“Cyber threats are by essence a global phenomenon. The cross-border nature of cyber-threats requires a high degree of alignment of national strategies – regulatory and supervisory requirements and expectations.”
On 26 April 2018, Chief Policy Officer Sebastien de Brouwer participated in the 13th ASEM-EU 2018 Finance Ministers meeting in Sofia, Bulgaria. The meeting brought together the finance ministers from Europe and Asia to discuss issues of mutual interest. The ministers covered a number of topics, notably the current economic situation, digital taxation and addressing the risks and vulnerabilities of the financial system, such as cyber security.
Vladislav Goranov, Finance Minister Bulgaria
Valdis Dombrovskis, Vice-President of the European Commission
Ueli Maurer, Federal Councillor, Head of Federal Department Switzerland
Vincenzo la Via, DG Treasury, Ministry of Finance, Italy
Wolfgang Schmidt, Secretary of State, Germany
Addressing new and emerging risks in the financial system
Let me first thank the Bulgarian Presidency for its hospitality, as well as for inviting the private sector to participate in this major meeting. It fits very well with one of the main messages I would like to convey today, meaning the importance of a true, proactive and deep public-private partnership in the area of cybersecurity.
I will not report on any figures today. What is important is to understand that cyber-attacks are growing in number, size and sophistication.
While we believe that the financial sector is better prepared than other sectors, trust and security being at the very heart of financial services, it is also one of the sectors most under attack. Not only is this where the money is, but banks also hold large volumes of information about their customers. In addition, nation-states and hacktivists are also targeting the financial sector for political and ideological leverage.
The on-going digital transformation not only creates new opportunities and agility for businesses, it also significantly raises cybersecurity risks and threat levels. The increasing use of digital technologies such as the cloud, mobile, IoT and artificial intelligence in ever more areas of business and society, and the growing interconnectivity between economic actors create greater challenges on the level of security, compliance and data protection.
Bank systems’ multiple points of contact with outside parties may result in significant vulnerability to cyber-attacks and could be used as entry points for attacks targeting other parts of the financial system. The advent of open banking (as brought about by PSD2) is set to disrupt the entire financial services industry in terms of innovation and competition, but is also creating huge new challenges in terms of cybersecurity. Opening the financial system to thousands of Fintech solutions through APIs may thus trigger a new wave of cybercrime or open up new attack vectors. Exposing large quantities of personal consumer data could increase the risk of cyber-attacks, hacking and identity theft. In view of this, we cannot be complacent with security requirements in this context.
Last, but not least, cyber threats are by essence cross-border and of an evolving nature. The cross-border nature of cyber-threats requires a high degree of alignment of national strategies – regulatory and supervisory requirements and expectations.
Strengthening cyber resilience with the tools at our disposal
Although it is, of course, the prime responsibility of the banking system and banks individually to increase cyber-resilience and protect themselves against cyberattacks, we believe we all have a shared responsibility in safeguarding the resilience and integrity of systems and the trust of citizens and consumers.
First and foremost, it is important that banks have adequate governance, systems, procedures and processes in place to mitigate cyber-risk. The level of awareness in banks now appears to be high. Cyber-risk should also be the focus of regulators and supervisors. Policies should be conducive to the fight against cybersecurity. In this context, the concept of a ‘security by design’ approach appears to be interesting. Not only should banks make sure that any products or services launched are designed properly and take cybersecurity into account.
Regulators and supervisors too should ensure that each piece of legislation by default passes the test of its impact (impact assessment) on cybersecurity. Also, it is essential to increase the cyber resilience of those non-banking actors interacting with the banking sector, by upgrading their IT security, as well as ensuring that they are properly supervised.
The human firewall often remains the weakest, and we live in a very online world where the line between work, homeworking and private interaction with secure systems is becoming more and more blurred. Banks in this respect have a specific obligation to train their staff to understand the threats, look for phishing mail, look for scams, not to click on attachments, etc. In effect, banks need to contribute actively to raising awareness on issues related to cybersecurity and enhancing digital/cybersecurity skills for bank employees, but also for customers. (Digital) education should also be a shared responsibility with public authorities. Awareness-raising campaigns about cybersecurity risks should also be added to the toolkit.
Related to the point above is the importance of reconciling security with innovation: a proper balance needs to be found between the objectives of innovation and competition, but also security and data protection, and privacy, which sometimes tends to be forgotten. The Facebook case serves as a reminder. Rights, responsibilities and liabilities in terms of data access, use and sharing should be clarified and properly and fairly allocated between the diverse actors. At present, this is not the case.
Cooperation is fundamental for improving cybersecurity – perhaps one of the most important elements. Public Private Partnerships should be built, in particular, to facilitate information sharing on cyber threats, prevention and attacks after they have taken place. Once you are aware of the dangers, you can prepare. Access to threat intelligence from the authorities also appears to be essential. Closer cooperation and coordination of threat intelligence sharing across the EU financial sector, and between banks and law enforcement agencies – in both directions – is indispensable. Banks should work more closely together, but also with law enforcement agencies. More needs to be done in this area (e.g. the Carbanak case, where cooperation between Europol and banks through the EBF helped to arrest the criminals).
Cybersecurity cannot be addressed with just traditional solutions. It has to be considered as a key strategic priority and requires a collective and wide-ranging approach. The EBF is pleased that the EU Commission, supported by the European Parliament, has made cybersecurity one of the priorities in the FinTech Action Plan.
The inherent global nature of cyber threats has also made clear that international cooperation is crucial in addressing such risks. Cooperation and coordination are vital at regulatory and supervisory levels, as well as intelligence sharing and judicial cooperation. In this respect, it might be interesting to look at what was done for AML/CFT at international level. The setting up of an international independent body like the FATF might be worth considering, so as to define minimum standards, monitor the progress in cybersecurity maturity levels and judicial cooperation across countries and sectors around the world, and to acknowledge good practices. All this while urging other countries and players to improve.