Financial Sector’s Cybersecurity: Regulations and Supervision

FINANCE, COMPETITIVENESS & INNOVATION INSIGHT | FINANCIAL STABILITY & INTEGRITY


© 2018 The World Bank Group

1818 H Street NW Washington, DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org All rights reserved.

This volume is a product of the staff of the World Bank Group. The World Bank Group refers to the member institutions of the World Bank Group: The World Bank (International Bank for Reconstruction and Development); International Finance Corporation (IFC); and Multilateral Investment Guarantee Agency (MIGA), which are separate and distinct legal entities each organized under its respective Articles of Agreement. We encourage use for educational and non-commercial purposes.

The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Directors or Executive Directors of the respective institutions of the World Bank Group or the governments they represent. The World Bank Group does not guarantee the accuracy of the data included in this work.

Rights and Permissions

The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly.

All queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: [email protected].


TABLE OF CONTENTS

ACRONYMS AND ABBREVIATIONS III

ACKNOWLEDGMENTS V

INTRODUCTION 1

I. ARE CYBER-SPECIFIC REGULATIONS NECESSARY? 3

II. COORDINATION AMONG AUTHORITIES 5

III. MANDATORY REPORTING AND INFORMATION SHARING 7

IV. RESPONSIBILITIES OF THE BOARD 11

V. RESPONSIBILITIES OF SENIOR MANAGEMENT 13

VI. INFORMATION SECURITY OFFICER 15

VII. INCIDENT RESPONSE 17

VIII. TESTS AND SIMULATIONS 19

IX. OUTSOURCING 21

X. SUPERVISION 23

XI. CONCLUDING REMARKS 25

REFERENCES 27


ACRONYMS AND ABBREVIATIONS

AICPA American Institute of Certified Public Accountants

APIs Application Programming Interfaces

ASIC Australian Securities and Investment Commission

BaFin German Federal Financial Supervisory Authority

BCBS Basel Committee on Banking Supervision

CAPEC Common Attack Pattern Enumeration and Classification (MITRE Corporation)

CCDCOE Cooperative Cyber Defence Centre of Excellence

CCI Commonwealth Cybercrime Initiative

CERT Computer Emergency Response Team

CISO Chief Information Security Officer

CPMI Committee on Payments and Market Infrastructures

CSIRT Computer Security Incident Response Team

CTO Commonwealth Telecommunications Organisation

CybOX Cyber Observable Expression

DDoS Distributed Denial of Service

EBA European Banking Authority

ENISA European Union Agency for Network and Information Security

EU European Union

FDIC Federal Deposit Insurance Corporation

FinSAC Financial Sector Advisory Center

FMI Financial Market Infrastructure

FRB Federal Reserve Board

G7 Group of 7

GCSCC Global Cyber Security Capacity Centre (University of Oxford)

GCSP Geneva Centre for Security Policy

IaaS Infrastructure as a Service

ICT Information and Communications Technology

IEC International Electrotechnical Commission


IOSCO International Organisation of Securities Commissions

ISAC Information Sharing Analysis Center

ISO International Organization for Standardization

IT Information Technology

ITU International Telecommunication Union

NATO North Atlantic Treaty Organization

NIST National Institute of Standards and Technology

NYSDFS New York State Department of Financial Services

OAS Organization of American States

OCC Office of the Comptroller of the Currency

OECD Organisation for Economic Co-operation and Development

PaaS Platform as a Service

SaaS Software as a Service

SOC System and Organization Controls

STIX Structured Threat Information Expression

TAXII Trusted Automated Exchange of Indicator Information

UNCTAD United Nations Conference on Trade and Development

VCDB VERIS Community Database (Verizon)

VERIS Vocabulary for Event Recording and Incident Sharing (Verizon)


ACKNOWLEDGMENTS

The author, Aquiles A. Almansi, is a Lead Financial Sector Specialist, Finance, Competitiveness & Innovation Global Practice at the World Bank Group (WBG). This paper draws on the background work of Dror (2017), Nelson (2017) and Taylor (2017). Detailed comments were received, although not necessarily reflected in this draft, from Dorothee Delort (Senior Financial Sector Specialist), Katia D’Hulster (Lead Financial Sector Specialist), Miquel Dijkman (Lead Financial Sector Specialist), Pasquale Di Benedetta (Senior Financial Sector Specialist), Valeria Salomao Garcia (Senior Financial Sector Specialist), Damodaran Krishnamurti (Lead Financial Sector Specialist), Harish Natarajan (Lead Financial Sector Specialist), Sang Man Park (Senior Financial Sector Specialist) - all of the Finance, Competitiveness & Innovation Global Practice - as well as Iveta Zdravkova Lohovska (Consultant, Information Technology Services, WBG), Sandra Sargent (Senior Operations Officer, Digital Development and Transport, WBG), Zhijun William Zhang (Senior Information Technology Officer, Information Technology Services, WBG), Claus Sengler (European Central Bank), Paul Williams (Bank of England), and Rui Lin Ong (Monetary Authority of Singapore).

A special thanks goes to Aichin Lim Jones (Graphic Designer) for her work on the graphics design of this publication.


INTRODUCTION


According to the Group of 7 (G7) (2016), cybersecurity risks to the global financial system are of critical concern. Attacks on cyberspace, that is, the space between interconnected computers, are “increasing in sophistication, frequency, and persistence, [and] cyber risks are growing more dangerous and diverse, threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems.” Similarly, the International Organisation of Securities Commissions (IOSCO) (2016) has “recognized that cyber risk constitutes a growing and significant threat to the integrity, efficiency and soundness of financial markets worldwide.” Compounding the problem, the inexorable trend toward exclusive digital customer interactions increases the financial sector’s exposure to cyber risks. In this context, PricewaterhouseCoopers (PwC) (2017) notes that 46 percent of bank customers are already digital-only, compared with 27 percent in 2012. Furthermore, those customers interacting with bank staff continue to shrink, falling from 15 to 10 percent during the same period.

