techniques for IT risk and cyber
JUNE 27, 2019
Frank Adelmann
Financial Sector Expert (Cyber Security)
Monetary and Capital Markets Department - Financial Supervision and Regulation (MCMFR)
International Monetary Fund
► 3. Consider existing technical standards on cyber- and information security as starting points for any regulation
► 4. Promote cyber-security awareness among bank staff
Principle-based vs. prescriptive
Examples
For critical data and systems, institutions must be able to determine at any time and without undue delay who accessed them, when the access occurred, and what operations were performed.
Users with system and application administration privileges must be protected against impersonation attacks involving password theft.
Data must be classified according to defined confidentiality requirements.
• Reporting
• Audit
• ICT project and change management
• ICT project management
• ICT operations management
• ICT systems acquisition and development
See: https://eba.europa.eu/-/eba-consults-on-guidelines-on-ict-and-security-risk-management
The malicious use of Information and Communication Technologies (ICT) has the potential to disrupt financial services, undermine security and confidence and endanger financial stability.
The systemic risk ramifications of a cyberattack could be substantial.
The cyber threat landscape is highly dynamic and rapidly changing.
Clear roles and responsibilities for the supervisor for cyber risk management
Risk-based approach in order to identify vulnerabilities of the sector and ensure cyber resilience of supervised firms
Monitoring and adjustment of risk assessments
Early breach detection, first response, containment, forensic analysis, switchover to trusted backup data and processing facilities, and return to normal operation
Clear understanding of what cyber risk means and how it could harm a bank's viability
Experts that are able to challenge the supervised firms
Good knowledge of the institution's governance and strategy on ICT
Understanding of ICT risk in the institution's risk management framework
Knowledge of the institution's ICT/cyber risk profile, including critical assets and processes, relevant threats, existing vulnerabilities and mitigating controls (considering confidentiality, integrity, availability and agility requirements)
Functioning of the three lines of defense of the supervised institutions
Understanding of the bank's dependencies
A framework developed by the US Federal Financial Institutions Examination Council (FFIEC) covering the cyber risk profile and cyber control maturity assessment is one example of a standard that can be adopted by supervisors. https://www.ffiec.gov/about.htm
Source: Cybersecurity: Supervising a Moving Target, Seminar for Senior Bank Supervisors from Emerging Economies, Federal Reserve Board of Governors, October 21, 2016. Gwynne Williams, Senior Examiner and IT Learning Programs Coordinator, Federal Reserve Bank of Richmond.
What does the off-site supervisor need to know?
Stocktake of leading supervisory practices (ECB 2016)
► Visualization Tools
Figure: cyber risk profile and control maturity assessment domains, each rated against 5 maturity levels
• 1 - Cyber Risk Management & Oversight
• 2 - Threat Intelligence & Collaboration
• 3 - Cybersecurity Controls
• 4 - Dependency Management
• 5 maturity levels: Baseline, Evolving, Intermediate, Advanced, Innovative
See also EBA Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP):
https://eba.europa.eu/documents/10180/1841624/Final+Guidelines+on+ICT+Risk+Assessment+under+SREP+%28EBA-GL-2017-05%29.pdf/ef88884a-2f04-48a1-8208-3b8c85b2f69a
Supervisory objective: Cyber security policies, standards and procedures are adequate and effective.
Assessment steps:
• Verify that documentation is complete and up to date.
• Confirm that formal approval, release and enforcement are in place.
• Verify that documentation covers all cyber security requirements.
• Verify that subsidiary controls cover all provisions made in policies, standards and procedures.

Supervisory objective: Emerging risk is reliably identified, appropriately evaluated and adequately treated.
Assessment steps:
• Confirm the reliability of the risk identification process.
• Assess the risk evaluation process, including tools, methods and techniques used.
• Confirm that all risk is treated in line with the evaluation of the results.
• Verify that the treatment is adequate or that formal risk acceptances exist for untreated risk.

Supervisory objective: Attacks and breaches are identified and treated in a timely and appropriate manner.
Assessment steps:
• Confirm monitoring and specific technical attack recognition solutions.
• Assess interfaces to security incident management and crisis management processes and plans.
• Evaluate (on the basis of past attacks) the timeliness and adequacy of attack response.
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” Stephane Nappo
“Technology trust is a good thing, but control is a better one.” Stephane Nappo