Cyber-resilience standards and guidelines


Introduction

According to IBM, financial services was the most cyber-attacked industry in 2016. Within the financial services sector, banks are the most obvious targets for cybercriminals, as they have the most visible products and services.

In March 2017, the G20 Finance Ministers and Central Bank Governors noted that “the malicious use of information and communication technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence, and endanger financial stability.”

Regulated institutions’ use of technology includes greater levels of automation and integration with third-party service providers and customers. The result is an attack surface that is growing and is accessible from anywhere, which in turn incentivizes cyber-adversaries to increase their capabilities. Increased use of third-party providers means that the perimeter of interest to financial sector regulators has grown, and greater use of cloud services means that the perimeter is also shared. Shared service models require regulated institutions to think differently about how they build and maintain their cyber-resilience in partnership with third parties.

Given the increase in the frequency, severity and sophistication of cyber-incidents in recent years, a number of legislative, regulatory and supervisory initiatives have been taken to increase cyber-resilience. At the international level, the G7 issued Fundamental Elements of Cyber-security for the financial sector.

Bank regulators in a number of jurisdictions have accordingly issued new cyber-security regulations in the past few years. Multinational banks must ensure they comply with the cyber regulations in every jurisdiction in which they do business.

In the European Union (EU), the European Commission’s (EC) Fintech Action Plan invites the European Supervisory Authorities to consider issuing guidelines to achieve convergence on ICT risk.

The Basel Committee on Banking Supervision (BCBS) recognized the merits of approaching operational resilience beyond the purview of operational risk management and minimum capital requirements, and established the Operational Resilience Working Group (ORG) with the intention of contributing to the international effort on cyber-risk in close coordination with the other international bodies involved.

ORG has identified the following topics:

A)  Cyber-resilience standards and guidelines

Most jurisdictions address cyber through the lens of IT and general operational risk. Cyber-resilience expectations cover a wide range of regulatory standards. These expectations are sometimes embedded within high-level IT risk guidance.

Guidance typically addresses governance, risk management, information security, IT recovery and management of IT outsourcing arrangements. Cyber-risk management is considered as a subset of these practices.

Specific cyber-risk management guidance has emerged in the context of information security.

A few jurisdictions have issued specific cyber-risk management or information security guidance, including on the importance of effective cyber-security risk management, on early detection of cyber intrusions, on the establishment of a cyber-security policy and the common procedures and methodologies for the assessment of ICT risk.

In jurisdictions where no cyber-security regulations specific to the financial sector exist, supervisors encourage their regulated entities to implement international standards and to apply prescriptive guidance. Most jurisdictions implement key concepts from international and industry standards such as NIST, ISO/IEC and COBIT, and leverage supervisory practices from the US (FFIEC IT Examination Handbook) and the UK (CBEST).

 B)   Cyber-governance

The majority of the regulators have issued either principles-based guidance or prescriptive regulations.

Supervisory expectations and practices were identified in the following areas relevant to governance:

  1. Cyber-security strategy

  2. Management roles and responsibilities

  3. Cyber-risk awareness culture

  4. Architecture and standards

  5. Cyber-security workforce

1.      Cyber-security strategy is expected but not required

Although most regulators do not require regulated entities to develop a cyber-security strategy, all expect regulated institutions to have a board-approved information security strategy, policy and procedures under the broad remit of effective oversight of technology.

 2.      Management roles and responsibilities

Almost all the jurisdictions emphasize the importance of management roles and responsibilities for cyber-governance and controls.
The majority of regulators have adopted the “three lines of defence risk management model (3LD)” to assess cyber-security risk and controls.

A widespread practice among large and globally active banks is to establish a governance structure based on the 3LD model. Typically, in this model, the CISO is the executive officer responsible for a bank’s cyber-security management. The CISO’s role is to serve as a circuit breaker and to balance the firm’s risk appetite against security protection considerations well before digital services or products are introduced or expanded.

3.      Cyber-risk awareness culture

An awareness of cyber-risk by staff at individual banks and a common risk culture across the banking industry are prerequisites for maintaining cyber-resilience within the sector.

 4.      Architecture and standards

For most jurisdictions, general regulatory requirements for architecture and standards are not in place, or there is a lack of coverage.

