Our Insights

Decoding cybersecurity

Global threats require global defences

In order to defend against increasingly sophisticated cybersecurity threats, the global financial sector is seeking to increase the sophistication of prevention tactics with the adoption of a more interconnected approach to mitigating cyber attacks.

In the current environment, when one institution suffers an attack, the consequences have the potential to reverberate globally. As a result, international oversight bodies are expected to continue to push for greater coordination and cooperation between institutions and jurisdictions.

While stakeholders may have varying concerns, approaches and considerations in relation to data security, all stand to benefit from a global effort to thwart organized cyber threats. A top priority for independent institutions, as well as international governing and oversight bodies, will be the building of a more comprehensive set of global cybersecurity standards that will apply to the financial sector.

Stakeholders around the world stand up

In an effort to enhance cross-border cooperation on global financial matters, the Financial Stability Board (FSB), through a survey, assessed the cybersecurity practices of its 25 member jurisdictions, as well as nine international body members and the G7 Cyber Expert Group. To gain a deeper understanding of the state of global cybersecurity standards, the FSB also conducted a workshop with 29 participants from across the financial sector and related industries. The results of this stocktake were released through a summary report and a detailed analysis in October 2017.The results were then delivered to a meeting of G20 Financial Ministers, as well as central bank officials in Washington, D.C.

The FSB cautions that the threat of cyber attacks are increasing and have the potential to disrupt the global financial system and compromise global financial stability. The FSB further notes that such threats are becoming more serious due to evolving technologies, the growing interconnectedness of global financial institutions, and external parties. It also acknowledges that cyber criminals are becoming more innovative in their methods of attack.

The FSB cautions that the threat of cyber attacks are increasing and have the potential to disrupt the global financial system and compromise global financial stability

Based on the growing sense of urgency and potential scale of these disruptions, authorities across the globe are taking regulatory and supervisory steps to mitigate these risks, as well as establishing best practices for financial institutions when responding to or recovering from cyberattacks.

While often grounded in the same principles, independent regulatory and oversight bodies have produced their own standards, best practices and requirements to suit their unique challenges, resulting in some discrepancies between jurisdictions in approaches to confronting cybersecurity concerns.

An integrated financial system requires an integrated cybersecurity approach

The FSB stocktake noted that while many regulators and oversight committees are experiencing similar challenges, they often apply different solutions. It also stated that standards not only varied between jurisdictions but found that some jurisdictions had as many as 10 different sets of rules in relation to cybersecurity for financial services providers.

The stocktake also found that all FSB members are “drawing upon a small body of previously developed national or international guidance, or standards of public authorities or private bodies in developing their cybersecurity regulatory and supervisory schemes for the financial sector.” In spite of drawing on similar resources, however, it concludes that the end solutions can vary widely.

The report identified a number of key requirements that differed and even potentially conflicted between jurisdictions, including the timeframe required to notify regulators, penetration testing requirements, governance, data leakage protections, two-factor authentication requirements, and privacy law.

Furthermore, the report noted a lack of uniformity in preferred approaches. While two-thirds of regulatory schemes reported adopting a targeted approach to cybersecurity and information technology risk, one-third addressed operational risk in a more general manner. 

In spite of these discrepancies, however, the stocktake revealed a wide-ranging interest in evolving practices among participants, adding, “Seventy-two percent of jurisdictions report plans to issue new regulations, guidance or supervisory practices that address cybersecurity for the financial sector within the next year.”

Jason Hall, Vice President, Group Risk Management, Cyber and Technology Risk Management, at RBC, agrees that an integrated approach is key to fortifying cyber defences and ensuring greater protection. “We need to continue working with our regulators to focus on the big picture. It’s not about one institution or one jurisdiction. With the interconnectedness of our global financial markets, an attack in one jurisdiction can have global implications. Our common goal needs to focus on building cyber resiliency into our global financial markets.”

The FSB stocktake makes it clear that views on the most effective approach to improving cybersecurity are far from consistent, with preferred methodologies ranging from international standards to principles-based supervision at the board level and senior management. Participants were in agreement, however, in their support for a principles-based, risk-based and proportional regulation, as well as co-operation between firms and regulators. However, they advocated against prescriptive regulation and a compliance-focused approach. This was especially true of larger firms with highly sophisticated internal cybersecurity teams, who suggested that such an approach could provide a roadmap for criminals and might stifle development of more effective cybersecurity practices by industry participants.

Participants of the stocktake also expressed concern for well-intentioned requirements that ultimately fail to enhance cybersecurity, such as encryption requirements which could limit their ability to search for potential threats, as well as a requirement to establish a “risk appetite,” which does not have a clear definition in a cybersecurity context. They also expressed concern about testing from outside the firm as it could disrupt networks and provide a gateway for attackers. Participants were also reluctant to provide regulators with details on cybersecurity prevention tools preferring not to have such information stored in authorities' databases.

