The final day of SOFE 2017 was dominated by the topic of cyber security. The closing plenary covered three key elements of this challenge: the evolution of the threat landscape, new technology and the evolution of Swift's Customer Security Programme (CSP), and the regulatory perspective.
Leo Punt moderated a panel comprising Carlo Hopstaken, Group Information Security Office at UBS; Stefano Ciminelli, Swift's Deputy CISO; and Wiebe Ruttenberg, Senior Adviser, DG Market Infrastructure & Payments at the European Central Bank.
Threat landscape evolution
While developments in digitisation, such as AI, are touted as the answer to the cyber threats that financial services face, Hopstaken noted that security by design is not always built in and that different products reach the market on different timescales. Cyber threat actors are very active and agile. They have tools and resources that are easily available, some of which can even be picked up on the dark web for free. Then there is malicious activity from state-sponsored actors, where the technology used can allow the perpetrators to hide their identity.
Data leakage is a big issue for the industry. Hopstaken cited a number of examples, including one from 2015 in which a teenager in the UK had been able to hack the communications firm TalkTalk. This issue is not going away; indeed, it is getting worse. There is a reputational risk here, even though it is well known that this threat exists for all organisations. There is also a financial risk for firms to manage, as those that are compromised can face significant fines.
Denial of service attacks are another prominent threat to organisations today, due to the rise of ransomware. Hopstaken used the Petya attack that affected the shipping giant Maersk, and the WannaCry attack that struck the UK's National Health Service among others, as examples that demonstrate the crippling effect and negative publicity these attacks can have. On top of all this, more traditional cyber fraud, such as credit card fraud and business email fraud, continues to plague businesses.
To address cyber threats, Hopstaken said that organisations first need to make sure baseline security is in place, with all of the basics kept up to date and protected. Another line of defence is to have the resources to detect malicious activity and to know how your organisation should react when something happens.
As well as protection, Hopstaken stressed that organisations also need to focus on detection. He explained how his institution runs threat simulation exercises and uses ethical hackers to help scrutinise its systems for possible weak points. It also uses cyber hunters, who investigate whether anything malicious is happening on the network. These cyber hunters make great use of data analytics.
Ciminelli began his presentation by mentioning a recent email he had received advertising a new solution, which seemed to be packed with familiar buzzwords. He said it is important to turn down the volume on these buzzwords and hype, and to really understand which new technologies can actually be a differentiator for organisations. Cyber fraud is more than just an IT issue. As well as looking at new technologies, it is also important to evaluate the business and explore new ways of working.
While threat actors are increasingly sophisticated, Ciminelli highlighted that traditional problems such as password protection remain major challenges. While new technology can help in the fight against sophisticated external threats, organisations need to focus on fixing the basics as well, by ensuring they have proper network segregation and address common authentication problems.
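The two practical points above, cyber hunters applying data analytics to the network and fixing common authentication problems, can be made concrete with a small hunting query over authentication logs. The script below is an added example and is not code from UBS, Swift or the ECB; the log line format, the thresholds and the sample log lines are all constructed assumptions for this illustration. It flags a single source failing against many accounts in a short window (password spraying), a single source hammering one account (brute force), and, most useful for triage, a successful login from a source already flagged for spraying.

```python
"""Hunting heuristics over authentication logs (added example, not from the page's organisations).

Assumed log format, constructed for this example:
    <ISO timestamp> auth <success|failure> user=<name> src=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source trying one password across many accounts
# and then succeeding, one legitimate user mistyping twice, one brute force.
SAMPLE_LOG = """\
2017-10-04T09:00:01 auth failure user=alice src=203.0.113.9
2017-10-04T09:00:07 auth failure user=bob src=203.0.113.9
2017-10-04T09:00:13 auth failure user=carol src=203.0.113.9
2017-10-04T09:00:19 auth failure user=dave src=203.0.113.9
2017-10-04T09:00:25 auth failure user=erin src=203.0.113.9
2017-10-04T09:00:31 auth success user=frank src=203.0.113.9
2017-10-04T09:05:00 auth failure user=grace src=198.51.100.4
2017-10-04T09:05:10 auth failure user=grace src=198.51.100.4
2017-10-04T09:05:20 auth success user=grace src=198.51.100.4
2017-10-04T09:10:00 auth failure user=admin src=192.0.2.77
2017-10-04T09:10:01 auth failure user=admin src=192.0.2.77
2017-10-04T09:10:02 auth failure user=admin src=192.0.2.77
2017-10-04T09:10:03 auth failure user=admin src=192.0.2.77
2017-10-04T09:10:04 auth failure user=admin src=192.0.2.77
2017-10-04T09:10:05 auth failure user=admin src=192.0.2.77
"""


def parse(log_text):
    """Parse log lines into event dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def hunt(events, window=timedelta(minutes=10), spray_users=5, brute_failures=5):
    """Return a list of findings (thresholds are assumed values, tune per environment).

    - password_spray: one source fails against >= spray_users distinct accounts within window
    - brute_force: one source fails >= brute_failures times against one account
    - possible_compromise: a success from a source already flagged for spraying
    """
    findings = []
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]

        # Sliding window over this source's failures, looking for many distinct accounts.
        sprayed = False
        for i, first in enumerate(failures):
            in_win = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_win}
            if len(users) >= spray_users:
                findings.append({"type": "password_spray", "src": src, "accounts": sorted(users)})
                sprayed = True
                break

        # Repeated failures against a single account from this source.
        per_user = defaultdict(int)
        for e in failures:
            per_user[e["user"]] += 1
        for user, n in per_user.items():
            if n >= brute_failures:
                findings.append({"type": "brute_force", "src": src, "user": user, "failures": n})

        # A success after spraying is the account a hunter should look at first.
        if sprayed:
            for e in evs:
                if e["result"] == "success":
                    findings.append({"type": "possible_compromise", "src": src, "user": e["user"]})
    return findings


if __name__ == "__main__":
    for f in hunt(parse(SAMPLE_LOG)):
        print(f)
```

The thresholds are deliberately simple so the logic stays readable; in practice a hunter would feed the same heuristics from a SIEM or log store rather than an inline string, and would add the legitimate-user case (grace, two typos then success) to a baseline so it is never paged on.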
Moderator Leo Punt asked Ciminelli to elaborate a little on where Swift is with its CSP, which was launched in June 2016 and is designed to reinforce and evolve the security of global banking. Ciminelli said that thousands of customers are participating in testing various elements of the CSP. Under the CSP, Swift has published a Customer Security Controls Framework, including mandatory security controls designed to enhance its customers' security baselines. The controls have been provided to all Swift customers, who now have until 31 December 2017 to self-attest their compliance against them. Ciminelli said that the first version of the framework has been launched, with a newer, bolder version of the Framework in the pipeline as the next step.
Hopstaken added that UBS has reached out to Swift for different workshops to get a good understanding of the CSP and related issues. He noted that, while institutions differ and there is not a one-size-fits-all solution, a lot of progress is being made.
The regulatory perspective
"We are all victims" is a quote from an ECB cyber meeting that Ruttenberg used to begin his presentation to note that, in the context of the cyber threat, the regulator and the regulated are both affected. Indeed, with initiatives such as TARGET2, T2S and TIPS, the ECB faces threats as an operator, an overseer, and an organisation in its own right.
Cyber threats can affect the stability of the financial ecosystem and also the ECB's reputation, and therefore receive attention at the highest level of the ECB. Ruttenberg noted that, as systems are increasingly interconnected, it is vital to protect the privacy of data and the integrity of the systems. With banks facing European directives, national law and security directives, Ruttenberg acknowledged that institutions operate in a complicated, layered regulatory landscape. Indeed, some initiatives that aren't specifically targeted at finance - such as data breach rules - will still see banks fall under their purview.
An ECB questionnaire for financial institutions on cyber governance provided some interesting feedback. Ruttenberg said the results showed that, at the highest level, institutions are not fully up to speed with cyber governance. The results also showed a main focus on technology, but Ruttenberg cautioned that the other key elements - people and processes - are in danger of being overlooked.
Ruttenberg mentioned the use of red team testing as a tactic for testing cyber security and resilience, similar to the ethical hacking example that Hopstaken had mentioned earlier. The Dutch Central Bank has asked financial institutions to test themselves against a cyber security framework but, as Ruttenberg pointed out, this is just one national requirement. He said that the ECB is developing a pan-European framework which will be released in Q1 2018.
Another strategy to combat the cyber threat is high-level dialogue within the financial community. Ruttenberg acknowledged that this can sometimes be at a very technical level, and that there is a need for more strategic dialogue. The ECB has organised consultative meetings that will occur every six months. The first of these happened in June, and the feedback from it showed both the need and the willingness for regular dialogue.
Ruttenberg closed by saying that, while dealing with cyber threats is the responsibility of financial institutions, the ECB wants to provide tools that can assist in this effort. He assured the audience that the ECB is applying to itself what it says to the market.