IBM X-Force Research (2017) reveals that the financial services sector was attacked more than any other industry in 2016, with the average financial institution monitored by IBM Security Services experiencing 65 percent more attacks than the average client organization across all industries. Moreover, there was a 29 percent increase in attacks from 2015.1 In this context, distributed denial of service (DDoS) and ransomware attacks disrupted the provision of financial services in several countries. Money was stolen or confidential data “exfiltrated” (leaked) using other types of malware and “social engineering” tricks.

“Cyber risk,” frequently narrowly understood as the occurrence of intentional or malicious “cyber incidents,” is just one of the many things that can go wrong in the world of interconnected computers.2 Information and Communications Technology (ICT) risk, in turn, is traditionally understood as just one class of operational risk, a tradition that could suggest some questionable analogies with other classes of such risk.

To deal with the problem, several leading jurisdictions have issued or proposed detailed laws, regulations or guidelines dealing with cyber risk or, more generally, ICT risk. The World Bank’s Financial Sector Advisory Center (FinSAC) (2017) has compiled and continuously updates a digest of this quickly growing body of regulatory and advisory work.

The G7 (2016) sees the following fundamental elements “as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework”: governance, risk assessment, monitoring, response, recovery, information sharing, and continuous learning.

This paper presents the main ideas that can be found widely represented in the FinSAC’s Cybersecurity Regulations in the Financial Sector (2017), which coincides with those of the G7’s fundamental elements. It also outlines attempts to identify the emerging consensus on practices to implement regulations, as well as on how to supervise their implementation by individual financial institutions.

1 For detailed analyses and statistics about cyber incidents, see also Symantec (2017), Synoptek (2017), and Verizon (2017a and 2017b).

2 In addition to intentional incidents, incidents can occur accidentally due to faulty processes, or for purely technical reasons. For a discussion of the many things that can go accidentally wrong due to software complexity, see Somers (2017).

The paper is organized as follows: Section I briefly presents some different viewpoints with regard to the need for financial institutions to write new regulations. Section II discusses the necessary coordination between financial sector authorities and other state agencies in the regulation and supervision of the sector’s ICT systems. Section III presents sample taxonomies (languages) used by different parties to talk about cyber “risks” and share information on cyber “incidents”. Sections IV, V, and VI outline, respectively, the responsibilities of the Board, senior management and, if the position exists, the Information Security Officer. Section VII discusses incident response and recovery. Section VIII describes practices regarding tests and simulations. Section IX addresses the increasingly critical issue of outsourcing. Section X presents sample guidelines for supervisors, and section XI contains concluding remarks.

The mandatory or suggested practices identified in this paper are those of primary interest for the financial sector authorities in charge of regulating and/or supervising licensed banking and non-banking institutions. As more dimensions of the provision of financial services migrate to the space of interconnected computers (or “cyberspace”), other state and regional agencies — such as the European Union Agency for Network and Information Security (ENISA), and national security agencies in some jurisdictions — will be regulating how operations are to be conducted in their respective domains. This implies that financial institutions in some jurisdictions will have to abide by a growing number of regulations pertaining to technical ICT matters beyond the regulatory perimeter of the financial sector authorities, such as encryption protocols, application programming interfaces (APIs), or authentication mechanisms. These are outside the scope of this paper.

While the provisional findings of this work are significantly enhanced by the FSB stocktaking of existing regulations and supervisory practices in G20 jurisdictions presented last October, financial sector authorities from World Bank client countries, in search of guidance on whether and how to regulate and supervise cyber risk management in institutions subject to their jurisdiction, may find the main ideas here described a good starting point.

I. ARE CYBER-SPECIFIC REGULATIONS NECESSARY?

Crisanto and Prenio (2017) note that there are differing institutional views about whether and how to regulate cyber risks. “One view is that the evolving nature of cyber risk is not amenable to specific regulation and that cyber issues can be handled with existing regulations relating to technology and/or operational risk. The other view is that [a] regulatory structure is needed to deal with the unique nature of cyber risk, and given the growing threats resulting from an increasingly digitized financial sector.”

Commenting on the United States Federal Reserve Board/Office of the Comptroller of the Currency/Federal Deposit Insurance Corporation (FRB/OCC/FDIC) advanced notice of proposed rulemaking on enhanced cyber risk management standards (2016), Promontory (2017) notes that a “rulemaking that imposed overlapping new cybersecurity standards on top of the multiple existing standards, without any empirical analysis of actual effects, would be counterproductive. Rather than improving cybersecurity, such a rulemaking would divert to unproductive compliance processes the very resources that covered entities could otherwise devote to securing operations.” In this context, Crisanto and Prenio (2017) note that one “potential benefit of regulation is that it can help ensure Board and Management buy-in. As regulation makes any issue more visible to Boards and Management, regulation on cyber risk gives banks a stronger incentive to continuously invest in improved cybersecurity.”

Promontory points out the multiple, overlapping, international cybersecurity standards such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 (2016), ISO/IEC-27001 (2005), ISO/IEC-27002 (2013), the System and Organization Controls (SOC) for Cybersecurity of the American Institute of Certified Public Accountants (AICPA)3, frameworks such as the one from the National Institute of Standards and Technology (NIST) (2017 and 2014), as well as guidelines like those of the Committee on Payments and Market Infrastructures (CPMI-IOSCO) (2016), and regulations on operational risk management in most national jurisdictions.

