without using malware. But there is more to this than stolen login passwords.

Simply put, organisations don’t know what they don’t know. Many firms and institutions still operate in data and departmental silos and might not be aware of the impact of the decisions they have made.

Equally, the developers and control functions might not appreciate that those decisions have affected their software supply chains, and could fail to implement a control as a result.

Additionally, FSIs and the sector carry a lot of accountability and responsibility, and are subject to regulators that continuously monitor their operational risk. Therefore it is paramount to embrace the rules and go the extra mile in building supply chain resilience.

Best practices

First and foremost, FSIs need to fully comprehend their dependencies and vulnerabilities. They need their developers and teams to buy into the idea of compliance controls and the benefits they unlock, while their enforcement acts as guardrails.

FSIs should also consider their architectures and make the transition away from traditional perimeter security to zero trust. And finally, the two ends of the supply chain need to be sound, with organisations defining and managing risk from third parties.

There is an increasing focus on software bills of materials (SBOMs), which provide a machine-readable, comprehensive inventory of software components and dependencies, with licence and provenance information.

The SBOM records what went into a product; paired with build provenance, it helps an organisation establish whether the product was built properly, in the right place, and in the right way. Even if the product includes a bad dependency, the SBOM records its presence, which makes finding and addressing vulnerabilities much easier and faster.
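To show what "the SBOM records its presence" looks like in practice, the following added example (not code from the original article or from Red Hat) parses a small CycloneDX-style SBOM and matches each component against a vulnerability feed by package URL and affected version range. Both the SBOM and the feed are constructed inline for illustration; the package names and the "EXAMPLE-..." advisory identifiers are placeholders, not real packages or real CVEs.

```python
"""Match a CycloneDX-style SBOM against a vulnerability feed (added example).

The SBOM and the advisory feed below are constructed for illustration; the
advisory identifiers are placeholders, not real CVEs.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5-style SBOM with three components. The shape
# (bomFormat/specVersion/components with name, version, purl) follows the
# CycloneDX JSON schema; the package names and versions are illustrative.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "fastjson-lite", "version": "2.3.1",
     "purl": "pkg:maven/org.example/fastjson-lite@2.3.1"},
    {"type": "library", "name": "ledgerutils", "version": "1.8.0",
     "purl": "pkg:pypi/ledgerutils@1.8.0"},
    {"type": "library", "name": "tlswrap", "version": "0.9.4",
     "purl": "pkg:npm/tlswrap@0.9.4"}
  ]
}
"""

# Constructed advisory feed. Each entry names a package (purl without the
# version) and an affected range [introduced, fixed). A fixed value of None
# means no patched release exists yet. The IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:maven/org.example/fastjson-lite",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "EXAMPLE-2024-0002", "purl": "pkg:pypi/ledgerutils",
     "introduced": "1.0.0", "fixed": "1.7.0"},
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:npm/tlswrap",
     "introduced": "0.9.0", "fixed": None},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "1.8.0" into (1, 8, 0) so versions compare numerically, not
    lexically ("1.10.0" must sort above "1.9.9"). Non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Separate "pkg:npm/tlswrap@0.9.4" into ("pkg:npm/tlswrap", "0.9.4")."""
    base, _, version = purl.rpartition("@")
    return base, version


def load_components(sbom_json: str) -> Dict[str, str]:
    """Map each component's versionless purl to its version.

    Raises ValueError on a malformed SBOM so that a broken inventory is never
    silently reported as "no findings"."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX" or "components" not in bom:
        raise ValueError("not a CycloneDX SBOM")
    inventory: Dict[str, str] = {}
    for comp in bom["components"]:
        purl = comp.get("purl")
        if not purl:
            continue  # no purl means the component cannot be matched to a feed
        base, version = split_purl(purl)
        inventory[base] = version or comp.get("version", "")
    return inventory


def in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_affected(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per advisory whose affected range covers a
    component version present in the SBOM."""
    inventory = load_components(sbom_json)
    hits = []
    for adv in advisories:
        version = inventory.get(adv["purl"])
        if version is not None and in_range(version, adv["introduced"], adv["fixed"]):
            hits.append({"id": adv["id"], "purl": adv["purl"],
                         "version": version, "fixed": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(hit)
```

Run against the constructed inputs, the check flags fastjson-lite 2.3.1 (inside the affected range, fix available in 2.3.2) and tlswrap 0.9.4 (affected, no fix yet), and clears ledgerutils 1.8.0, which is past its fixed version. Matching on the package URL rather than the bare name is deliberate: the same name can exist in several ecosystems, and a feed entry for one of them says nothing about the others.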

FSIs should always consider what is best for their software supply chain resilience. They should continuously assess their current capabilities and investments, as well as embrace cross-functional delivery practices that break down internal silos and improve communication across the organisation.

Today’s IT platforms offer built-in software supply chain management features that streamline the process and automate responses to disclosed vulnerabilities.

By working with trusted vendors, South Africa’s FSIs can be assured of their software supply chain resilience and continue to innovate as a leader in digital-first banking.