The European Banking Authority (EBA) has placed cybersecurity high on its agenda for 2017. Slavka Eley, head of the EBA supervisory convergence unit, and Lot Anné, one of the unit’s banking experts, outline the potential pitfalls of modern-day technology and how industry players can join forces to tackle the problem of cyberthreats.
Cyber and information-security risk is a complex challenge for financial institutions, which have to contend with the rising threat of intruders trying to gain unauthorised access to their critical systems and data. Cyberrisks are growing more diverse as they increase in sophistication, frequency and persistence. Institutions face potential operational, legal and reputational risks related to cyberincidents, including business interruptions, data and software loss, cyberextortion, cyberfraud, breach of privacy, network-failure liabilities and damage to physical assets, all of which can result in monetary losses. With the increased digitalisation of banking, financial institutions are becoming more intertwined and dependent on computer networks. An insufficient level of protection against cyberincidents and a failure of critical IT infrastructure could lead to major damage in individual financial institutions and potentially in the financial market. This explains why cybersecurity is high on the agenda of policymakers, regulators and supervisors of the financial sector.
In order to develop appropriate responses to address the present and growing risks related to cybersecurity, it is important to understand the specific nature of cyberrisk.
First of all, cybersecurity is a fast-moving target. Cyberthreats and vulnerabilities evolve rapidly, and financial institutions are continually challenged by the changing landscape. For this reason, on top of focusing on the immediate cybersecurity issues of today, financial institutions also have to prepare for what is coming next. It is vital for specialists to know their enemy and be aware of the latest threats, vulnerabilities and trends in cyberattacks. Therefore, continual training and sharing of information between different players are important. Pooling these insights can deepen the collective understanding of how attackers may exploit sector-wide vulnerabilities that could potentially disrupt the financial system. Some industry initiatives facilitating information-sharing between financial institutions following incidents already exist. Supervisors can also play a role in creating pooled knowledge on threat indicators, how vulnerabilities are being exploited and the emerging methods used by attackers.
Cybersecurity is a multifaceted challenge. There are multiple entry points through which a financial institution can be compromised. Therefore, it is important for financial institutions to cooperate and communicate with other stakeholders, including service providers, customers and other financial institutions, in order to enhance the resilience of the individual institutions and their ecosystems. Similarly, supervisors need to liaise with non-banking authorities, such as consumer-protection, data-protection and privacy authorities, to adequately grasp the entire scope of the issue.
Control the contagion
Due to the high and increasing levels of interconnectedness and digitalisation in the financial sector, there is a serious risk of contagion in cybersecurity. A financial institution can itself become a channel to further propagate cyberattacks; for example, through the distribution of malware to interconnected entities. Other sectors, such as energy and telecommunications, present external dependencies and can be a source of cross-contagion. Therefore, it is important for financial institutions and supervisors to consider developments in these sectors as part of any review process.
Cybersecurity is a global issue, since digital services connect across various countries. Collaboration, cooperation and convergence are thus required between authorities within the EU and at the global level. The challenge for policymakers and supervisors is to ensure efficient frameworks to bolster cyberdefences, avoiding gaps and unnecessary duplication, and ensuring consistency. They also need to establish streamlined networks for information sharing and incident reporting, obviating unnecessary reporting burdens and overlaps in requirements for financial institutions to report to multiple authorities.
Finally, cybersecurity is more than just IT; it concerns not only systems but also people and processes. Financial institutions should cover these factors as well, rather than limiting their cyberresilience framework to securing the viability of their IT operations. The human factor is often underestimated, but employees can play an important part in the cyberthreat, whether intentionally or not. With regard to cybersecurity, the devil really is in the detail, and that is why training, and creating and maintaining awareness around cybersecurity throughout the organisation, is crucial. Raising awareness demands a degree of upskilling in the organisation, including at the level of the board, which is ultimately responsible for setting the cyberresilience framework and strategy and, thus, the institution’s tolerance for cyberrisk. Active involvement of the board and senior management is instrumental in building resilience. It is important that supervisors treat cybersecurity from a broader perspective than if it were a purely IT-related risk, and ensure understanding and communication between IT supervisors and line supervisors in this respect.
