
Supervision techniques for IT risk and cyber
JUNE 27, 2019

Frank Adelmann
Financial Sector Expert (Cyber Security)
Monetary and Capital Markets Department - Financial Supervision
and Regulation (MCMFR)
International Monetary Fund

INTERNATIONAL MONETARY FUND 1


How to regulate cyber-risk?

• Usage of existing regulation relating to technology and/or operational risk vs. new regulation dealing with the unique nature of cyber-risk

• High-level policy considerations of the Financial Stability Institute:
► 1. Incorporate cyber-risk into the enterprise-wide risk management framework
► 2. Require banks to develop an effective control and response framework
► 3. Consider existing technical standards on cyber- and information security as starting points for any regulation
► 4. Promote cyber-security awareness among bank staff
► 5. Further collaborate with the industry in strengthening banks’ cyber-security
► 6. Pursue greater cross-border cooperation and consistency in regulatory and supervisory approaches to enhance cyber-resilience

• FSB Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory Practices
• World Bank Group Financial Sector’s Cybersecurity: A Regulatory Digest
• BCBS Cyber-resilience: Range of Practices



How to regulate cyber-risk?

Principle-based
- Relative simplicity
- Principles are easier to stipulate and are more stable
- Outcome-focused
- Flexibility / uncertainty
- Easier to dispute
- Open to interpretation
- More suitable for advanced markets

Principles + rules (in between)

Prescriptive
- Complexity
- Rules imply more detail and are difficult to maintain
- Rigidity / certainty
- More difficult to adapt
- Easier to supervise
- Baselines
- More suitable for less advanced markets



How to regulate cyber-risk?

Rules should describe the desired outcome

• “What” instead of “How”
• Describe the capability we want the institutions to develop
• Avoid technology-specific details

Examples
• For critical data and systems, institutions must be able to determine at any time and without undue delay who accessed them, when the access occurred, and what operations were performed.
• Users with system and application administration privileges must be protected against impersonation attacks involving password theft.
• Data must be classified according to defined confidentiality requirements.



Which topics should a cyber risk management framework cover? (Baselines)

• Assignment of cyber risk management responsibilities to the board and senior management.
• Documented cybersecurity program/policy and governance.
• Designation of an independent Chief Information Security Officer (CISO) or equivalent.
• ICT/Cybersecurity awareness.
• Identification of critical information assets, threats and vulnerabilities.
• Assessment of control effectiveness.
• Identity and access rights management.
• Software Development Lifecycle.
• Security event logging and monitoring.
• Malware prevention.
• Security reviews (such as vulnerability scans, penetration or red team testing).
• ICT continuity and operational resilience.
• Vendor and outsourcing risk management.
• Cyber incident reporting.
• Cyber threat intelligence.
• Adequate number and know-how of cyber/information security professionals.
• …



EBA Guidelines on ICT and security risk management

• IT governance and strategy
- Governance
- Strategy
- Use of third party providers

• ICT risk management framework
- Organisation and objectives
- Identification of functions, processes and assets
- Classification and risk assessment
- Risk mitigation
- Reporting
- Audit

• ICT Operations management
- ICT Incident and problem management

• Information security
- Information security policy
- Information security function
- Logical security
- Physical security
- ICT operations security
- Security monitoring
- Information security reviews, assessment and testing
- Information security training and awareness

• ICT Project and Change management
- ICT project management
- ICT systems acquisition and development


EBA Guidelines on ICT and security risk management

• Business continuity management
- Business impact analysis
- Business continuity planning
- Response and recovery plans
- Testing of plans
- Crisis communications

• Payment service user relationship management

(Example of how to communicate baseline expectations to the industry.)

https://eba.europa.eu/-/eba-consults-on-guidelines-on-ict-and-security-risk-management



How important is cyber risk in the supervisory risk assessment and evaluation process?

• The malicious use of Information and Communication Technologies (ICT) has the potential to disrupt financial services, undermine security and confidence and endanger financial stability.
• The systemic risk ramifications of a cyberattack could be substantial.
• The cyber threat landscape is highly dynamic and rapidly changing.

• Clear roles and responsibilities of the supervisor for cyber risk management
• Risk-based approach in order to identify vulnerabilities of the sector and ensure cyber resilience of supervised firms
• Monitoring and adjustment of risk assessments
• Early breach detection, first response, containment, forensic analysis, switchover to trusted backup data and processing facilities, and return to normal operation



What does the off-site supervisor need to know?

• Clear understanding of what cyber risk means and how it could harm a bank’s viability
• Experts that are able to challenge the supervised firms
• Good knowledge of the institution’s governance and strategy on ICT
• Understanding of ICT risk in the institution’s risk management framework
• Knowledge of the institution’s ICT/cyber risk profile, including critical assets and processes, relevant threats, existing vulnerabilities and mitigating controls (considering confidentiality, integrity, availability and agility requirements)
• Functioning of the three lines of defense of the supervised institutions
• Understanding of the bank’s dependencies

The role of the supervisor in establishing cybersecurity standards should be to codify industry practices where they are mature and augment where necessary.



What does the off-site supervisor need to know?

