DIGITAL TRANSFORMATION OF THE RETAIL PAYMENTS ECOSYSTEM

Similar documents
G7 Bar Associations and Councils

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Commonwealth Cyber Declaration

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Wiebe Ruttenberg & Emran Islam DG Market Infrastructure & Payments. From Cyber Threats via Cyber Security to Cyber Resilience

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Cyber Security and Cyber Fraud

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

13967/16 MK/mj 1 DG D 2B

FSOR. Cyber security in the financial sector VISION 2020 FINANCIAL SECTOR FORUM FOR OPERATIONAL RESILIENCE

Endpoint Security for Wholesale Payments

ENISA EU Threat Landscape

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Security and resilience in Information Society: the European approach

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

The University of Queensland

CHAIR S SUMMARY: G7 ENERGY MINISTERS MEETING

TO INSPIRE, CONNECT AND EMPOWER TO TURN BACK CRIME

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

National Policy and Guiding Principles

Program 1. THE USE OF CYBER ACTIVE DEFENSE BY THE PRIVATE SECTOR

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

RESOLUTION 130 (REV. BUSAN, 2014)

Cyber Security in Europe

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

Directive on Security of Network and Information Systems

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Cyber Security Strategy

Cybersecurity & Digital Privacy in the Energy sector

Ms. Izumi Nakamitsu High Representative for Disarmament Affairs United Nations

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Directive on security of network and information systems (NIS): State of Play

RESOLUTION 130 (Rev. Antalya, 2006)

Commonwealth Telecommunications Organisation Proposal for IGF Open Forum 2017

Provisional Translation

DHS Cybersecurity: Services for State and Local Officials. February 2017

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

IMPORTANT GLOBAL CYBERLAW TRENDS 2017

NEXT GENERATION SECURITY OPERATIONS CENTER

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

UNITAS Crisis communication exercise report

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

CENTRAL BANK OF THE REPUBLIC OF KOSOVO. Strategic Plan for the period

Principles for a National Space Industry Policy

EU policy on Network and Information Security & Critical Information Infrastructures Protection

General Framework for Secure IoT Systems

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

The UNISDR Private Sector Alliance for Disaster Resilient Societies

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

UAE Space Policy Efforts Towards Long Term Sustainability of Space Activities Agenda Item 4; COPUOS June 2017 By: Space Policy and

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Regional Development Forum For the Arab States(RDF-ARB) 2018

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

WORKSHOP CYBER SECURITY AND CYBERCRIME POLICIES FOR AFRICAN DIPLOMATS. Okechukwu Emmanuel Ibe

BEST PRACTICE GUIDELINES ON POLICY AND REGULATORY INCENTIVE FOR AFFORDABLE ACCESS TO DIGITAL SERVICES

EGM, 9-10 December A World that Counts: Mobilising the Data Revolution for Sustainable Development. 9 December 2014 BACKGROUND

ENISA s Position on the NIS Directive

Itu regional workshop

First Session of the Asia Pacific Information Superhighway Steering Committee, 1 2 November 2017, Dhaka, Bangladesh.

DG GROW meeting with Member States in preparation of Space Strategy 8 th July Working document#1: Vision and Goals

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Package of initiatives on Cybersecurity

10025/16 MP/mj 1 DG D 2B

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

The Interim Report on the Revision of the Guidelines for U.S.-Japan Defense Cooperation

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

EISAS Enhanced Roadmap 2012

SOC for cybersecurity

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Discussion on MS contribution to the WP2018

Preparatory process of the second High-level United Nations Conference on South-South Cooperation

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

WHO-ITU National ehealth Strategy Toolkit

Executive Insights. Protecting data, securing systems

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release September 23, 2014 EXECUTIVE ORDER

Securing Europe's Information Society

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Cybersecurity, safety and resilience - Airline perspective

PEOPLE INNOVATION CAPITAL INFRASTRUCTURE AGILITY. New Brunswick Growth Opportunity. Cybersecurity

Clarity on Cyber Security. Media conference 29 May 2018

Security in India: Enabling a New Connected Era

COUNTERING IMPROVISED EXPLOSIVE DEVICES

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

Qatar s National ICT Plan

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

The Windstream Enterprise Advantage for Banking

OUTCOME DOCUMENT OF THE INTERNATIONAL CONFERENCE ON CYBERLAW, CYBERCRIME & CYBERSECURITY

Challenges in Developing National Cyber Security Policy Frameworks

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Transcription:

DIGITAL TRANSFORMATION OF THE RETAIL PAYMENTS ECOSYSTEM CYBER SECURITY THE BALANCE BETWEEN COOPERATION AND REGULATION KEYNOTE SPEECH BY FABIO PANETTA, DEPUTY GOVERNOR OF BANCA D ITALIA At the joint ECB and Banca d Italia conference Rome, 1 December 2017 Information and communication technologies play a fundamental role for people, businesses and the public sector. Digital transformation is modifying the economic system and the whole of society at unprecedented speed. Innovation is having a powerful effect on the financial sector. The value chain is becoming more complex, and the participation of non-financial providers is increasing. The tech giants as well as the new fintech start-ups are expanding the supply of innovative services to a broad and diverse customer base through new business models. As a result, confidence in the financial sector is no longer based on bilateral trust between customers and service providers but is dependent on the governance of digitalization and especially on the reliability and safety of the products offered. Emerging risks in the digital ecosystem The increasing role of digital platforms is creating enormous benefits for users. At the same time it is offering ill-timed advantages for new groups of hostile agents, such as hacktivists, fraudsters and criminal and terrorist organizations. By exploiting the vulnerabilities within cyberspace, these agents may endanger the provision of digital services or disrupt critical infrastructures. Page 1 The new risks are exacerbated by the complex network of interconnections that forms the digital ecosystem: the Internet of Things is exploding and the number of interconnected devices is expected to grow at an unprecedented

