Excerpts from statement by Sabine Lautenschläger, member of the Executive Board of the European Central Bank, at the G7 2019 conference on “Cybersecurity: Coordinating efforts to protect the financial sector in the global economy”, Paris, 10 May 2019.
We see a number of trends in the financial sector related to cyber risk:
- First, the close interconnection and complexity of the financial system create vulnerabilities which can be exploited by cyber attackers.
- Second, attackers seem to be gaining an ever deeper understanding of how the financial system operates. This enables them to swiftly detect and exploit weaknesses more efficiently and should be a concern for us all.
- Third, both banks and financial market infrastructures are struggling to find staff with the skills and experience needed to fend off cyber-attacks. Indeed, the skills gap extends well beyond the financial sector. All relevant stakeholders need to urgently work on strategies to make sure that our workforce has the right skills for our future economies, and that our society is able to reap the benefits of innovation.
- Finally, true innovation is always disruptive. Fintech might disrupt financial markets in positive ways. But it also comes with risks: fiercer competition could lead some market players to embrace and adopt new technologies, services or methods before fully grasping the related risks – cyber-risks in this case.
Banks, in particular, should aim to simplify their IT landscape. Simpler IT landscapes have a smaller attack surface. And the easier these systems are to understand and maintain, the better they can be protected. And, last but not least, we see that a significant number of FMIs still lack dedicated cyber incident response plans.
To facilitate the proportionate implementation of the guidance, the ECB published the Cyber Resilience Oversight Expectations, or CROE for short, in December 2018. A tool for FMIs and overseers alike, the CROE sets out three levels of increasingly demanding expectations, tailored to the size of the FMI.
To complement the CROE, the ECB has also developed another tool: the European threat-intelligence-based ethical red team testing framework (TIBER-EU). By means of “ethical hacking”, red teaming helps to assess a financial institution’s ability to withstand a cyber-attack. TIBER-EU serves to guide authorities and financial institutions in conducting threat-intelligence-based red teaming, and to avoid duplication through the emergence of similar pan-European tests.
But testing the resilience of individual FMIs or banks may not be sufficient. The financial system is highly interconnected and any cyber-attack could thus trigger contagion. This is why the ECB hosted a market-wide crisis communication exercise, UNITAS, in June 2018. UNITAS facilitated a discussion among pan-European financial infrastructures on a scenario in which a cyber-attack resulted in a loss of data integrity and a knock-on effect on other financial infrastructures.
The exercise revealed that there were weaknesses at the European level, which are now being followed up on by the Euro Cyber Resilience Board for pan-European Financial Infrastructures, or ECRB for short.
The number of reported cyber incidents has been rather low, the most frequent type being Distributed Denial of Service attacks (DDoS). Other reported incidents were related to unauthorized access, accidental data leakage and phishing attacks. In many cases, there was a delay between the onset of the attack and its detection. Finally, we see that attackers gained access to banks’ systems by exploiting both technological vulnerabilities, such as missing IT security measures, and human ones, such as insufficient staff awareness.
Although the number of reported cyber incidents has been rather low, I would not dare to conclude cyber threat levels are low, or even decreasing. I rather think that it is a matter of time until we experience a major attack.