Management failures occur because too many people still see cybersecurity as a technical matter, reserved for the exclusive domain of information technology (IT) specialists. As Crisanto and Prenio (2017) suggest, regulations that actually deal mostly with corporate governance matters make cybersecurity more visible to Boards and Management, thereby providing stronger incentives to them to take responsibility for it.

Traditional ways of thinking about operational risk, incorporated in some regulations on cyber risk, may not be fully adequate to deal with the new reality. Principle 25 of the Basel Committee on Banking Supervision (BCBS) (2012), for example, includes among its essential criteria the provision that “The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards.” However, given the systemic magnitude of cybersecurity risk derived from the system’s interconnected nature, it is unclear why the degree of cyber risk taken by an individual institution should depend in any sense on the Board’s risk “appetite” for operational risk. The presence of negative externalities would suggest setting minimum standards regardless of such “appetite,” or any other subjective consideration.4

3 http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPACybersecurityInitiative.aspx

Technical complexity (in the number of potential entry points for an attacker and in the diversity of services), the capacity to deal with it, and the potential systemic impact of cyber incidents are likely to be proportional to the size of the financial institution. As such, some of the emerging guidelines and regulations fully apply to large institutions only.5 Since an interconnected system is as strong as the weakest of its nodes, some jurisdictions may well choose to consider subjecting all interconnected institutions to the same minimum cybersecurity standards, regardless of size.

4 For example, the average delay in departures, and the proportion of luggage lost, could indeed be left to an airline’s “risk appetite,” but the frequency of crashes probably should not.

5 Standards set forth by the FRB-OCC-FDIC (2016), for example, would apply to all U.S. bank holding companies with total consolidated assets of $50 billion or more.


II. COORDINATION AMONG AUTHORITIES

“...each distinct aspect of cybersecurity (…cyber crime, intelligence, military issues, Internet governance, or national crisis management) operates in its own silo, belonging, for instance, to a specific government department or ministry. Each of these silos has its own technical realities, policy solutions, and even philosophies.”

Klimburg (2017)

Principle 2 of the BCBS (2012) requires the bank supervisor to possess “operational independence”, and the first essential criterion for the observance of such a principle requires that “no government or industry interference ... compromises the operational independence of the supervisor,” and that the “supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision.” These requirements are fully consistent with the supervision of managerial behaviors. However, the regulation and supervision of ICT risks, as well as the response to incidents, may require the intervention of other state agencies.

Many countries have already published national cybersecurity strategies, frequently identifying the state agencies in charge of setting minimum standards and responding to a cyber incident. References to bank security can already be found in the following country strategies: Australia, Austria, Bangladesh, Brunei Darussalam, Canada, China, Colombia, the Arab Republic of Egypt, France, Ghana, Ireland, Italy, Japan, Jordan, Kenya, Malaysia, Micronesia, Morocco, the Netherlands, New Zealand, Nigeria, Norway, Poland, Qatar, the Russian Federation, Saudi Arabia, Singapore, Slovakia, Slovenia, Sweden, Switzerland, the United Kingdom (UK), and the United States (US).6 National cybersecurity strategies and legal frameworks should clearly specify the respective responsibilities of the financial sector and other authorities, such as national security agencies. Without such clarity, jurisdictional conflicts are bound to arise when issuing new cybersecurity regulations or, even worse, when handling cyber incidents in the financial sector.7

A new reference guide is being developed by a host of organizations to serve as a single source to guide countries in developing their own national cybersecurity strategies. This guide should also help financial sector authorities better understand the nature of the institutional structure required to deal with cybersecurity. It is currently being prepared by the International Telecommunication Union (ITU), a United Nations agency, in partnership with the Commonwealth Cybercrime Initiative (CCI), the Commonwealth Telecommunications Organisation (CTO), ENISA, the Geneva Centre for Security Policy (GCSP), the University of Oxford’s Global Cyber Security Capacity Centre (GCSCC), Intellium, Microsoft, the North Atlantic Treaty Organization (NATO)’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), the Organisation for Economic Co-operation and Development (OECD), the Organization of American States (OAS), the Potomac Institute, RAND Europe, the United Nations Conference on Trade and Development (UNCTAD) and the World Bank.

6 http://www.itu.int/en/ITU-D/Cybersecurity

7 An important example of a legal framework that clarifies the roles of different state agencies is EU (2016), naturally including cross-border considerations in the European Union.


III. MANDATORY REPORTING AND INFORMATION SHARING

Previous sections assume a common understanding of what is meant by words such as “cyber”, “risks” and “incidents,” as used by the G7 (2016), the International Organisation of Securities Commissions (IOSCO) (2016) and IBM (2017), among others. To understand how different organizations use these terms requires knowing their respective “taxonomies” (languages). All stakeholders need precise, common languages to share information, either of the mandatory kind, between supervisory institutions and authorities or, to prevent the spread of cyber incidents, voluntarily with other potentially affected entities.

Taxonomies are languages or conventions for information sharing, and there are many of them. For instance, ICT specialists frequently work with MITRE Corporation’s “Common Attack Pattern Enumeration and Classification” (CAPEC), a “comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses”.8 Regarding mechanisms of attack, CAPEC identifies 118 different mechanisms to collect and analyze information; 152 to inject unexpected items; 156 to engage in deceptive interactions; 172 to manipulate timing and state; 210 to abuse existing functionality; 223 that employ probabilistic techniques; 225 that subvert access control; 255 that manipulate data structures; and 262 that manipulate system resources. Regarding domains of attack, CAPEC identifies 403 different types of social engineering; 437 on the supply chain; 512 on communications; 513 on software; 514 on physical security; and 515 on hardware.

