New WSBI-ESBG Innovation & Payments Policy Advisor Matteo Mannino shares some thoughts
The following piece appears in the upcoming edition of WSBI-ESBG News & Views magazine.
Published: BRUSSELS, 22 July 2020
Cyber-attacks and incidents pose a substantial risk to the stability of the overall financial sector. They are increasing both in number and complexity, particularly since the start of the Covid-19 pandemic, as the financial sector is more and more dependent on digital technologies.
Identifying cyber threats properly and protecting against them is a commitment shared by every financial institution. A key success factor is a sound ICT and risk security management framework. However, there are many specific risks that require mitigation solutions, and a well-organised response and recovery plan. Cybersecurity needs to be coordinated at international level. The number of incident reporting requirements varies from country to country. For an organisation with common business infrastructure supporting operations in several countries, this means that a single incident triggers several incident reports to multiple authorities in many different countries.
ESBG members have expressed their recommendations to policymakers on how to strengthen the digital resilience of the financial sector on a number of occasions. They have recently responded to the European Commission consultations on digital resilience, and on a European digital finance strategy, and they are working on a Financial Stability Board consultation on effective practices for cyber incident response and recovery.
ESBG highlights the negative effects of the current overlapping of reporting obligations regarding cyber incidents. Supervisors have reacted to the cybersecurity threat landscape with a proliferation of cybersecurity frameworks and reporting regulations. This has created significant inefficiencies and conflicting direction for financial institutions.
The burden should not be on the financial institution to provide differentiated reports to regulators; it should be the burden of regulators to harmonise the report requirements.
Furthermore, WSBI-ESBG is engaged in organising a number of initiatives aimed at raising awareness of cybersecurity topics. On 18 June WSBI and ESBG members gathered with PwC experts to discuss the impact of Covid-19 on how organisations manage remote workforces, VPNs and multifactor authentication. They exchanged views on tactical and strategic answers to cyber attacks. An ESBG Spotlight webinar on 7 July tackled cyber resilience and systemic risk from a financial infrastructure-focused approach. It featured a discussion with Mr. Wiebe Ruttenberg from the European Central Bank.
A key takeaway from those initiatives is that, for cybersecurity matters, banks should not rely on tools only, but rather use people's knowledge. That means drawing on the particular training of cybersecurity experts, learning from them how best to defend against cyber attacks and shaping the corporate security approach that is needed.