Seemanta Patnaik, co-founder and chief technology officer at SecurEyes, discusses the continually evolving challenges and threats, and possible solutions to remain resilient to cyber attacks in today’s central banking environment.
Central banks are finding themselves in unusually fraught situations as they grapple with the threat of rising inflation and the risk of another economic downturn. Recent events, such as the failures of prominent US lenders Silicon Valley Bank and Signature Bank, followed by the rescue of Credit Suisse by UBS, have triggered turmoil in global markets and revived concerns about a recession. Germany, the largest economy in Europe and the world’s fourth-largest, has already slipped into a recession that went unnoticed for six months.
Amid the complexity of the banking sector’s stress, central banks face insurmountable pressure from a constant and alarming cyber security threat. On average, a cyber attack occurs every 39 seconds, adding to the challenges central banks must confront: such as the war in Ukraine, global financial pressures and the continuing recovery from the Covid-19 pandemic exacerbate this cyber threat even further – circumstances that create an ideal environment in which hackers can thrive.
The Ideagen report of key accounting and cyber security trends for 2023 reveals that 82% of chief audit executives ranked cyber and data security among their top five risks. This figure has increased year-on-year, with the Bank of England now identifying cyber attacks as the single biggest risk to the UK financial system.
In 2023, the cost of cyber attacks is expected to reach $8 trillion – the equivalent of $255,000 per second. By the end of 2025, the financial repercussions of cyber attacks are projected to skyrocket to $10.5 trillion annually, a figure that would position it as the world’s third-largest economy behind the US and China – a substantial increase from the $6 trillion recorded in 2021 and $3 trillion in 2015.
Mounting cyber threats
Banks and financial sector infrastructures remain prime targets for cyber criminals, who present a persistent challenge to the efforts to defend against cyber attacks. With intricate financial and technological networks interwoven within the sector, the potential for rapid dissemination of attacks throughout the entire system is heightened, risking widespread disruption and eroding trust. Cyber security concerns undeniably threaten the stability of the financial domain.
The complexity of threats is also on the rise. Recent attacks necessitate constant vigilance at an operational level, and the continuous evaluation of regulatory and oversight frameworks is vital in determining whether updates are necessary. Unforeseen and significant shifts can occur at any moment, meaning central banks must be prepared and able to promptly adapt to reduce the financial ecosystem’s vulnerabilities to cyber attacks.
The Euro Cyber Resilience Board for pan-European Financial Infrastructures has recognised supply chain attacks and ransomware as major threats in the current landscape, while artificial intelligence has been identified as an emerging one. At the same time, it has observed how geopolitical developments, such as Russia’s recent aggression against Ukraine, have weaponised cyberspace. Distributed denial-of-service attacks that target government and financial entities have been the most prominent examples.
Alarming gaps and vulnerability to cyber threats
An International Monetary Fund (IMF) survey of 51 countries, published in March 2023, reveals that most financial supervisors in emerging markets and developing economies have yet to implement cyber security regulations or establish the necessary resources for enforcement.
The survey identified alarming gaps and vulnerabilities to cyber threats in the following areas:
- National cyber strategies: 56% of central banks or supervisory authorities lack a comprehensive national cyber strategy specifically tailored to the financial sector.
- Cyber security regulations: 42% of these entities lack dedicated regulations focused on cyber security or technology risk management.
- Specialised risk units: 68% of central banks or supervisory authorities lack a specialised risk unit as part of their supervision department, leaving them inadequately equipped to address cyber risks.
- Testing and exercising cyber security measures: 64% of these entities do not mandate the testing and exercising of cyber security measures, nor do they provide additional guidance to enhance their effectiveness.
- Cyber incident reporting regimes: 54% of central banks or supervisory authorities lack a dedicated regime for reporting cyber incidents, making monitoring and responding to such threats promptly challenging.
- Cyber crime regulations: 48% of these entities do not have specific regulations addressing cyber crime, leaving them vulnerable to various forms of malicious cyber activity.
Meanwhile, a Bank for International Settlements assessment of 29 jurisdictions identified shortcomings in the oversight of financial markets infrastructures.
