Cyber on our minds
In a 2019 interview with CBS’ 60 Minutes, Federal Reserve Chairman Jerome Powell surprised his interviewer by stating that “in a sense, [cybersecurity] is our top priority”. Not inflation, not questions of employment or foreign exchange – cybersecurity was keeping one of the world’s most influential policymakers up at night. Powell then touched upon the dynamic nature of cybersecurity, describing it as an area “where the playbook is still being developed in real time”.
Both the fluid nature of an emerging field of expertise and the rise from the conceptual to the materially relevant were discussed in my June blog post. The following excerpt remains highly relevant:
“The fundamental socio-economic changes imposed by our collective response to COVID-19 have provided the latest push towards an economic model featuring reduced reliance on physical proximity at the same time as dramatically increased reliance on IT infrastructure. This fundamental shift in how we live and how business is done goes hand in hand with socioeconomic disruptions which provide an opportunity for individual organizations to gain a competitive advantage via swift adaptation, but also systemic risk relating to widespread IT vulnerabilities.”
If the digitalization of all economic sectors was already in full swing in 2019, the 2020 pandemic has kicked this overarching socioeconomic trend into overdrive. Inevitably, the importance of cybersecurity has risen in parallel, and Jerome Powell’s comments seem all the more prescient.
An emerging framework
IT/ICT risks go hand in hand with cybersecurity and it is unfathomable to think of a modern financial system without thinking of the ICT infrastructure that underpins it. As the European Banking Authority notes, “ICT is a key resource in developing and supporting banking services; ICT systems are not only key enablers of institutions’ strategies, forming the backbone of almost all banking processes and distribution channels, but they also support the automated controls environment on which core banking data are based. ICT systems and services also represent material proportions of institutions’ costs, investments and intangible assets. Furthermore, technological innovation plays a crucial role in the banking sector from a strategic standpoint, as a source of competitive advantage, as it is a fundamental tool for competing in the financial market through new products as well as through facilitating the restructuring and optimisation of the value chain. As a result of the increasing importance of ICT in the banking industry, some recent trends include:
- the emergence of cyber risks together with the increased potential for cybercrime;
- the increasing reliance on third parties for ICT services and products, often in the form of diverse packaged solutions and resulting in manifold dependencies and potential constraints and concentration risks.
To mitigate these risks, which are not limited to the financial system but also highly pertinent to other critical infrastructure, broadly accepted guidelines and norms, private-public sector collaboration and effective supervision are called for. In recent years, significant strides have been made towards the creation of a comprehensive supra- / international framework for the implementation and supervision of IT network risks, including but not limited to cyber risks, notably via the 2016 NIS directive which has since been transposed into national law across the EU, though with significant variability, as discussed here by Wavestone. For instance, some countries directly transposed security measures for essential information systems into law, whereas others rely on ISO/IEC 27001 certification:
ISO/IEC 27001 certifications have seen a 450% rise over the past 10 years, partially driven by legislation such as NIS, partially by organic adoption in recognition of their usefulness. More broadly, the ISO/IEC 27000 family of standards “enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties”.
Penalties for non-compliance with measures contained in the NIS directive vary widely from country to country; a variable that doubtlessly factors into resource allocation decisions for multinationals:
While high penalties may disincentivize some companies to set up shop in a given jurisdiction, conversely, when a given legislator signals that they are serious about enforcing InfoSec provisions, said jurisdiction’s reputation may be strengthened. Creating a safe and reliable operating environment for all market participants is of paramount importance as we continue to move towards an economic model that is heavily reliant on IT cross-sector. Point in case: according to a recent ENISA report, as of April 2020, there were more than 500 cyber incident response teams in Europe, preoccupied with the proactive detection of malicious activity through internal monitoring and via reference to external resources. It seems safe to assume that incident response teams will continue to grow in numbers in the coming months and years.
Awareness plus investment equals future-proofing
Where does the Luxembourg financial sector stand? As tens of thousands of tertiary sector workers have adopted remote working, as customer preferences shift and as the Luxembourg financial hub continues to position itself favorably in a challenging geopolitical context, the country’s top financial regulator offers clues as to strategic priorities. As LHoFT associate S. Elif Kocaoglu Ulbrich laid out in June, the country “aims to position itself as a leading European location for cybersecurity start-ups, talent, investors, and experts looking for growth opportunities. The ecosystem hosts many up and coming start-ups such as Hacknowledge, Fineksus, Jemmic, Uniken.” This is further bolstered by a proactive public policy approach as I will illustrate below.
