Present wherever its customers are
DNB is Norway’s largest financial services group and one of the largest in the Nordic region in terms of market capitalization. The group offers a full range of financial services, including loans, savings, advice, insurance, and pension products for retail and corporate customers.
Need to protect financial services
Banks provide such vital services that they must do everything in their power to eliminate or reduce their exposure to risk. If banking systems go down it can have a devastating effect on individual customers, businesses, or entire countries.
Whether it’s ensuring IT uptime, vetting third-party trading partners, or protection from external cyber-attacks, the need to identify and mitigate vulnerabilities is a daunting task. This is certainly the case for DNB, with an annual IT spend of more than €500m, and which has around 50 service owners handling nearly 1,000 IT-related applications, data centers, and cloud infrastructures.
In the highly regulated financial services world, DNB also needs to protect its 11 banking and financial products licenses by proving compliance with watchdogs such as Schrems II, Basel III, and NIST.
“If we had a security breach and a data intrusion it would be devastating for our reputation. We could lose our licenses to operate and get incredibly large fines, and customers might go elsewhere,” says Anne Kristine Næss, Enterprise Architect for the ServiceNow platform at DNB.
Managing risk is high on the DNB agenda, but the bank found it was impossible to do this complex job manually, using Excel spreadsheets. Too much time was taken up and when data became available, it was often stale.
The Basel III regulatory accord and the capital requirements related to DNB’s risk posture means that the bank must also put aside large sums each year as a contingency should things go wrong. The bank wanted more control of its risk and to be able to lower its risk posture to reduce capital requirements, allowing the bank to invest this money into more profitable activities such as building new digital products and features that match customers’ ever-growing expectations.
Risk mitigation based on current data
“We needed a tool that could provide us with a hierarchy where we could link nodes and deliver results that are of interest to different frameworks,” says Kristine. “We also needed to prove that policies are being adhered to which required task management so people could collect live data, see what is going on, and then do something about it.
“We have not been able to get rid of Excel entirely, but people now see that it is better to trust the data in ServiceNow than trusting their spreadsheets.” Already the user of many other ServiceNow solutions, DNB implemented ServiceNow Integrated Risk Management to manage risk for both internal services and threats from third parties.
The Software Asset Management (SAM) module and Vulnerability Response are used to track vulnerabilities around software assets which may be reaching end of life or need patches and upgrades. In this way DNB can ensure that information in its Configuration Management Database (CMDB) is correct and service owners have indisputable data to support funding for patches and other activities that make services secure.
ServiceNow Security Incident Response simplifies the identification of critical incidents and provides workflow and automation tools that speed up remediation. This enables the bank to learn from what has caused trouble in the past and add to its risk posture.
“I would also like to mention the DevOps module and the upcoming DevOps configuration where you can check code increments before they are deployed and go into production,” says Kristine. “This meets risk policies like NIST and ensures that more teams are working to best practice DevOps and providing an audit trail for us.”