Post on 26-Dec-2015

213 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

CYBER-SECURITY ISSUES AND OPTIONS
(BASED ON A 14 ECA COUNTRY SURVEY) PART I: CYBER-THREATS

AQUILES A. ALMANSI & FERNANDO MONTES-NEGRET

OUR THANKS TO OUR COLLEAGUE KATIA D’HULSTER FOR USEFUL COMMENTS AND SUSAN SCHROEDER FOR COMPETENT EDITING.

FERNANDO MONTES-NEGRET, FINSAC COORDINATOR, THE WORLD BANK
SOFIA, JUNE 16, 2015

Page 2

A Positive Message: Finance has contributed significantly to economic progress

“TECHNOLOGICAL PROGRESS IN FINANCIAL SERVICES HAS PLAYED A CRUCIAL ROLE IN MAKING THE SYSTEM WORK EFFICIENTLY, ENABLING GREATER AUTOMATION PROCESSES, HIGHER PROCESSING POWER, IMPROVED RISK MANAGEMENT AND A WIDER PRODUCT RANGE AVAILABLE ON ONLINE PLATFORMS. THIS BENEFITS BUSINESS AND RETAIL CUSTOMERS”.

EC, “European Financial Stability and Integration Review”, April 2015, page 190.

Page 3

Inconsistencies: Information and the Regulatory Perimeter

[Diagram of the regulatory perimeter; labels as they appear on the slide: Other (Non-Reporting/Unregulated); Non-Financial Institutions (Non-Reporting/Unregulated); NBFIs (Regulated/Lightly Regulated); Central Bank.]

Page 4

Evolution of Cyber-Attacks: THE FOUR Fs (DTCC)

- Fun: mid-1980s (“Morris” virus);
- Fame: early 2000s;
- Fortune: cyber criminals, starting in 2004 (“phishing”, denial of service, etc.);
- Force: state-sponsored attacks (Advanced Persistent Threats (APTs); Georgia & Estonia, etc.).

Page 5

Cyber-Threats & Vulnerabilities

Software
- Old, more vulnerable IT legacy systems;
- Merged IT systems, not always fully compatible;
- Use of internal & external resources to manage IT systems;
- Phishing and malware;
- Crypto-locker blackmail;
- Wiper hacks;
- Advanced persistent threats;

Access
- Vulnerabilities of the two-step verification software;
- Weak passwords and lax access policies;
- No or weak oversight over third party service providers’ and vendors’ systems & controls (outsourcing);

Page 6

Cyber-Threats & Vulnerabilities (cont. 2)

Employees, Third Party Vendors & Outsourcing
- Staff stealing in-house proprietary and confidential information;
- Cross-border crime difficult to police & punish;
- Independent and state-backed hackers;
- Launching of new, untested products;
- Excessive reliance on third-party service providers for critical banking functions, including payment processing, web applications, and online banking;

Targets
- Account takeovers, identity theft, telecommunication network disruptions, and data integrity breaches;
- Theft of proprietary trading algorithms and other intellectual property and valuable know-how;
- Customer accounts & data;
- ATM and point-of-sale schemes and other financial infrastructure.

Page 7

General Responses to Cyber Risks: Information Security Framework

- Written information security policy;
- Security awareness education and employee training;
- Identification and management of key cyber risks and trends;
- Information security audits;
- Incident monitoring & reporting.

Ten Steps Guidance:
a. Information Risk Management Regime;
b. Secure Configuration;
c. Network Security;
d. Managing User Privileges;
e. User Education and Awareness;
f. Incident Management;
g. Malware Prevention;
h. Monitoring;
i. Removable Media Controls; and
j. Home & Mobile Working.

Other
- Strong cyber-security governance (beyond IT departments, including a dedicated information security executive);
- Frequent security updates & reporting to the Board of Directors and relevant managers;
- Adequate information security budget;

Page 8

General Responses to Cyber Risks: Information Security Framework (cont. 2)

Cyber-Insurance & Partnerships
- External insurance coverage;
- Information sharing among financial institutions, retailers, and security agencies (Information Sharing and Analysis Centers, in spite of reluctance to reveal security weaknesses to competitors);
- A more concerted response from all parties;
- Sharing of information in real time among trusted parties;
- Speedy response;

Cyber-attack Bills
- Sharing the losses among banks, insurers and retailers;
- Setting industry data protection standards (Gramm-Leach-Bliley Act in the US);

Software
- Anti-virus software and (internet) firewalls;
- Detection of unauthorized devices;
- Spyware and malware detection;
- Server-based access control lists;
- Intrusion detection tools & intrusion prevention systems;

Page 9

General Responses to Cyber Risks: Information Security Framework (cont. 3)

Training of bank staff
- Vulnerability scans and (internal & external) penetration tests;
- Encryption: files and information traffic;
- Data loss prevention tools;
- Make software providers liable for vulnerabilities;
- More effective passwords and access codes (multi-factor authentication & encryption);
- Smart cards and one-time password tokens;
- Biometric tools;

Communication Strategy
- Communication plan & designated communication officer following a cyber-security breach.

Supervisory Actions
- More frequent and detailed IT examination procedures focused on cyber security;
- Review of IT governance arrangements, response and event management;
- More focus on internal access controls and security;
- Review of contracts for vendors, screening compliance with management policies;
- Disaster recovery plans and enforcement legislation;
- Require regular reporting of cyber-attacks to the supervisor.

Page 10

Cyber-Preparedness is a Policy Issue: Main Messages

Cyber-Preparedness is a Policy Issue, with an important IT component, but it is not only an IT issue;

Governance of cyber-risks is paramount, at: CBs & Regulatory Agencies, Banks and Non-Bank Financial Institutions, FMIs, and private & public corporations;

It reflects the pervasive nature of information, which extends to all players in the economy holding private/confidential client information;

Role of Central Banks & Supervisory Agencies, Consumer Protection Agencies, Security Services;

Banks’ Boards and bank supervisors have a key role to play. They need better intelligence and must be more pro-active in confronting, preparing for and investing to contain cyber-risks;

- Ask your technical staff the hard questions! Frankly, you need to think “out of the box”!
- It is likely that a future systemic crisis might involve a significant cyber-event: a dynamic and complex process, requiring the coordination of multiple stakeholders.
- Need to prepare, be alert and invest. No time for complacency;
- The economic and non-economic costs of cyber-attacks are on the rise!

Page 11

Page 12

Part II: Survey Findings

Working Paper

Page 13

Objective and Scope

Fifteen Central Banks were invited to comment on cyber incidents in their respective jurisdictions, and to assess the current state of their own cyber security practices. The results reported here correspond to the fourteen responses received. The objective of the World Bank Group’s Vienna Center for Financial Sector Advisory Services (FinSAC) survey was to contribute to cyber-risk awareness and preparedness. FinSAC took as a model OSFI’s cyber security self-assessment questionnaire.

Page 14

Main Findings – Information on Incidents

Eleven of the fourteen respondents have been targets of cyber-attacks. Of these, all but one have registered incidents of actual network penetration, and at least three are regularly blocking attacks (from daily to once or twice a week).

Knowledge about cyber-attack attempts and successful breach incidents at financial institutions in their respective jurisdictions varies considerably across the fourteen countries; five of them have no information.

Ten of the fourteen respondents reported having no information about cyber-attacks on major utility providers, retail stores, or other public or private institutions holding customer bank or credit card data.

Page 15

Main Findings – Self Assessments

The strongest self-assessments correspond to technical issues typically in charge of IT departments.

The weakest self-assessments correspond to areas typically in the hands of Senior Management and/or the Governor/Board, with institutional developmental issues similar to those frequently present in every other area of financial regulation and supervision.

Self-assessments were far from unanimous, the highest dispersion corresponding to areas with the weakest self-assessments.

Page 16

Self-Assessment Ratings:

[Chart: “Average self-assessment” per question; x-axis: question 1 to 35; y-axis: self-assessment 0 to 4.]

Rating scale:
4. Fully Implemented
3. Largely Implemented
2. Partially Implemented
1. Not Implemented
0. NA

Page 17

Strongest Self-Assessments

Q18, avg. 3.50: The Central Bank segments its network into multiple, separate trust zones.

Q17, avg. 3.43: The Central Bank has implemented network boundary monitoring and protection.

Q15, avg. 3.29: The Central Bank has implemented the following security tools and provides for their automated updates, and institution-wide application: Intrusion detection / protection systems; Web application firewalls; Anti-virus; Anti-spyware; Anti-spam; DDoS protection; other.

Q25, avg. 3.21: The Central Bank tightly controls the use of administrative privileges.

Q24, avg. 3.21: The Central Bank applies strong authentication mechanisms to manage user identities and access.

Q16, avg. 3.21: The Central Bank has a process to obtain, test and automatically deploy security patches and updates in a timely manner.

Q11, avg. 3.21: The Central Bank maintains current a knowledge base of its users, devices, applications and their relationships, including but not limited to software and hardware assets, network maps (including boundaries, traffic and data flow), and network utilization and performance data.

Q29, avg. 3.07: The Central Bank’s incident management process is designed to ensure that the following tasks are fully completed: Recovery from disruption of services; Assurance of systems’ integrity following the cyber security incident; Recovery of lost or corrupted data.
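Two of the strongest-rated controls above (Q11, a current knowledge base of devices and network maps, and Q18, separate trust zones) together with the “Detection of unauthorized devices” item on Page 8 can be turned into one routine check: every address a DHCP server hands out is looked up in the asset inventory, and a known device is then checked against the zone its subnet belongs to. The Python below is an added example, not code from the presentation, FinSAC or the World Bank; the inventory, the subnet-to-zone map, the hostnames and the log lines are all constructed, and the log format is only loosely modelled on ISC dhcpd syslog messages.

```python
"""Detect unknown devices and trust-zone mismatches from DHCP lease lines.

Added example; not code from the presentation, FinSAC or the World Bank.
The inventory, zone map and log lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory (a Q11-style knowledge base): MAC -> (hostname, trust zone).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("rtgs-gw-01", "zone-payments"),
    "aa:bb:cc:00:00:02": ("hr-laptop-17", "zone-office"),
    "aa:bb:cc:00:00:03": ("dmz-web-02", "zone-dmz"),
}

# Constructed map of subnets to trust zones (Q18-style segmentation).
SUBNET_ZONES = {
    ipaddress.ip_network("10.10.1.0/24"): "zone-payments",
    ipaddress.ip_network("10.20.1.0/24"): "zone-office",
    ipaddress.ip_network("192.168.5.0/24"): "zone-dmz",
}

# Constructed lease log: a known laptop in its own zone, an unknown phone,
# the same laptop appearing on the payments subnet, and a DISCOVER with no lease.
LEASE_LOG = """\
Jun 16 09:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.44 to aa:bb:cc:00:00:02 (hr-laptop-17) via eth0
Jun 16 09:02:40 dhcp1 dhcpd: DHCPACK on 10.20.1.91 to de:ad:be:ef:00:99 (android-7f3a) via eth0
Jun 16 09:03:05 dhcp1 dhcpd: DHCPACK on 10.10.1.7 to aa:bb:cc:00:00:02 (hr-laptop-17) via eth1
Jun 16 09:04:33 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
"""

# Only DHCPACK lines record an address actually granted to a device.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class Finding:
    kind: str  # "unknown-device" or "zone-mismatch"
    mac: str
    ip: str
    detail: str


def zone_for(ip):
    """Trust zone of an address, or None if it lies in no mapped subnet."""
    addr = ipaddress.ip_address(ip)
    for net, zone in SUBNET_ZONES.items():
        if addr in net:
            return zone
    return None


def reconcile(log_text, inventory=INVENTORY):
    """Compare every granted lease against the inventory and the zone map."""
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/NAK lines carry no assigned address
        ip, mac = m["ip"], m["mac"].lower()
        known = inventory.get(mac)
        if known is None:
            findings.append(Finding("unknown-device", mac, ip, f"hostname={m['host']}"))
            continue
        hostname, expected = known
        seen = zone_for(ip)
        if seen != expected:
            findings.append(Finding("zone-mismatch", mac, ip,
                                    f"{hostname}: expected {expected}, seen {seen}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(LEASE_LOG):
        print(f"{f.kind:15s} {f.mac} {f.ip:15s} {f.detail}")
```

Run stand-alone, the script reports the unknown Android device on the office subnet and the HR laptop that obtained an address in the payments zone. A MAC address is trivially spoofed, so a match against the inventory is a weak identity; the value of the check is in the exceptions it raises for follow-up, and in the inventory having to be kept current for the check to mean anything.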

Page 18

Weakest Self-Assessments

Q4, avg. 1.57: Cyber security awareness is provided to all commercial bank employees.

Q10, avg. 1.71: The Central Bank conducts regular cyber-attack and recovery simulation exercises.

Q28, avg. 1.71: The Central Bank has an external communication plan to address cyber security incidents that includes communication protocols and draft pre-scripted communications for key external stakeholders (i.e. customers, media, critical service providers, etc.).

Q13, avg. 1.86: The Central Bank monitors and tracks cyber security incidents in the financial services industry and other relevant sectors.

Q9, avg. 1.93: The Central Bank conducts regular testing with third party cyber-risk mitigating services.

Q33, avg. 1.93: The Central Bank has utilized scenario analysis to consider a material cyber-attack, mitigating actions, and identify potential control gaps.

Q34, avg. 2.14: A Senior Management committee has been established that is dedicated to the issue of cyber risks, or an alternative Senior Management committee has adequate time devoted to the discussion of the implementation of the cyber security framework.

Page 19

Dispersion of Self-Assessments

[Chart: “Dispersion of self-assessments per question”; x-axis: question 1 to 35; y-axis: stdev/mean, 0.00 to 1.00.]

[Chart: “Mean vs Dispersion per Question”; x-axis: mean self-assessment, 1 to 4; y-axis: stdev/mean, 0.00 to 1.00.]
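To make the dispersion measure on these charts concrete, the following is an added Python example (not part of the presentation or of FinSAC’s survey) that computes, for each question, the mean rating and stdev/mean across respondents, then orders the questions from most to least dispersed. The responses are invented; the only deliberate choice is that the Q18 and Q25 columns average 3.50 and 3.21, the values reported on the “Strongest Self-Assessments” slide. The code assumes that “NA” (rating 0) answers are excluded before averaging and that stdev is the population standard deviation; the slides state neither convention.

```python
"""Mean and dispersion (stdev/mean) of self-assessment ratings per question.

Added example, not from the presentation or FinSAC's survey. All responses
below are invented. Assumptions: NA (0) is excluded before computing
statistics, and stdev is the population standard deviation.
"""
from statistics import mean, pstdev

NA = 0  # scale: 4 fully, 3 largely, 2 partially, 1 not implemented, 0 NA

# Constructed responses: fourteen ratings per question, one per respondent.
RESPONSES = {
    "Q18 network segmented into separate trust zones":
        [4, 4, 3, 4, 3, 4, 3, 4, 3, 4, 3, 3, 4, 3],
    "Q25 administrative privileges tightly controlled":
        [4, 3, 3, 4, 2, 3, 4, 3, 3, 4, 3, 2, 4, 3],
    "Q4 awareness provided to commercial bank employees":
        [1, 1, 2, 1, 3, 1, 2, 1, 1, 2, 1, 0, 0, 3],
    "Q10 regular attack and recovery simulation exercises":
        [2, 1, 1, 3, 1, 2, 0, 1, 4, 1, 1, 2, 1, 3],
}


def summarize(ratings):
    """Return (answered, na_count, mean, stdev/mean) for one question.

    Mean and dispersion are None when every respondent answered NA.
    """
    answered = [r for r in ratings if r != NA]
    if not answered:
        return (0, len(ratings), None, None)
    m = mean(answered)
    return (len(answered), len(ratings) - len(answered), m, pstdev(answered) / m)


def rank_by_dispersion(responses=RESPONSES):
    """Rows (question, answered, na, mean, stdev/mean), most dispersed first."""
    rows = [(q, *summarize(r)) for q, r in responses.items()]
    return sorted(rows, key=lambda row: -1 if row[4] is None else row[4], reverse=True)


if __name__ == "__main__":
    for q, n, na, m, cv in rank_by_dispersion():
        print(f"{q:52s} n={n:2d} NA={na} mean={m:.2f} stdev/mean={cv:.2f}")
```

With these constructed answers the two weakly rated questions (Q10, Q4) also come out as the most dispersed and the two strongly rated ones (Q25, Q18) as the least, the same pattern the slides report for the real survey. Because stdev/mean divides by the mean, a question with a low average is penalised twice: the same absolute disagreement among respondents yields a larger ratio, which is worth keeping in mind when reading the “Mean vs Dispersion” chart.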

Page 20

Understanding the dispersion

[Chart: “Average self-assessment per cluster”, series Cluster A, Cluster B and Cluster C; x-axis: question 1 to 35; y-axis: average self-assessment 0 to 4.]

Page 21

Areas of greatest dispersion

13. The Central Bank monitors and tracks cyber security incidents in the financial services industry and other relevant sectors.

28. The Central Bank has an external communication plan to address cyber security incidents that includes communication protocols and draft pre-scripted communications for key external stakeholders (i.e. customers, media, critical service providers, etc.).

31. The Central Bank has established an institution-wide cyber security policy, with supporting procedures in place that set forth how the Central Bank will identify and manage its cyber security risks.

32. The Central Bank has a cyber-security implementation plan that outlines key initiatives and timelines.

33. The Central Bank has utilized scenario analysis to consider a material cyber-attack, mitigating actions, and identify potential control gaps.

34. A Senior Management committee has been established that is dedicated to the issue of cyber risks, or an alternative Senior Management committee has adequate time devoted to the discussion of the implementation of the cyber security framework.

35. The Board, or a committee of the Board, is engaged on a regular basis to review and discuss the implementation of the Central Bank’s cyber security framework and implementation plan, including the adequacy of existing mitigating controls.

Page 22

Conclusions

Information on cyber security events: good about incidents affecting the Central Bank, limited about incidents affecting supervised institutions, very limited or nonexistent about incidents affecting other sectors.

Self-Assessments: the strongest correspond to issues typically in charge of IT departments; the weakest correspond to areas typically in the hands of Senior Management and/or the Governor/Board.

Page 23

THANK YOU FOR YOUR ATTENTION !

[email protected]@gmail.com