The CSSF’s 2019 annual report recognizes the “sizable challenges” associated with – among other considerations – “obsolete” IT systems and the need to re- and upskill financial sector workers in order to ensure competitiveness and operational continuity. Innovation (Fintech) and digitalization is listed as a priority area alongside traditional core regulatory tasks such as consumer protection and AML/CFT.
CSSF intends to take a proactive approach towards implementing the aforementioned NIS directive, writing on page 86 that “[integration of the NIS directive’s requirements] presents a significant change, which needs to be presented to market participants [by CSSF] in order to ensure that it is properly understood”. In the same vein, CSSF also accentuates a strengthening of internal IT expertise as well as continued national and international coordination on questions of emerging technologies. Last but not least, the regulator’s “4.0” strategy promises to increase productivity and reduce turnover times significantly by deploying advanced automation tools based on AI.
There are also concrete examples of the CSSF’s proactive approach towards leveraging contemporary IT infrastructure: as Anne-Sophie Morvan of Luxtrust lays out here, as part of Luxembourg’s AML V implementation, CSSF is moving from a “push” to a “pull” approach when it comes to the reporting obligations of certain supervised entities.
Figure 2: Source: CSSF Circular n°20/747, p.5. – via Luxhub. Schematic representation of CSSF’s API-based implemtation of certain reporting obligations under AML V.
While it may seem like a mere technicality to casual observers, this transition in the CSSF’s regulatory approach promises to remove inefficiencies, reduce the risk of financial fraud and it most certainly acts as a positive impetus for further integration of the regulatory function with the markets it supervises thanks to technologically appropriate solutions. This instance of technological evolution in the service of supervision also demonstrates that inherently inefficient processes and transactions are bound to be uprooted by technological change in due time. Investing in readiness today ensures relevance.
And this is where things come full circle: the growing role of technologically enabled solutions means growing systemic risk stemming from cybersecurity considerations, but it also means that adopting best practice makes financial sense. LHoFT member Cyberhedge continues to make the case for the close evaluation of technology governance considerations by investors, citing the predictive power of its cyber governance ratings with regard to company performance.
Integration of financial services and business-to-regulator functions via APIs as discussed earlier is likely just the beginning of a long journey of increasing interconnectedness which includes such things as the internet of things and the growing importance of vast extra-financial datasets. As remote onboarding remains in high demand due to COVID, established financial institutions have taken note and are ramping up their collaborative efforts with Fintechs offering solutions with regard to AI-enabled “deep fakes”. In the age of digital, ensuring that institutions are dealing with “real people and not manipulated recordings” will become an increasingly pressing concern.
Even as the glue that holds the financial system together is increasingly made of hardware and software, human agency still matters. If boardrooms are the weak link in an organization’s cybersecurity strategy, not much else matters. To establish cyber-resilience, vertical integration of best practice, close collaboration between market participants and the public sector, global incident reporting and the implementation of effective norms and processes are all required. Learning to leverage technology to our benefit, and doing so in a collaborative manner, ultimately rests on human preferences and decisions.
Be sure to sign up for this year’s edition of Cybersecurity Week – 100% virtual – to continue and deepen your engagement with the community.
Tools and resources:
- MONARC is an iterative and qualitative method of risk analysis in four stages; broadly inspired by ISO/IEC 27005. MONARC uses an iterative method which enables the pragmatic progression of risk management. This approach, as recommended by ISO 27005, enables the user to restrict himself to the essentials, then to carry out successive iterations to broaden the target or further refine it to cover more technical aspects.
- MISP – the Open Source Threat Intelligence and Sharing Platform – is supported by the EU and co-developed by Luxembourg’s CIRCL (computer incident response center). Institutions and individual researchers may request access in order to contribute and retrieve data relating to emerging cybersecurity threats.
- GOVCERT is the single point of contact dedicated to the treatment of all computer related incidents jeopardising the information systems of the government and defined critical infrastructure operators operating in Luxembourg, whether they are public or private
- ENISA proactive detection gap analysis report – includes valuable feedback from an EU-wide survey of incident response teams, gap analysis and comparison with earlier survey results.
Author: Jérôme Verony – LHoFT Research and Strategy Associate
