Interview with Mr. Wiebe Ruttenberg, Chair of the Eurosystem Task Force on Cyber Resilience Strategy for Financial Market Infrastructures and Senior Adviser, DG Market Infrastructure & Payments at the European Central Bank.
The following piece appears in the latest WSBI-ESBG News & Views magazine.
Published: BRUSSELS, 12 November 2020
In recent decades, the financial system has become increasingly globalised, digital, and interconnected. The financial system relies critically on information and communication technology (ICT) infrastructure and on the confidentiality, integrity and availability of data and systems. As a consequence, cyber incidents can disrupt even key economic functions. Cyber risk not only affects individual financial institutions and infrastructures, but has an important systemic dimension. Understanding the potential systemic impact of cyber incidents is of the utmost importance. Mr Wiebe Ruttenberg kindly sits down with News & Views to answer a handful of questions.
Mr Ruttenberg, what is a cyber incident, and what is a systemic event?
WR: That is a good question, as policy makers do not always use the same definitions when debating cyber issues. The Financial Stability Board (FSB) has addressed this and published its Cyber Lexicon in November 2018.
A cyber incident is an observable occurrence that happens in an information system and not only jeopardises the cyber security of that information system, but also violates its related security policies and procedures, whether resulting from a malicious activity or not. The combination of the probability of cyber incidents occurring and their impact defines cyber risk.
Indeed, cyber risk is a particular kind of operational risk but it has its own unique characteristics, i.e. the speed and scale of its propagation as well as the potential intent of the threat actors.
One could say that a systemic event is the point at which the financial system is no longer able to absorb the shock, in this context resulting from a cyber incident, resulting in an impairment of all or parts of the financial system and in serious negative consequences for the real economy.
Can a cyber incident become a systemic event?
WR: As already publicly stated by our President Ms Christine Lagarde earlier this year, the answer is yes. Her statement was based on work done by the European Systemic Risk Board (ESRB) which has developed an analytical framework to assess how cyber risk can become a source of systemic risk to the financial system.
Though there are not any historical precedents for systemic events arising from cyber incidents in finance, there is the possibility that a systemic event is triggered by the many cyber risks.
The interconnectedness of various information systems enables cyber incidents to spread quickly and widely. Some recent incidents have demonstrated actors’ ability to penetrate the networks of large organisations and incapacitate them quickly. Cyber incidents can also spread widely across sectors and beyond geographical borders, including to entities which are not the primary target or source of disruption. Malicious cyber incidents are becoming more persistent and prevalent, illustrating the high level of sophistication and coordination that threat actors are able to achieve.
An illustration of this is the NotPetya malware incident, which started in the Ukraine in June 2017, but had serious operational consequences for some non-financial companies at global level. Had financial institutions and infrastructures in a global financial centre been targeted and incapacitated by the incident, it could have easily resulted in a systemic event in the financial system.
In general, a cyber incident can evolve into a systemic crisis when trust in the financial system is eroded. A critical point in assessing whether a cyber incident will progress to become a systemic financial crisis lies in the differentiation of whether or not the incident escalates from an operational level into the financial and – finally – the confidence realms.
You mentioned that a cyber incident can evolve into a systemic event when trust in the financial system is eroded. What do you mean here by trust in the financial system?
WR: In order for a cyber incident to raise systemic financial and confidence concerns, either the disruption to critical functions supporting the real economy or the generated (or anticipated) financial losses from the incident need to reach a level where the financial system is no longer able to absorb the shock.
For instance, a perceived irrecoverable destruction, alteration or encryption of account balances of one or several financial institutions could constitute a sufficiently severe shock to the financial system. This could occur through operational disruption, followed by financial losses and loss of confidence in the respective financial institution and possibly the financial system, triggering liquidity freezes, bank runs and panic. The loss of confidence in the integrity of data could in itself trigger similar reactions.
Trust is a key factor: While it takes quite some time for the financial institutions and the financial sector to build it, it can suddenly disappear. As a Dutch saying goes, “trust comes by foot and leaves by horse!”.
How can cyber risks be mitigated?
WR: Over the years already a lot has been done by the financial sector and national, European and international authorities to address cyber risks, at micro and at macro level.
The examples are too many to summarise here, but let me give you a few. As said earlier, the Financial Stability Board (FSB) has developed a Cyber Lexicon to foster a common language and facilitate cross-jurisdictional communication on cyber risk. At the European Union (EU) level, the mandate for the European Union Agency for Cyber Security (ENISA) has been strengthened and the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) have issued guidelines on how the supervised entities should implement best practices in ICT risk management. The ECB has issued the Cyber Resilience Oversight Expectations for financial infrastructures, and we should certainly not forget the EU Directive on Security of Network and Information Systems (NIS Directive), which addresses various aspects of cyber risk across a range of industries.
Personally, I appreciate very much the initiative taken by the European Commission following the public consultation on a digital operational resilience framework for financial services in the European Union, which closed in March 2020. The now proposed Regulation on Digital Operational Resilience for the Financial Sector – also dubbed DORA – provides a unique opportunity to address the current fragmentation in financial legislation and supervisory approaches in the field of digital operational resilience, cyber resilience included.
Which initiatives have been taken specifically with regard to financial market infrastructures in Europe?
WR: Financial market infrastructures form the backbone of the financial sector and thus the European real economy. Their cyber resilience is of systemic importance. Therefore, the ECB Governing Council approved the Eurosystem cyber resilience strategy for FMIs in March 2017. I already mentioned the Cyber Resilience Oversight Expectations (CROE) earlier. Let me highlight three other initiatives stemming from this strategy, i.e. the EU framework for ethical hacking (TIBER-EU), the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB), and the European Cyber Information & Intelligence Sharing Initiative (CIISI-EU).
TIBER-EU provides a harmonised way to test the cyber resilience of a financial infrastructure or a bank, making use of ethical hackers attacking the financial entity’s live production systems. It is currently adopted in 10 EU Member States and more are expected to follow.
Authorities and financial infrastructures have one thing in common: they are all victims of cyber-attacks. The ECRB has been established by the ECB as a forum for strategic discussions between board members of Europe’s largest and most important financial infrastructures, their critical service providers and authorities. Its objectives are to raise awareness of the topic of cyber resilience, catalyse joint initiatives to develop effective solutions for the market, and provide a place to share best practices and foster trust and collaboration.
One initiative stemming from the ECRB is CIISI-EU, an initiative to share vital cybersecurity threat information between Europe’s largest and most important financial infrastructures, selected EU national central banks, ECB, EUROPOL and ENISA. The core objectives of CIISI-EU are to protect the financial system by preventing, detecting and responding to cyberattacks; to facilitate the sharing of information and good practices between financial infrastructures; and to raise awareness of cybersecurity threats.
Let me conclude by saying that ensuring cyber resilience is like an arms race; it is a continuous effort with no end in sight.