- 20 Marks
Question
In an age of increasing cyber security concerns and the obligation to comply with the Data Protection Act 2018, the Board and management of Banks must focus on information risk.
(a) Discuss at least five (5) objectives of an information risk policy of a bank. (10 marks)
(b) Discuss any five (5) risks prevalent in the information technology space of a bank. (10 marks)
Answer
With extensive experience in compliance and risk at Ghanaian banks like Ecobank Ghana, I note that information risk management is pivotal under the BoG’s Cyber and Information Security Directive 2020, which mandates robust policies to safeguard data amid rising cyber threats. The Data Protection Act, 2012 (Act 843, amended 2018) requires banks to protect personal data, with non-compliance leading to fines or reputational damage, as seen in global breaches like the 2021 SolarWinds incident and local increases in 2025 phishing attacks.
(a) Objectives of an Information Risk Policy (10 marks)
A bank’s information risk policy, aligned with BoG directives and ISO 27001 standards, aims to establish a framework for identifying, assessing, and mitigating risks to information assets. Key objectives include:
- Protecting Confidentiality and Integrity: Ensure sensitive data (e.g., customer accounts) remains confidential and unaltered. For example, at GCB Bank, encryption protocols prevent unauthorized access, complying with Act 843’s data minimization principle.
- Ensuring Availability and Resilience: Guarantee uninterrupted access to critical systems, vital for operations. In 2025, Stanbic Bank Ghana implemented cloud-based redundancies to mitigate downtime from cyber incidents, supporting business continuity under BoG’s BCM guidelines.
- Compliance with Regulatory Requirements: Align with BoG directives and international standards such as the GDPR. This objective drives annual audits, as in Access Bank’s compliance programs, avoiding sanctions like those imposed for weak IT governance.
- Risk Identification and Mitigation: Proactively identify vulnerabilities through risk assessments and implement controls like firewalls. Practically, Ecobank uses AI-driven threat detection in 2025 to address threats, reducing breach likelihood.
- Promoting Awareness and Culture: Foster a risk-aware culture via training, as per the Corporate Governance Directive 2018. Banks like Fidelity conduct mandatory cyber training, embedding risk management in daily operations to prevent insider threats.
(b) Prevalent Risks in the Information Technology Space (10 marks)
Banks face multifaceted IT risks, exacerbated by digital banking growth under Act 987. Five key risks include:
- Cyber Attacks (e.g., Phishing and Ransomware): Malicious attempts to steal data or disrupt services. In Ghana, 2025 saw a surge in ransomware targeting banks, leading to losses; countermeasures include multi-factor authentication.
- Data Breaches and Leakage: Unauthorized disclosure of customer data, violating Act 843. A 2024 incident at a local bank exposed details, resulting in BoG fines; encryption and access controls mitigate this.
- System Failures and Downtime: Hardware/software malfunctions causing operational halts. Frequent power issues amplify this; redundant systems, as at Stanbic, ensure resilience.
- Insider Threats: Employees or vendors misusing their access. Poor HR controls heighten this risk; Ecobank’s protocols address it.
- Third-Party Vendor Risks: Outsourcing to fintechs introduces vulnerabilities. A 2025 vendor breach affected a bank; due diligence on vendors is essential.
Together, these objectives and controls strengthen trust and efficiency in modern banking and reduce the likelihood of incidents such as the global breaches noted above.
- Topic: DATA PROTECTION
- Series: JULY 2020
- Uploader: Samuel Duah