Cybersecurity is a journey, not a destination. It is a process that moves through different phases, building and strengthening itself along the way. The measures and controls can broadly be divided into two categories. The first category of measures is focused on preventing an incident; the second category contains all the measures to be taken in case such an incident does occur, including precautions for the detection, response and recovery phases. The dynamic growth of new threats and the discovery of potential vulnerabilities require timely adjustments to the controls in the prevention, detection and response cycle. Lessons learned during the response phase feed back into the planning of prevention measures and detection configurations.
There are several security measures that can be taken by financial institutions to prevent cyberincidents. Apart from creating awareness and educating employees, precautions include security policies, controls and processes; for example, security protection of the IT boundaries and critical assets, firewalls, internet gateways, secure configurations, access controls, malware protection, traffic scrubbing and patch management. Since the networks of financial institutions are often highly complex and fragmented, institutions need to make an inventory of their full network perimeter and scan it for vulnerabilities. Preventive measures also include penetration tests to identify any security weaknesses or vulnerabilities in the systems and applications. They form the link between the detection and response phases since they also test the institution’s ability to detect and adequately respond to any breaches.
Penetration testing can be organised by financial institutions, but it is also increasingly used by supervisory authorities in the form of ethical hacking to complement other tools to assess the cybersecurity framework of institutions.
The use of ethical hacking, which is mostly executed by independent expert specialists, enables supervisory authorities to effectively assess the overall strength of the organisation’s defences, and its ability to detect and respond to incidents. It also enables supervisory authorities to acquire cross-industry insights that can be used to create awareness with other financial institutions or address common problems at the relevant providers.
Whereas ethical hacking tests are typically performed for larger financial institutions, the challenge of how to organise such tests for smaller institutions in a proportionate manner remains. Going forward, solutions could include automating part of the penetration testing using intelligent technology. Another important challenge for supervisors in the context of penetration testing is cooperation with foreign supervisors to effectively cover the assessment of cross-border interconnections of banking groups.
Currently, there is still room to standardise the process of penetration testing organised by supervisors. Comparable standards for ethical hacking that can be recognised across borders could be a solution for supervisors and institutions to make the process more efficient and avoid duplications. International standardisation of penetration testing could potentially pave the way for common tests carried out at the EU level, which would be more effective and less costly.
It is important for financial institutions to have adequate measures and controls in place for the detection of a cyberincident, and subsequent response and recovery. Timely detection is critical. Institutions can use several tools, such as multilayered controls, to enable early discovery of potential or actual cyberincidents. These include intrusion-detection systems strategically placed at network and application levels to monitor system activity, and notify when activities warrant further investigation.
Early recognition of incidents facilitates the response process in case of an actual cyberincident and supports the information collection for forensic investigation. The response to a cyberincident should be planned well in advance. The response plan would include measures for incident management and reporting, mitigating actions such as a shutdown or workaround solutions, and crisis management and communication with stakeholders. Supervisory practices in the response phase typically include the requirement for institutions to report cyberincidents to their supervisor. It would be beneficial for the financial sector to have a single point of contact for this reporting, where all knowledge can be pooled, and shared to promote awareness for institutions and supervisory authorities.
In line with its mandate to ensure effective and consistent prudential regulation and supervision across the sector, the European Banking Authority (EBA) has undertaken several initiatives to promote the convergence in IT-related supervisory practices in the EU for payment services and financial institutions, including in the field of cybersecurity.
In the area of payment services, the EBA has issued guidelines on the security of internet payments, and recently completed the standards on strong customer authentication and secure communication under the revised Payment Services Directive (PSD2). The EBA is also finalising guidelines on the reporting of major incidents under PSD2, and is working on guidelines on the security measures for operational and security risks of payment services.
In the area of credit institutions and investment firms, the EBA is finalising the ICT risk-assessment guidelines for supervisors, which cover the supervisory assessment of ICT governance and strategy, and the ICT risk exposure of institutions, including exposures related to cyberrisk. It is also in the process of completing guidance on cloud outsourcing, a service increasingly being used by institutions. This guidance includes key security expectations and attention points for financial institutions that are outsourcing services to cloud service providers. Based on the takeaways of the workshop organised with the industry in 2016, cybersecurity was put high on the agenda of the EBA work programme for 2017. The goal of the programme is to achieve further convergence in supervisory expectations and practices for cybersecurity in the EU, and to move forward with the topics of incident reporting and penetration testing. This would involve issuing additional guidance where needed and extending training activities for supervisors in the area of IT supervision and cybersecurity.