• Understanding of the cyber risk profile of supervised firms
• Cyber risk control maturity level expectation
• Assurance that control requirements are implemented at the expected maturity level
• Supervisory measures to be taken in case of shortcomings
• Awareness of potential risks associated with using third party providers

A framework developed by the US Federal Financial Institutions Examination Council (FFIEC) covering the cyber risk profile and cyber control maturity assessment is one example of a standard that can be adopted by supervisors. https://www.ffiec.gov/about.htm



What does the off-site supervisor need to know?
(Three figure slides; the figures are not reproduced in the text extraction.)

Source: Cybersecurity: Supervising a Moving Target. Seminar for Senior Bank Supervisors from Emerging Economies, Federal Reserve Board of Governors, October 21, 2016. Gwynne Williams, Senior Examiner and IT Learning Programs Coordinator, Federal Reserve Bank of Richmond.
Stocktake of leading supervisory practices (ECB 2016)

• Central coordination of IT risk supervision
• A comprehensive IT risk assessment framework to assess banks and prioritise activities
• Use of self-assessments and questionnaires
• Issuing more detailed guidance to the market
• Use of red-teaming techniques to assess cyber preparedness
• Actively promote information sharing between banks and between banks and regulators
• Thematic/horizontal supervisory approach to key risk areas
• Provide training activities for non-IT supervisors
• Performing in-depth on-site inspections



What else?

• Cyber mapping, to assess the interconnectedness of the financial system network (to estimate the extent, reach and severity of a cyber-attack on any of the nodes within the financial system)
► Identify Critical Financial System Agents
► Determine Data Needs
► Assessing Systemic Importance
► Visualization Tools
• Incorporation of cyber risk in stress tests (liquidity and solvency)
• Cooperate and exchange information with other cyber security agencies and authorities
• Ensure crisis preparedness against cyber risks on the part of the authorities (e.g. via emergency walk-through exercises)
• …

See also for more details: BCBS Cyber-resilience: Range of Practices from December 2018, https://www.bis.org/bcbs/publ/d454.htm
Off-site supervision: Cyber Risk Profile (example FFIEC)
(Figure: Inherent Risk Levels vs. Inherent Risk Categories; not reproduced in the text extraction.)


Off-site supervision: Maturity Model (example FFIEC)

5 Domains:
1 - Cyber Risk Management & Oversight
2 - Threat Intelligence & Collaboration
3 - Cybersecurity Controls
4 - Dependency Management
5 - Cyber Incident Management and Resilience

5 Maturity Levels: Baseline, Evolving, Intermediate, Advanced, Innovative

Structure of the assessment: Domains → Assessment Factors → Components → Declarative Statements



Off-site supervision: Risk vs. Maturity (example FFIEC)

See also EBA Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP):
https://eba.europa.eu/documents/10180/1841624/Final+Guidelines+on+ICT+Risk+Assessment+under+SREP+%28EBA-GL-2017-05%29.pdf/ef88884a-2f04-48a1-8208-3b8c85b2f69a



How to be sure that…?

Cyber Security Goal: Cyber security policies, standards and procedures are adequate and effective.
Audit Objective(s):
• Verify that documentation is complete and up to date.
• Confirm that formal approval, release and enforcement are in place.
• Verify that documentation covers all cyber security requirements.
• Verify that subsidiary controls cover all provisions made in policies, standards and procedures.

Cyber Security Goal: Emerging risk is reliably identified, appropriately evaluated and adequately treated.
Audit Objective(s):
• Confirm the reliability of the risk identification process.
• Assess the risk evaluation process, including tools, methods and techniques used.
• Confirm that all risk is treated in line with the evaluation of the results.
• Verify that the treatment is adequate or that formal risk acceptances exist for untreated risk.



How to be sure that…?

Cyber Security Goal: Attacks and breaches are identified and treated in a timely and appropriate manner.
Audit Objective(s):
• Confirm monitoring and specific technical attack recognition solutions.
• Assess interfaces to security incident management and crisis management processes and plans.
• Evaluate (on the basis of past attacks) the timeliness and adequacy of attack response.



Roadmap for banks?

1. Plan for the future
2. Prepare for IT with policy and standards
3. Test and test again
4. Become brilliant at the basics
5. Manage your compliance – but remain adaptive
6. Leverage the wider community - collaborate
7. Investigate and implement new technology
8. Train your staff and customers
9. Control and monitor your third-party providers
10. Never become complacent



How important is cyber risk in the supervisory risk assessment and evaluation?

• “The IT aspects of corporate governance are one of the things that CEOs think they don’t have to understand - until it bites them!” (Piter Morriss – KPMG)

• “Information is a significant component of most organizations’ competitive strategy either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated.” (The IIA Research Foundation)

• “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” (Stephane Nappo)



How important is cyber risk in the supervisory risk assessment and evaluation?

• “Exhaustive prevention is an illusion. We can't secure misconfiguration, shadow IT, third parties, human error, former employee... Focus on what matters more and be ready to react.” (Stephane Nappo)

• “Cyber-Security is much more than a matter of IT.” (Stephane Nappo)

• “Technology trust is a good thing, but control is a better one.” (Stephane Nappo)

• “As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.” (Newton Lee)



Thank you very much for your attention!