Verizon offers the “Vocabulary for Event Recording and Incident Sharing” (VERIS) to help organizations “collect and share useful incident-related information anonymously and responsibly.”9

VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner, namely: the “who” (threat actors), the “what” (victim assets), the “why” (threat motives), and the “how” (threat actions) of each cybersecurity incident.10 The VERIS Community Database (VCDB) is an open and free repository of publicly-reported security incidents in VERIS format.11

Another taxonomy available for the automated sharing (primarily among computer systems, not among people!) of threat information in standardized format was originally developed by the US Department of Homeland Security. It is currently maintained by an open community12, and is composed of the freely available Trusted Automated Exchange of Indicator Information (TAXII), the Cyber Observable Expression (CybOX), and the Structured Threat Information Expression (STIX).

8 CAPEC: Common Attack Pattern Enumeration and Classification—A Community Resource for Identifying and Understanding Attacks, https://capec.mitre.org/.

9 “Veris: The Vocabulary for Event Recording and Incident Sharing” at: http://veriscommunity.net.

10 “Vocabulary for Event Recording and Incident Sharing” at: https://github.com/vz-risk/veris.

11 VCDB raw data is available at: https://github.com/vz-risk/VCDB

12 “Oasis Cyber Threat Intelligence” at: https://wiki.oasis-open.org/cti/.

Apart from highly specialized units in financial supervisory agencies, none of these taxonomies are likely to be very useful for information sharing among financial sector authorities, or between them and the Boards and Senior Management of supervised institutions. In this context, the European Banking Authority (EBA) (2017), for example, asks European bank supervisors to map identified ICT risks into the following five risk categories:

• Availability and continuity risk: the risk that the performance and availability of systems and data are adversely impacted, including the inability to timely recover due to a failure of hardware or software, management weaknesses, or any other event.

• Data integrity risk: the risk that data stored and processed are incomplete, inaccurate or inconsistent across different systems.

• Change risk: the risk arising from the inability of the institution to manage system changes in a timely and controlled manner.

• Outsourcing risk: the risk that engaging a third party, or another group entity (intra-group outsourcing), to provide systems or related services, adversely impacts the institution’s performance and risk management.

• Security risk: the risk of unauthorized access to systems from within or outside the institution.

Data integrity, and services availability and continuity are some of the dimensions that may, for many different reasons, go awry with the ICT systems of a financial institution. In other words, services can be disrupted and/or data compromised. Physical failures and logical ones (“bugs”) can impact ICT systems, and institutions can fail to properly manage the constantly changing state of their ICT systems,13 and/or the external providers of outsourced services. Additionally, ICT systems can fail because of security reasons, that is, when someone from inside or outside the institution intentionally does something that disrupts services or affects data integrity.

The EBA’s first four “ICT risks” remain, at least conceptually, reasonably well defined over time, but “security” risks keep mutating. As illustrated by the CAPEC taxonomy, there are literally thousands of ways (by combining different “domains” and “mechanisms” of attack) that a financial institution’s ICT systems can be compromised. Attacks can occur without penetrating ICT systems; or by penetrating them with or without hacking them; by insiders or a variety of outsiders; with or without “social engineering”; with or without physical access to them — and many more ways yet to be discovered.

Once an incident has affected the ICT systems of a supervised institution, EBA’s taxonomy provides a language to communicate possible answers as to what has happened (services disrupted and/or data integrity affected?) and why it has happened (autonomous system malfunction, or inadequate management of own and/or third-party systems, and/or malicious third-party intervention?). Although only some supervisory agencies may have the internal capacity to make productive use of strictly technical information, as described for example by the taxonomies of CAPEC or TAXII-CybOX-STIX, all supervisors need a taxonomy to describe the impacts of an incident. Once again, EBA offers a helpful taxonomy of the possible impacts of an incident, as follows:14

• Financial impact including (but not limited to) loss of funds or assets, potential customer compensation, legal and remediation costs, contractual damages, lost revenue;

• Business disruption, considering (but not limited to) the criticality of the financial services affected; the number of customers and/or branches and employees potentially affected;

• Reputational impact based on the criticality of the banking service or operational activity affected (e.g., theft of customer data); the external profile/visibility of the ICT systems and services affected (e.g. mobile or on-line banking systems, point of sale, ATMs or payment systems);

• Regulatory impact, including the potential for public censure by the regulator, fines or even variation of permissions; and

• Strategic impact, if strategic products or business plans are compromised or stolen.

13 The state of ICT systems keeps changing because, in addition to new applications or new features in existing ones, they constantly undergo security updates. Any of these changes can break a system at any time.

14 To understand the essentially linguistic (conventional) role of all taxonomies, these impacts are what other parties would perhaps prefer to call the risks associated to an ICT incident.

Supervisory taxonomies facilitate information sharing among supervisors, and between them and supervised institutions. Given the potential regulatory impact, however, supervised institutions have limited incentives to voluntarily report incidents. Consequently, some jurisdictions make such reporting mandatory. The European Union (EU) (2016), for example, regulates the mandatory notification of a significant incident as follows:

“Banking corporations shall notify, without undue delay, the competent authority of incidents having a significant impact on the continuity of the essential services they provide, or in case that there is a reasonable likelihood of materially harming business operations. Notifications shall include information enabling the competent authority to determine any impact of the incident. Notification shall not make the notifying party subject to increased liability.” Furthermore, it specifies the following parameters as determining the magnitude of the impact: “(a) the number of users affected by the disruption of the essential service; (b) the duration of the incident; and (c) the geographical spread with regard to the area affected by the incident.”

