Cyber Resilience
A central bank’s perspective
Rajko Sekulović, CISA, CISM, Central Bank of Montenegro
Cyber Resilience definition: the ability to anticipate, absorb, adapt to, rapidly respond to and recover from disruption caused by a cyber attack
Agenda
Cyber Risk - OpRisk #1
Building Resilience
Future Challenges
Operational Risk #1
Game changer
The digitalization of banking has changed the nature of financial crimes
Attacks are becoming increasingly sophisticated and highly targeted
Emerging channels, like mobile banking, open new doors for cybercriminals
Demands for anytime and anywhere access to systems, and time-to-market pressure for new systems and applications, create new vulnerabilities
There is no such thing as 100% security; cyber incidents are a matter of when, not if
The big picture
The financial services industry, a vital component of the nation’s critical infrastructure, remains a prime target for cyber criminals
Beyond the impact to an individual bank, cyber incidents can have huge economic consequences
A security breach at a few financial institutions can pose a significant threat to market confidence and the nation’s financial stability
Recent well-known incidents
The attack on the Ecuadorian Banco del Austro (BDA) in January 2015 caused financial losses of $12 million
The public learned about the BDA attack 15 months after it occurred, suggesting that the bank hesitated to disclose information about the cyber-attack in order to prevent reputational damage
In December 2015, Vietnam’s Tien Phong Bank (TP Bank) succeeded in stopping a cyber-attack in which hackers attempted to use fraudulent SWIFT messages to transfer more than €1 million
In February 2016 the well-known attack on the Central Bank of Bangladesh happened: attackers put through requests for nearly $1 billion, but thanks to a spelling error they made off with "only" $81 million
These banks were targeted using similar hacking techniques: obtaining valid credentials of SWIFT operators, then initiating transactions by sending fraudulent SWIFT messages on behalf of these operators
The banking community should be able to prevent further attacks by uncovering unforeseen attack patterns
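The common pattern in these incidents (valid operator credentials used to send fraudulent payment messages) is exactly what behaviour-based detection, the kind the "Cultural change" slide later calls for, is meant to catch. The following is an added example, not code from the presentation or from any bank or SWIFT system: it profiles each operator's past messages and flags new instructions that deviate from that baseline. All records, field names and thresholds are constructed.

```python
"""Constructed example: flag payment instructions that deviate from an
operator's established baseline (new beneficiary, amount far above the
operator's history, unusual hour, burst of requests). Detection logic only;
records and thresholds are invented for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed history: (operator, beneficiary_bic, amount_usd, sent_at ISO time)
HISTORY = [
    ("op1", "BANKAAXX", 150_000, "2016-01-04T10:15"),
    ("op1", "BANKAAXX", 210_000, "2016-01-11T11:02"),
    ("op1", "BANKBBXX", 95_000, "2016-01-18T09:40"),
    ("op2", "BANKCCXX", 40_000, "2016-01-20T14:05"),
]

def build_baseline(history):
    """Per-operator profile: known beneficiaries, largest amount, hours used."""
    base = defaultdict(lambda: {"bics": set(), "max_amount": 0, "hours": set()})
    for op, bic, amt, ts in history:
        p = base[op]
        p["bics"].add(bic)
        p["max_amount"] = max(p["max_amount"], amt)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def score_message(baseline, op, bic, amt, ts):
    """Return the list of reasons a message looks suspicious (empty = normal)."""
    p = baseline.get(op)
    if p is None:
        return ["unknown operator"]
    reasons = []
    if bic not in p["bics"]:
        reasons.append("new beneficiary")
    if amt > 2 * p["max_amount"]:  # constructed threshold: twice the historic max
        reasons.append("amount far above operator baseline")
    hour = datetime.fromisoformat(ts).hour
    if hour not in p["hours"] and (hour < 8 or hour > 18):
        reasons.append("sent outside operator's usual hours")
    return reasons

def flag_batch(baseline, messages, burst_threshold=3):
    """Score each message; also flag an operator sending many in one batch."""
    per_op = defaultdict(int)
    out = []
    for op, bic, amt, ts in messages:
        per_op[op] += 1
        reasons = score_message(baseline, op, bic, amt, ts)
        if per_op[op] >= burst_threshold:
            reasons.append("burst of requests from one operator")
        out.append((op, bic, amt, reasons))
    return out
```

A flagged message is a candidate for a second-person review before release, which is where the "detect and respond" shift on the later slides becomes concrete.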
Real-time alert database
The European Central Bank created a real-time cyber attack alert database
The ECB requires banks to submit information on cyber threats on a real-time basis and collects data on significant cyber incidents
It allows the ECB to spot patterns and warn other banks of emerging threats
The aim is to set up a database to register incidents and create an early warning and analysis system for banks
Tone at the top
Everybody has some responsibility for cyber resilience, but ultimately the accountability lies with the Board
Resilience requires initiative and decisive action from the top. Key tasks for senior management:
Recognize cyber risks as part of the organization's risk appetite
Define a comprehensive cyber strategy
Ensure that responsibilities are clearly defined
Raise awareness among staff and provide training
Be an example in promoting secure cyber behavior
Integrated approach
An integrated approach to operational risk management, cyber security and business continuity can help manage cyber risk
The existing ORM methodology should be adapted for cyber risk management, bearing in mind the uniqueness of cyber risks
Embedding cyber security in the operational risk management system builds stronger cyber resilience
The cyber attack response plan should be included within the BCM process
[Diagram: overlapping circles labelled Cyber Security, BCM and ORM]
Standards and best practices
International standards and industry best practices in managing cyber security should be utilized
The ’Three lines of defense’ model provides a simple and effective way to enhance risk management
Continual improvement: the set of attitudes and behaviors that ensures cyber resilience continues to provide the protection needed in a constantly changing environment
[Diagram: Cyber Risk Management System surrounded by ISO/IEC 27001, ISO 22301, COBIT, ITIL, ISO 9001 and ISO 31000]
Professional associations
Cyber security skills
Regulator’s role
Cyber security is a function of a good (or bad) risk management strategy and culture across the organization
Resilience cannot be added after the fact or on a sporadic basis; it must be ingrained into objectives, strategies, processes, technologies and the overall organizational culture
The cyber resilience of each individual financial institution is crucial, but the resilience of the whole "financial ecosystem" must also be ensured
Therefore, regulators should play a significant role in combating cyber risk
But regulation cannot give a detailed prescription for cyber security, because technical details quickly become obsolete; also, there is no one-size-fits-all solution that can cover the diversity of institutions
Cultural change
Realizing that cyber security is not only an IT issue, but a CEO and Board issue
Move from check-box compliance to risk-based thinking, and from protection only to detect and respond
Banks need a comprehensive security program; prevention must be multilayered, as today's attacks are
Detect the known as well as the unknown: sophisticated new attacks demand intelligent data science techniques to identify suspicious behaviors
The new threat landscape requires a shift from a technology focus to a people focus; training employees to detect and report weaknesses is very important
An organization's strong security culture and cyber-aware workforce are the best defense against cyber risk
Cooperation is key
Cooperation for mutual learning is of vital importance, despite understandable resistance (e.g. lack of trust, reputational concerns)
Cyber exercises are needed at national and multinational level to simulate the impact of a large-scale attack on the financial system
Financial institutions in Montenegro should establish a common channel for information exchange on cyber risks
To adequately deal with the persistent threat of cyber-attacks, financial institutions and bank regulators must come together, identify potential weaknesses and seek optimal solutions
Thank you!
[email protected]