Neutralising cyber threats
The IMF has submitted a set of five safeguards for the banking sector and financial institutions, along with recommendations for regulators, to prepare for increasing cyber threats and potential breaches:
- Central banks, regulators and financial firms should establish a comprehensive cyber security strategy. Cyber risk is a complex issue that requires solid security measures within governing bodies, robust oversight through regulation and supervision, collective action within the market, and initiatives to enhance capacity and expertise.
- Financial regulators and firms need to shift their focus from traditional business continuity and disaster recovery planning to ensure the delivery of critical services even in the face of disruptions caused by cyber attacks. Building resilience requires the commitment of top leaders in companies and financial regulatory bodies, as well as their board members. Firms should be prepared for severe but plausible incidents that can have a systemic impact. Supervisors should mandate the industry to consider such adverse scenarios and test their contingency plans individually and collaboratively.
- Financial supervisors are responsible for ensuring cyber regulation and supervision effectively promote resilience. Although there is no one-size-fits-all approach, several common elements can be identified. An effective supervisory approach involves a combination of on- and off-site activities, carried out by a diverse team of security experts and generalist supervisors who enforce regulations in a proportionate manner.
- Financial firms must enhance cyber hygiene, develop secure-by-design systems, and establish effective response and recovery strategies. While many of today’s attacks are increasingly sophisticated and rely on social engineering techniques to acquire sensitive information, most successful attacks result from routine lapses, such as failing to apply patch updates or implementing appropriate security configurations. Therefore, implementing awareness programmes and habitual practices to ensure the secure handling of critical data and network/system security is crucial.
- The international community should work towards harmonising cyber incident reporting and promoting adequate information sharing to enable authorities worldwide to manage incidents effectively. This co-operation is essential to enhancing global cyber resilience and mitigating the impact of cyber threats. The model for incident reporting and the common lexicon being developed by the Financial Stability Board are important steps forward.
The Digital Operational Resilience Act
The Digital Operational Resilience Act (Dora), set to take effect in early 2024, marks a significant regulatory milestone in addressing cyber risks in the European Union. Dora aims to enhance the resilience of the European financial sector by establishing unified and strengthened rules for managing information and communications technology (ICT) risks. It also encourages co-operation among relevant authorities in this domain.
Dora establishes a regulatory framework for digital operational resilience, requiring all firms to prepare themselves to withstand, respond to and recover from various ICT-related disruptions and threats. These requirements are consistent across all EU member states, with the primary objective of preventing and mitigating cyber threats. The provisional agreement ensures a robust framework that bolsters the IT security of the financial sector while ensuring the efforts demanded by financial entities are proportionate to the potential risks they face.
Central banks anticipate financial service providers will have adequate tools and governance frameworks in place at a local level to identify, measure, manage, monitor and report ICT and cyber security risks. They also expect these providers to design and implement appropriate ICT governance and risk management frameworks, and maintain robust ICT/cyber security risk management practices. Securities market participants should closely follow the development of Dora and align their cyber security governance and risk management processes with the objectives outlined in the new regulation.
Conclusion
Cyber threats are a persistent reality that cannot be ignored. Numerous adaptable threat actors continually seek to exploit weaknesses or vulnerabilities for illicit purposes. The existing threats are increasingly perilous and new threats are looming. In light of this, central banks must constantly adapt optimal operational and cyber resilience frameworks. This adaptation should occur individually and collectively, achieved through rigorous regulation, enforcement and prosecution.
There have been frequent instances of attackers gaining unauthorised access to banking systems by exploiting technological vulnerabilities, such as the absence of adequate IT security measures, and human vulnerabilities, such as insufficient staff awareness. Human error, whether due to successful phishing attempts or inadvertent negligence, accounts for approximately 95% of cyber security breaches.
Future co-operation between public and private institutions will play a pivotal role in combating cyber threats. Regulators and authorities must actively encourage and ensure the resilience and preparedness of banks in the face of such threats.
Sponsored content
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@centralbanking.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@centralbanking.com