It is important to note that in addition to establishing a mandatory reporting requirement, the EU (2016) states its precise purpose (to enable the competent authority to determine any impact of the incident), and it also defines how to account for such an impact. Without stating the precise purpose of the notification, in many countries the supervisory authority could easily become liable for what it does—or does not do—in responding to an incident. As suggested in section II, responding to an incident is likely to eventually become the responsibility of other state agencies, such as a Computer Emergency Response Team (CERT) or a Computer Security Incident Response Team (CSIRT), possibly associated with a national security agency. This in turn may also require mandatory reporting, with a different taxonomy.15

Reporting on the impact of an incident to the supervisory authority should not be confused with the voluntary sharing of technical information that could help other institutions take preventive actions. To deal with the limited incentive to reveal problems there are different initiatives, either private or in public-private partnerships, to voluntarily share information about incidents on an anonymized basis. Crucially, this can be done in a language that facilitates the taking of immediate preventive actions. For example, one success story concerns the Information Sharing and Analysis Centers (ISACs) in the United States, which include a financial services ISAC automatically sharing information among members utilizing the TAXII-CybOX-STIX taxonomy.

15 Establishing a financial sector CERT or CSIRT as a dependency of the Central Bank is not unthinkable, but in many jurisdictions, it could potentially create significant contingent liabilities.

IV. RESPONSIBILITIES OF THE BOARD

“...we seem conceptually trapped in thinking of the new challenges of cyberspace as being purely technical, instead of being very much human.”

Klimburg (2017)

Principle 25 of BCBS (2012) requires supervisors to verify that a bank’s strategies, policies and processes for the management of operational risk are approved and regularly reviewed by the Board—and that the Board oversees their effective implementation. Consistent with this general principle, regulations and guidelines specifically dealing with cyber risk (for example, the Australian Securities and Investments Commission [ASIC] (2015); CPMI-IOSCO (2016); FRB-OCC-FDIC (2016); Ireland (2016); and Israel (2015)) typically require that the Board of supervised institutions: (i) approve a written ICT strategy aligned with the institution’s overall business strategy; (ii) approve a comprehensive ICT risk management framework; and (iii) oversee senior management’s effective implementation of both the strategy and risk management framework.

In several regulatory documents, the Board’s role is expected to go well beyond that of adopting strategies and frameworks to encompass the oversight of their effective implementation. Ireland (2016), for example, requires the Board to “receive reports on significant cyber incidents”, and so does Israel (2015). ASIC (2015) not only asks to “review the level of Board and Senior Management oversight of cyber risks,” but also “how frequently risks are updated.”

The Central Bank of Ireland (2016) requires the Board to receive “updates on the scenarios considered and the development and testing of disaster recovery and business continuity plans” and to understand “what the objectives of these are in terms of maintaining availability of critical IT systems and business operations.” Furthermore, it expects the Board (as a whole) and Senior Management to “possess sufficient knowledge and understanding of the IT-related risks facing the firm, and [to] take steps to ensure that these risks are well understood and properly managed throughout the firm.” They should also be able to demonstrate to supervisors that these steps have been taken.

The findings of the “Bridging the Technology Gap in Financial Services Boardrooms” report by Accenture (2015) suggest that the required knowledge and understanding are still rather scarce. According to that report, “only 6 percent of Board members and 3 percent of CEOs at the world’s largest banks have professional technology experience. In addition, 43 percent of the banks have no Board members, and nearly 30 percent have only one Board member, with professional technology experience.” Ho (2015) has an answer for such a knowledge gap: the Monetary Authority of Singapore “expects that the Board be regularly apprised on salient technology and cyber risk developments.” Furthermore, financial institutions “should have in place a comprehensive technology risk and cybersecurity training program for the Board. Such a program may comprise periodic briefings conducted by in-house cyber security professionals or external specialists. The goal is to help equip the Board with the requisite knowledge to competently exercise its oversight function, and appraise the adequacy and effectiveness of the financial institution’s overall cyber resilience program.”

V. RESPONSIBILITIES OF SENIOR MANAGEMENT

The Bank of Israel (2015) serves as a representative example of the duties of an institution’s senior management regarding cybersecurity regulations and guidelines, as follows:

• Creating the cyber risk management framework and overseeing its implementation;

• Formulating the corporate cyber defense policy;

• Implementing and consistently maintaining the cyber risk, including allocating sufficient resources;

• Monitoring the effectiveness of the cyber defense, and coordinating with internal and external risk management entities;

• Receiving periodic reports on cyber threats;

• Receiving periodic reports on relevant, internal and external cyber incidents and their implications;

• Discussing the operative implications of cyber risks, and providing guidance and control over the implementation of any required changes.

Senior management needs to receive periodic reports on cyber threats and incidents to design the appropriate cyber risk management framework and cyber defense policy, very much as the Board needs to receive the same information to understand and approve such framework and policy, and to oversee their effective implementation by Senior Management. Neither in the case of the Board nor in that of Senior Management, however, do regulations make clear the point of receiving reports on cyber incidents beyond that of informing eventually necessary adjustments in strategies, policies, risk management frameworks, disaster recovery and business continuity plans.