Many, however, expressed support for basic prescriptive regulation of cybersecurity hygiene, which could act as a primary standard for small firms and a foundation for larger ones.

Stakeholders only consistent in their call for consistency

One of the key themes the FSB focuses on is information sharing and awareness. The results of the stocktake suggest that a revised approach to information sharing and awareness can be instrumental in preventing increasingly sophisticated attacks in an ever-changing landscape. The FSB recommends the steps that financial institutions should take in order to update their processes, increase their awareness of risks and enhance their ability to prevent or handle a breach. While participants broadly agreed with this approach, they did not discuss in detail who would be responsible for sharing this information.

“Private sector participants did note that information exchange between the private and public sectors is an important aspect of the public-private partnership, with some noting that information sharing should be permissive and protected, but not mandated,” the FSB’s summary report notes.

The importance of information sharing to help prevent cyber attacks in the financial industry has already been widely acknowledged by security specialists.

According to PwC’s recent Technology 2020 and Beyond report,2 while the traditional approach has been effective in the past, a more globally integrated and technology-based financial system requires new cybersecurity solutions.

A revised approach to information sharing and awareness can be instrumental in preventing increasingly sophisticated attacks in an ever-changing landscape

“Many financial institutions still rely on the same information security model that they have used for years: one that is controls and compliance-based, perimeter-oriented, and aimed at securing data and the back office,” PwC notes in the report. “But information security risks have evolved dramatically over the past few decades, and the approach that financial institutions use to manage them has not kept pace.”

The report further outlines how threats and attacks were once more predictable and security could be built around preventing traditional modes of attack. It explains that organizations today can no longer guard against a single class of threats, as an entirely new attack vector could emerge at any time, emphasizing the importance of information sharing among industry stakeholders.

As a result, according to the PwC report, “the true goal of cyber risk management is to build resiliency. You need to make sure that your systems and operations are designed to detect cyber threats and respond to cyber events, so you can limit any business disruption or financial losses.”

Furthermore, as a sector that manages significant financial resources, which is appealing to cyber attackers, the approach adopted by financial institutions needs to be robust and secure.

As summarized in the report, “A financial institution's cyber risk management program should be one of many components of the overall business risk environment that feeds into the enterprise risk management framework.”

Deploying state of the art defence systems

Though the threats are becoming more sophisticated, so are the defence mechanisms. For example, financial institutions can deploy state of the art data mining tools to detect anomalies in security and fraud applications. "With a structured approach to cyber-security, financial institutions will also be more prepared as threats evolve. This will help them to avoid financial damage, negative publicity, and loss of customers' trust, any of which could have catastrophic effects," recommended the report.

Though the threats are becoming more sophisticated, so are the defence mechanisms

In addition, companies are turning to training exercises such as cyber war games to test their response to data integrity attacks and attacks centered on data manipulation rather than theft or deletion. Robert Hannigan, the former director of the UK’s government communications headquarters, remarked at an FT cyber security summit that “attacks on data integrity will be the “next big threat after ransomware.”3

One significant barrier that remains for many financial institutions is a shortage of qualified talent, both in private and public sector institutions. According to the PwC report, "Financial institutions are starting to realize they will need talent with very different skills by 2020". This was a sentiment echoed by the FSB stocktake. “Private sector participants also noted the need for better training of supervisory examination staff, while acknowledging that it is difficult for governments to compete with the private sector in attracting and retaining trained cybersecurity professionals."

Cybersecurity now a cross-border issue

In order to address the growing threat of significant cyber attacks against an increasingly integrated global financial system, the financial industry needs to consider developing a set of international security standards.

The financial industry needs to consider developing a set of international security standards

The FSB's stocktake demonstrates how regularity and supervisory practices are broadly consistent but a lack of uniformity leaves room for vulnerabilities which could be easily exploited by sophisticated cyber criminals. While harmonization of cybersecurity protocols and regulation is a complex task, financial industry participants acknowledge the importance of developing greater alignment given the possible consequences to financial stability worldwide.

RBC to open a cybersecurity lab and fund new research at the University of Waterloo

On January 29, 2018, the Royal Bank of Canada announced it is opening a cyber security lab and investing CAD 1.78 million into research at the University of Waterloo to develop advanced cybersecurity and privacy tools. Online malicious attacks and botnets have become increasingly sophisticated and targeted as people share more and more personal data online. Security teams are often working within legacy hardware systems, across international borders with varying restrictions, and need to prepare for the post-quantum threat. Researchers are poised to create new solutions beyond the current infrastructure, the current encryption systems and the current computing capabilities. Further information is available here


You may also like

July 18, 2017

Fintech and cybersecurity

 

Sources

  1. Financial Stability Board (October 13, 2017) Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices
  2. PwC (October 2016) Financial Services Technology 2020 and Beyond: Embracing disruption
  3. FT (January 7, 2018) Companies test defences against new cyber crime threat