 5.      Cyber-security workforce

The skills and competencies of cyber-workforces, their regulatory frameworks and the range of practices differ markedly across jurisdictions. Some jurisdictions have IT-specific standards that address the responsibilities of the IT workforce and information security functions, with particular attention to cybersecurity workforce training and competencies.

The range of supervisory practices covers the assessment of team divisions, staff expertise (including background and security checks of cyber-security specialists), staff training processes and the adequacy of funding and resources to implement the organisation’s cyber-security framework.

Most of the jurisdictions are in the early stages of implementing supervisory practices to monitor a bank’s cyber-workforce skills and resources. Their regulatory schemes require regulated entities to manage risks but do not set specific requirements to address cyber-security workforce skills and resources.

C)   Approaches to risk management, testing, and incident response and recovery

This section sets out a range of observed practices on cyber-risk management, testing, and incident response and recovery. It aims to identify practices in the supervision of banks’ cyber-resilience which could inform future work. It is divided into four sub-sections:

• Methods for supervising cyber-resilience

• Information security controls testing and independent assurance

• Response and recovery testing and exercising

• Cyber-security and resilience metrics.

 C1) Methods for supervising cyber-resilience

Most jurisdictions undertake off- and on-site reviews and inspections of regulated institutions’ information security controls to assess compliance with regulatory standards and alignment with good practice.

Reviews are completed either as part of general technology assessments or risk management assessments more broadly.

They tend to focus on governance and strategy, management and frameworks, controls, third-party arrangements, training, monitoring and detection, response and recovery, and information-sharing and communication.

The number, type, and nature of regulated institutions vary by jurisdiction, as do the size of the specialist risk teams of the regulator.

C2) Information security controls testing and independent assurance

Most jurisdictions (eg Australia, the EU, Hong Kong, Singapore and the US) recognize the importance of mapping and classifying business services and supporting assets and services as a basis for building resilience. A clear understanding of business services and supporting assets (and their criticality and sensitivity) can be used to design testing and assurance of end-to-end business services. This is typically completed as part of business impact analysis, recovery and resolution planning, reviewing dependency of critical services on external third parties, and scoping for assessments.

The following core themes are identified:

-        Requirement to conduct risk assessment

-        Board and senior management accountability

-        Requirements to report to regulator on cyber incidents

-        Testing for vulnerability and resilience to cyber risk

-        Incident detection, response and recovery

-        Information sharing

-        Cybersecurity training, expertise and awareness

-        Cyber resilience of third-party service providers

In May 2018, the ECB published the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which is the first Europe-wide framework for controlled and bespoke tests against cyber-attacks in the financial market. The framework facilitates testing for cross-border entities under the oversight of several authorities.

C3) Response and recovery testing and exercising

Evaluation of service continuity plans focuses on reviewing alignment with institutions’ risk management frameworks, the business continuity management strategies chosen, IT disaster recovery arrangements and data centre strategies. 

The majority of regulators require entities to establish a framework or policy for prevention, detection, response and recovery activities, including incident reporting. Specific requirements vary across supervisory authorities, and most are not specific to cyber-risk.

C4) Cyber-security and resilience metrics

Backward-looking indicators rely on past performance as a predictor of future performance, which is reasonable when institutions’ operations and risk environment are relatively stable over time and more or less independent of outside influences. Cyber-risk frustrates this assumption, however, because adversaries are dynamic: they adapt to institutions’ responses and protective measures, sometimes changing their tactics and strategies even in the course of a single cyber-incident.

While backward-looking metrics continue to be important, jurisdictions are increasingly recognizing the need for forward-looking indicators as direct and indirect metrics of resilience, indicating whether a regulated institution is likely to be more or less resilient in the event of a risk crystallizing.

 D)  Communication and sharing of information

Most Basel Committee jurisdictions have put in place cyber-security information-sharing mechanisms, be they mandatory or voluntary, to facilitate sharing of cyber-security information among banks, regulators and security agencies. These mechanisms serve multiple purposes, including helping relevant parties defend themselves against emerging cyber-threats. This section sets out a range of observed cyber-security information-sharing practices among banks and regulators. For the purpose of the Basel Committee report, they are divided into five categories according to the parties involved in the sharing.