Dealing with cyber incidents may require taking business decisions that would normally not make sense to delegate to ICT staff. For example, if it is found that unknown malware has compromised a critical system, who is to be held personally responsible for taking the decision to shut down the system until the problem is resolved or, alternatively, continue providing the system’s services while ICT staff work to neutralize it? This type of business decision requires choosing between a (financially, reputationally, regulatorily) costly disruption of services now, and the possibility of a catastrophic disruption later. Such a problem would seem to fall under the purview of Senior Management and/or executive members of the Board. In this regard, financial sector regulations on cyber risk do not explicitly delineate how such critical decisions are to be made regarding the responsibilities of Senior Management. As discussed in section VII, only those regulations dealing with incident response require an explicit assignment of responsibilities in the incident response plan.

VI. INFORMATION SECURITY OFFICER

As noted in sections IV and V, existing regulations assign concrete responsibilities regarding ICT security/cybersecurity to the Board and Senior Management. Although less common, some regulations already require the appointment of an Information Security Officer, Chief Information Security Officer (CISO), or Chief Cyber Defense Officer. The National Institute of Standards and Technology (NIST) (2017) framework assumes its existence, and the New York State Department of Financial Services (NYSDFS) (2017) requires a CISO. However, subject to certain conditions, the latter allows for the hiring of an independent contractor.

Israel (2015), Korea (2016) and the German Federal Financial Supervisory Authority (BaFin) (2017) provide similar job descriptions for the CISO. Israel (2015) states that this officer “shall report to a senior executive of the banking corporation, and shall officially be given the authority to influence any decisions that affect the banking corporation’s exposure to cyber risks.” As this entails helping to manage trade-offs between business and cybersecurity objectives, all these regulations emphasize the need to prevent conflicts of interest. BaFin (2017), for example, requires separating this function from the internal audit and the areas responsible for the operation and further development of the IT system,16 as well as providing it with adequate resources.

Another important role for the CISO is to lead the institution’s continuous learning on cybersecurity.

Israel (2015) asks the CISO to “promote cyber threats awareness and provide training on mitigation processes across the banking corporation including employees, suppliers, partners and customers.” Korea (2016) expects the CISO to “develop an educational program to strengthen the ability of executives and employees to deal with information security, and to formulate and execute an annual educational plan.” Directly related to this educational role, Israel (2015) also requires the CISO to “initiate and execute cyber exercises.”

Finally, BaFin (2017) creates the obligation for employees of the institution, as well as IT service providers, to provide immediate and comprehensive information to the Information Security Officer on all known IT-related issues affecting the institution. Requiring this reporting from IT service providers is related to the handling of outsourcing, as discussed in section IX.

16 The Chief Information Officer could, for example, be reluctant to approve IT security features that hinder project delivery.

VII. INCIDENT RESPONSE

CPMI-IOSCO (2016) states that a “Financial Market Infrastructure (FMI) should involve its Board and Senior Management appropriately, for example, as part of crisis management teams.” However, financial regulations on cybersecurity typically do not explicitly list incident response responsibilities for members of the Board and/or Senior Management. These responsibilities are expected to be assigned in the institution’s incident response plan. EBA (2017), for example, requires “a documented incident management and escalation process, that also provides guidance on the different incident management and escalation roles and responsibilities, the members of the crisis committee(s) and the chain of command in case of emergency.”

NYSDFS (2017) details the required content of their incident response plan as follows:

• The internal processes for responding to a cybersecurity event;

• The goals of the incident response plan;

• The definition of clear roles, responsibilities and levels of decision-making authority;

• External and internal communications and information sharing;

• Identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;

• Documentation and reporting regarding Cybersecurity Events and related incident response activities;

• The evaluation and revision, as necessary, of the incident response plan following a cybersecurity event.

Although assigning decision-making responsibilities is essential, doing so only in the context of a plan may be counterproductive if such a plan is not sufficiently general in nature. If the concept of a “plan” is narrowly understood as detailing well-defined steps to deal with well-defined contingencies, such as fires or earthquakes, it may be unhelpful in the constantly evolving and unpredictable realm of cyber incidents.17

17 In a Cyber Crisis Simulation Exercise (CCSE) delivered by the World Bank there were two groups composed of senior operational risk staff representing, respectively, the Senior Management teams of two banks facing severe cyber incidents. One of the teams assessed the situation as described in the scenario and responded accordingly; the other had problems because it did not have a “plan” for it!

VIII. TESTS AND SIMULATIONS

Cybersecurity regulations and guidelines typically require or suggest regular tests and simulations of incident response capabilities. For example, EBA (2017) instructs supervisors to verify whether a supervised institution’s risk management framework “tests ICT availability and continuity solutions, against a range of realistic scenarios including cyber attacks and tests of back-ups for critical software and data which:

• are planned, formalized and documented, and the test results used to strengthen the effectiveness of the ICT availability and continuity solutions;

• include stakeholders and functions within the organization, such as business line management including business continuity, incident and crisis response teams, as well as relevant external stakeholders in the ecosystem;

• include management; Board and Senior Management are appropriately involved in…a crisis management team…and are informed of test results.”

The typical technical test, penetration testing, involves hiring “white hat” hackers who attempt to penetrate the institution’s ICT systems using different techniques, from “sniffing” the network for open ports, to different forms of “social engineering”.18 Such testing is required or suggested by multiple regulations and guidelines, such as: CBEST (2016), Crisanto and Prenio (2017), the United Kingdom’s Department for Digital, Culture, Media and Sport (DCMS) (2016), EBA (2017), FRB-OCC-FDIC (2016), IOSCO (2016), Ireland (2016), NIST (2017) and Malaysia (2016).

