With vulnerability rising, financial regulators globally call for safety net
The business and technology innovations adopted by financial services companies to propel growth, innovation, and cost optimization have brought heightened levels of cyber risk. These innovations have introduced new vulnerabilities and complexities into the financial market infrastructures (FMIs) and the wider ecosystem. The rapid adoption of ATMs, kiosks, Internet, mobile, cloud, and social media technologies as alternate channels has also increased the opportunities available to attackers. Further, the trend towards outsourcing, offshoring and third-party contracting has diluted institutional control over IT systems and access points.
Cyber-attacks are also becoming more sophisticated as attackers’ understanding of the value chains in financial services improves. Since January 2016, malware called Odinaff has targeted several SWIFT users and financial organizations worldwide. These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations which provide support services to these industries are also of interest.
Cyber-attacks on financial market infrastructures (FMIs) can be a source of financial shocks such as liquidity dislocations and credit losses, or a major channel through which these shocks are transmitted across domestic and international financial markets. Central banks of all sizes have also experienced security breaches of varying magnitude. The motives for cyber-attacks are not limited to theft and often extend into a more sinister realm. The financial sector is also a key target because of its access to capital.
Given the news about the recent bank thefts carried out over the SWIFT messaging system, cyber-security has in the recent past moved swiftly up the list of priority issues in several countries as regulatory authorities seek to address cyber-security threats and enhance cyber resilience.
The Federal Financial Institutions Examination Council (FFIEC) has repeated its earlier recommendation that banks review their risk management practices and controls over interbank messaging and wholesale payment networks, including authentication, authorization, fraud detection and response management. In addition, the global standard-setting bodies, the International Organization of Securities Commissions (IOSCO) and the Committee on Payments and Market Infrastructures (CPMI), have issued a “Guidance on cyber resilience for financial market infrastructures” to address the cyber resilience of FMIs. The key concepts built into the Cyber Guidance include the following:
- Board and senior management attention is critical to a successful cyber resilience strategy and to ensuring sound cyber governance.
- The ability to resume operations quickly and safely after a successful cyber-attack is paramount.
- FMIs should make use of good quality threat intelligence and rigorous testing.
- FMIs should aim to instill a culture of cyber-risk awareness and demonstrate ongoing re-evaluation and improvement of their cyber-resilience at every level within the organization.
- Cyber-resilience cannot be achieved by an FMI alone; it is a collective endeavor of the whole “ecosystem”.
While these guidelines are aimed directly at FMIs, it is important that FMIs actively reach out to their participants and other relevant stakeholders to promote understanding and support of resilience objectives and their implementation. The level of cyber-resilience, which contributes to an FMI’s operational resilience, can be a decisive factor in the overall resilience of the financial system and the broader economy. Hence, the safe and efficient operation of FMIs is essential to maintaining and promoting financial stability and economic growth. Further, these guidelines will have implications for the way in which central banks exercise oversight over both national and international payment FMIs, regulate and supervise financial institutions, and monitor financial stability. Regulatory authorities must consider the possibility of systemic risks in the financial ecosystem, such as hackers bringing down a critical financial infrastructure for a prolonged period, and the consequences of such an event.
Further, no guidance from the regulators can cover all risks and necessary actions for all regulated firms. It is management’s responsibility to understand the specific IT-related risks that the firm faces and to ensure that these are sufficiently mitigated in line with the firm’s risk appetite.
Cyber-security is a terrain with enough non-competitive and mutual interests that public and private stakeholders can collaborate to build the resilience required against a common threat: cyber-attacks know no national borders. Cyber-defenses in a highly interconnected world are only as strong as the weakest link. All role players, from critical infrastructure operators and financial firms through to technologists, law enforcement agencies, regulators and vendors, need to work together to counter the dangers faced by FMIs.
(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA) and a board member of the (ISC)2 Colombo Chapter. He can be emailed at sujit@layers-7.com)