Different kinds of cyber-security information are shared by banks and regulators, including:

-        cyber-threat information,

-        information related to cyber-security incidents,

-        regulatory and supervisory responses in case of cyber-security incidents and/or identifications of cyber-threat,

-        best practices related to cyber-security risk management.

 Depending on the type of arrangement, the kind of information shared varies. For instance, information related to cyber-security incidents is more widely observed in sharing from banks to regulators and with security agencies, whereas cyber-threat information/intelligence is the most common kind of information shared among banks.

Reporting requirements are established by different authorities for specific purposes depending on their mandate (eg supervisory and regulatory functions, consumer protection and further distribution of information to national cyber-security agencies for systemic operators).

Incident reporting by banks to regulator(s) is a mandatory requirement in many jurisdictions, with different scopes of requirements and ranges of application. For jurisdictions already enforcing the requirement in the past, the reporting obligation has a broader operational incident scope, including cyber-incidents. The perimeter can include all supervised institutions but is more often limited to systemically important institutions. Nearly all institutions regulated in the EU are required to report cyber-security incidents to the competent authorities. The requirements stem from supervisory frameworks (such as the Single Supervisory Mechanism (SSM) cyber-incident reporting framework), EU directives (PSD2, NIS) and local law.

Some requirements also include the obligation to submit a root cause analysis for the incident, or a full post-mortem or lessons learnt after the incident. Different scopes and perimeters may depend on the type of authority (eg supervisors, regulators, national security) and its mandate (ie national cyber-security agencies, consumer protection, banking supervision, etc), the sector(s) involved (eg multisector or specific: banks, significant banks, systemic operators, payments) and the geographical range (eg national, multiregional). While many supervisors focus only on reporting and tracking incidents that have already taken place, some require proactive monitoring and tracking of potential cyber-threats, because concerns about reputational risk may lead a regulated entity to delay reporting an incident.

 E)   Interconnections with third parties

 All jurisdictions recognize the challenge of gaining assurance of an entity’s cyber-resilience, a challenge both for regulators with regard to financial institutions, and for financial institutions with regard to their third-party service providers.

Extensive use of third-party services increases the challenge for jurisdictions and regulated institutions themselves to have full sight of the controls in place, and the level of risk. For the purpose of identifying the range of practices in relation to cyber-resilience, “third parties” is understood in a broad sense, including: (i) all forms of outsourcing (including cloud computing services); (ii) standardized and non-standardized services and products that are typically not considered outsourcing (power supply, telecommunication lines, commercial hardware and software, etc); and (iii) interconnected counterparties such as other institutions (financial or not) and FMIs (eg payment and settlement systems, trading platforms, central securities depositories and central counterparties).

Cyber-resilience practices in relation to third parties are analyzed across the following areas:

• Governance of third-party interconnections

• Business continuity and availability

• Information confidentiality and integrity

• Specific expectations and practices regarding visibility of third-party interconnections

• Auditing and testing 

• Resources and skills

In Luxembourg, authorities have put in place a specific regulation for companies that supply specialized services to financial institutions. For these “financial sector professionals”, the same regulation for authorization and ongoing supervision applies as for the financial institutions themselves.

Consistent with the expanding scope of supervisory scrutiny of regulated entities, in Europe the legal mandates that regulate interaction between institutions, supervisors and third-party providers are provided by the MiFID II Directive, and 12 competent authorities can directly review third parties involved in IT services.

In addition, specific expectations for control and location of data are starting to emerge, in the form of requirements that at least one data centre for cloud computing services be identified as located in the country or region (eg in the EU), or that data ownership, control (Australia) and location (Brazil and France) be identified and monitored as part of the outsourcing agreement. Some jurisdictions (Germany, Singapore and Switzerland) further require a contractual clause that reserves the right for institutions to intervene at, or give directives to, the service provider.

About the Author


Pierre Vanden Weghe has worked for banking, insurance and industrial companies as a functional analyst and as a project and change manager. He joined Initio in 2017.


Main References

https://www.bis.org/bcbs/publ/d454.pdf (Basel Committee)

https://ec.europa.eu/digital-single-market/en/cyber-security (European Commission)

https://www.consilium.europa.eu/fr/policies/cyber-security/ (Council of the European Union)

https://www.bis.org/cpmi/publ/d146.htm (Guidance on cyber resilience for financial market infrastructures)