Crisis simulation exercises involving key stakeholders, such as Board Members and Senior Management, are intended as “learning-by-doing” exercises, that is, practicing information sharing and coordination among decision makers.19

18 This could involve tricking staff with emails appearing to come from their bosses with unusual requests, clicking on poisoned hyperlinks, or downloading attachments containing malware.

19 Major banks have been doing these exercises for years. The World Bank has delivered more than 30 crisis simulation exercises for financial sector authorities since 2008, with scenarios frequently including some and, occasionally only, cyber incidents as triggers of financial instability.

IX. OUTSOURCING

Financial institutions increasingly rely on diverse IT service providers. Cloud services, in particular, are evolving from providing just “infrastructure as a service” (IaaS) to “platform as a service” (PaaS), and even to “software as a service” (SaaS).

Outsourcing has traditionally been an important challenge in operational risk management, and current cybersecurity regulations and guidelines contain the usual expectations about an institution’s capacity to manage it. EBA (2017), for example, expects an institution to have “an effective framework in place for identifying, understanding and measuring ICT outsourcing risk, and in particular, controls and a control environment in place for mitigating material outsourced ICT services that are commensurate with the size, activities and the ICT risk profile of the institution.” A key expectation is that the supervisor assesses the institution’s capacity to “review the ICT risk management policies and the ICT controls and control environment of the service provider to ensure that they meet the institution’s internal risk management objectives and risk appetite.”

Institutions of all sizes and risk profiles need to rely, at least partially, on proprietary (hence closed-source) software applications developed by third parties, which are in turn normally built on top of many different libraries developed by additional third parties entirely unknown to the bank. Consequently, it may not be particularly realistic to expect supervised institutions to be able to review the ICT controls of so many (including unknown) developers. However, “cloud computing” has freed the banks, and many other organizations (partly including the World Bank), from owning and securely maintaining a data center. The largest providers of cloud services in the US and other countries are key technology players such as Amazon, Google, HP, IBM, and Microsoft. It is unclear whether an individual bank, including the largest institutions, could meaningfully review the “ICT controls and control environment” of such service providers. These are also typically outside the regulatory perimeter, and frequently outside the national jurisdiction, of financial sector authorities.

Given the apparently irreversible migration to the cloud by most financial sector institutions, two interesting questions arise. First, who should be in charge of regulating and supervising cloud providers? Second, to what extent does the reliance on the increasingly homogeneous services of cloud providers contribute to systemic risk?

X. SUPERVISION

In assessing the quality of Board and Senior Management oversight of IT risks, Ireland (2016) offers a clear example of the inadequate managerial practices that skillful supervisors can uncover in the field, including the following ones directly related to sections IV, V and VII:

• Insufficient alignment between the IT and business strategies.

• The quality and/or frequency of IT-related reporting to the Board is highly variable and, in many cases, deficient.

• In general, the Board and Senior Management are not sufficiently informed about the operational risk profile of the firm, including IT and cybersecurity risks.

• Inadequate and/or infrequent testing of disaster recovery and business continuity plans and failure to inform the Board of the outcomes of this testing.

Although supervisory practices are not as publicly available as the regulatory texts that supervisors must enforce, EBA (2017) offers detailed, probably quite representative, guidelines. Its general provisions, some of which touch on themes discussed in this paper, are as follows:

• “...the frequency, scope and intensity of the supervisory review of an institution, and also the supervisory expectations of the standards the institution is expected to meet ...should be proportionate to the size, structure and operational environment of the institution as well as the nature, scale and complexity of the institution’s activities.”

• “...the increasing reliance on outsourced ICT services and third-party products, often in the form of diverse packaged solutions”, results “in manifold dependencies[,]…potential constraints and new concentration risks.”

• “...authorities should use existing and available documentation (for example, relevant reports and other documents, meetings with risk management, on-site inspection findings) to inform their assessment.”

• “...authorities may exclude some of the ICT risks included in the taxonomy if not pertinent to their assessment.”

It follows from these general provisions that the key consideration that sets current perceptions about the challenges of ICT risk supervision apart from those of more conventional supervisory tasks is the increasing reliance on outsourced ICT services. Consequently, the wisdom of EBA’s representative guidelines critically depends on those perceptions.20 The guidelines cover the following matters in detail:

• ICT governance and strategy, including: general principles; development of the ICT strategy; and implementation of the ICT strategy, internal governance, and risk management.

• ICT risk exposures and controls, including: general considerations; identification of material ICT risks; and assessment of the controls to mitigate material ICT risks.

20 Can each and every financial institution, including the largest and most sophisticated ones, realistically be expected to “review” the ICT controls and control environment of each and every one of the developers writing the code that runs its ICT systems to ensure that no “backdoor” or malware is inserted? (Windows 10 alone currently has more than 40 million lines of proprietary, closed-source code.) Can each and every financial institution meaningfully review the ICT controls and control environment of major “cloud” providers, such as Amazon, Google, HP, IBM, and Microsoft? Would an in-house data center (running millions of lines of unknown code written by unknown developers) be easier for an institution to review and for authorities to supervise?

Given the current state of the global labor market for IT specialists, finding and retaining technically qualified staff to assess an institution’s ICT strategy, and its exposures and controls, are daunting tasks for most jurisdictions, including major ones. This is yet another reason to reflect on the allocation of regulatory and supervisory responsibilities among state agencies, as discussed in section II.

XI. CONCLUDING REMARKS

The increasing reliance on ICT technology will require a careful distribution of regulatory and supervisory powers between financial sector authorities and other state agencies. Without a clear legal framework, jurisdictional conflicts are inevitably bound to arise in many countries.

Due to the contagion potential derived from the interconnected nature of contemporary financial infrastructure, traditional concepts such as “proportionality” in regulatory requirements and supervisory attention, and “risk appetite for operational risk,” may have to be revised. An interconnected system is as strong as its weakest link. Hence, it may be necessary to set minimum cybersecurity standards for all institutions, independently of other dimensions of their systemic importance.

Comparing the responsibilities of the Board and Senior Management, as described in sections IV and V, with the detailed questions that supervisors following guidelines such as those of EBA (2017) would be inclined to ask, the findings of Ireland (2016) are not surprising. Furthermore, Accenture (2015) reveals that most Board members, even those from the largest banks in the world, would likely have trouble offering satisfactory answers. In some legal frameworks, dealing with this problem may require writing substantially more detailed regulations regarding the responsibilities of the Board and Senior Management.

Increasing the outsourcing of ICT services is an irreversible trend, which can perhaps decrease the ICT risk of individual institutions. However, it might also contribute to heightened systemic risk.

Although some regulations explicitly require cybersecurity training for the Board, Senior Management, and employees, surprisingly there are no widespread references yet to training the growing number of digital customers of financial services.

REFERENCES

Accenture. 2015. Bridging the Technology Gap in Financial Services Boardrooms.

ASIC (Australian Securities & Investments Commission). 2015. Cyber Resilience: Health Check. Report 429.

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht – German Federal Financial Supervisory Authority). 2017. Bankaufsichtliche Anforderungen an die IT (BAIT). Konsultation.

BCBS (Basel Committee on Banking Supervision). 2012. Core Principles for Effective Banking Supervision.

CBEST (California Basic Educational Skills Test). 2016. CBEST Intelligence-Led Testing, Implementation Guide.

CPMI-IOSCO (Committee on Payments and Market Infrastructures – International Organisation of Securities Commissions). 2016. Guidance on cyber resilience for financial market infrastructures. Bank for International Settlements and International Organization of Securities Commissions.

Crisanto, Juan Carlos and Jeremy Prenio. 2017. Regulatory approaches to enhance banks’ cyber-security frameworks. FSI Insights on Policy Implementation No 2. Financial Stability Institute, Bank for International Settlements.

DCMS (UK Department for Digital, Culture, Media and Sport). 2016. Cyber security regulation and incentives review.

Dror, Ishai. 2017. Cybersecurity Regulation in the Financial Sector. Key concepts in existing and proposed regulations. Unpublished manuscript.

EBA (European Banking Authority). 2017. Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP).

EU (European Union). 2016. Directive 2016/1148 Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union - NIS.

FinSAC (World Bank’s Financial Sector Advisory Center). 2017. Cybersecurity Regulations in the Financial Sector: A Digest. Vienna, Austria: The World Bank - FinSAC.

FRB-OCC-FDIC (Federal Reserve Board - Office of the Comptroller of the Currency - Federal Deposit Insurance Corporation). 2016. Advance Notice of Proposed Rulemaking (ANPR) Regarding Enhanced Cyber Risk Management Standards for Large and Interconnected Entities. United States: Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation.

G7 (Group of 7). 2016. Fundamental Elements of Cybersecurity for the Financial Sector.

Ho, Hern Shin. 2015. Circular No. SRDTR03/2015. Monetary Authority of Singapore (MAS).

IBM (International Business Machines). 2017. Security trends in the financial services sector. IBM X-Force Research.

IOSCO (International Organisation of Securities Commissions). 2016. Cyber Security in Securities Markets – An International Perspective.

Ireland, Central Bank of. 2016. Central Bank Guidance on IT and Cyber Security Risks.

ISO/IEC (International Organization for Standardization / International Electrotechnical Commission). 27000. 2016. Standard 27000: Information technology – Security techniques – Information security management systems – Overview and vocabulary.

______. 27001. 2005. Standard 27001: Requirements on Information technology – Security techniques – Information security management systems.

______. 27002. 2013. Standard 27002: Information Technology – Security Techniques – Code of Practice for Information Security Controls. Second edition.

Israel, Bank of. 2015. Cyber Defense Management Directive.

Klimburg, Alexander. 2017. The Darkening Web. The War for Cyberspace. Penguin Press: New York.

Korea. 2016. Regulation on Supervision of Electronic Financial Transactions.

Malaysia, Securities Commission. 2016. Guidelines on Management of Cyber Risk SC-GL/2-2016.

Nelson, Winston. 2017. Taxonomy of ICT Risks. Unpublished manuscript.

NIST (National Institute of Standards and Technology). 2017. Cybersecurity Workforce Framework. NIST Special Publication 800-181.

______. 2014. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0.

NYSDFS (New York State Department of Financial Services). 2017. Cybersecurity Requirements for Financial Services Companies.

Promontory. 2017. Comments to ANPR on Enhanced Cyber Risk Management Standards. February 15. Promontory Interfinancial Network.

PwC (PricewaterhouseCoopers). 2017. Digital Banking Survey.

Somers, James. 2017. “The Coming Software Apocalypse.” The Atlantic Magazine. September 26.

Symantec. 2017. Internet Security Threat Report.

Synoptek. 2017. Cybersecurity Outlook for Financial Services Organizations.

Taylor, Charles. 2017. Cyber Preparedness for Financial Regulators. Unpublished manuscript.

Verizon. 2017a. Data Breach Investigations Report. 10th Edition.

______. 2017b. Data Breach Digest.