pace, to more than 200 billion in 2020. 1 The area at risk is expanding enormously. Any weakness in security controls, any vulnerability in technology may offer an entry point for cyber attacks. In the financial sector, cyber attacks can create disruptions that propagate instantly and globally with effects that are hard to predict. Recent cyber attacks, like the one against the Central Bank of Bangladesh, exemplify the vulnerabilities of both process and technology that affect interbank payments and core financial infrastructures, which were once considered less exposed to cyber risks. As the Financial Stability Board has emphasized, certain cyber attacks 2 show that the vulnerability of financial institutions is a systemic issue, although it is unlikely as yet to represent a real threat to global financial stability. These attacks were a wake-up call for regulators and financial authorities, emphasizing that the safety of cyberspace is not just a prerequisite for the reliability of financial services but also an essential element of financial stability. Cyber risks threaten the core functions of the financial sector, including banking operations, payments and securities settlement. Central banks and, more generally, public authorities may themselves be on the radar screen of cyber attackers; cyber security is no longer a matter for specialists but a policy priority. The pillars of an effective cyber security strategy In today s world, central banks, regulators and supervisors face the formidable challenge of ensuring that the technological revolution does not undermine trust and confidence in the financial system. This is no easy task: like acrobats walking a tightrope, the authorities must strike the right balance between potentially diverging forces such as innovation, complexity and the safety of the system. This entails enhancing and complementing the traditional regulatory and supervisory approaches with the adoption of an effective toolkit tailored to address cyber risks. Page 2 1 2 From 2 billion in 2006. Source: World Economic Forum, Mitigating Risks in the Innovation Economy. How Emerging Technologies are Changing the Risk Landscape, (September 2017). Such as the Wannacry campaign in 2017 and the Corkow Malware in 2015.

In 2016 the G7 published a set of widely applicable recommendations encapsulating cyber security best practices for public and private financial entities. They were followed last October by the fundamental elements for effective assessment of cyber security for the financial sector. Having in mind these G7 principles, I would like to focus the rest of my speech on the main pillars on which from a central bank s view an effective strategy should be based: regulation, cooperation and risk awareness. The first pillar: regulation Regulation is a crucial component of an effective strategy to ensure sustainable innovation and preserve cyber security. A number of European laws have recently introduced requirements and obligations for both private companies and public bodies in order to increase cyber security in critical sectors of the economy. A general framework is given by the Network and Information Security Directive (NIS-D), which establishes security-related obligations for critical service providers, including credit institutions, stock exchanges and financial infrastructures. To guarantee data protection and the privacy of personal information, the General Data Protection Regulation also imposes strict security requirements for private and public entities, including financial firms. Specifically focusing on the financial field, the second Payment Services Directive (PSD2) has introduced security requirements throughout the payment cycle: from payer authentication to communication between service providers, security risk management by financial firms and the reporting of major incidents to the authorities. The European Banking Authority (EBA) was delegated to issue secondary regulation. The Guidance on cyber resilience for financial market infrastructures was published by CPMI-IOSCO in 2016. To ensure its harmonized implementation within the euro area, the Eurosystem has delivered a cyber resilience strategy that national supervisors must adopt to enhance the cyber resilience framework of financial institutions. Page 3 However, regulation alone is not sufficient to protect the financial system from cyber risks. Indeed, excessive reliance on regulation may even have undesirable side effects owing to the complex interactions between different regulatory levels, such as domestic versus international legislation or

economy-wide versus sector-specific rules. Hence, other forms of intervention are necessary, such as cooperation. The second pillar: cooperation Owing to the existence of externalities, individual intermediaries may lack sufficient incentive to contribute to the supply of a common good cyber security that would generate benefits for their direct competitors as well. They may be tempted, therefore, to free ride on the action of other companies and to under-invest in security-enhancing projects. In this situation, central banks, as third parties entrusted with preserving financial stability, may act as a catalyst to stimulate cooperation, centralized cyber threat intelligence and information sharing initiatives. 3 At European level, the recent establishment of the European Cyber Resilience Board (ECRB) under the Eurosystem cyber resilience strategy is a valuable example of virtuous cooperation among public authorities, financial market infrastructures and critical service providers to enhance the cyber resilience of the European financial ecosystem. Financial authorities may also leverage such cooperative initiatives to promote effective practices and tools for cyber risk assessment, including simulations and tests, which are difficult for individual firms to implement in isolation. This is a new paradigm, in which authorities and regulated entities work closely together, complementing compliance with a collaborative approach. This allows the authorities to gain a deep understanding of the level of cyber resilience achieved and of any additional initiatives required. The third pillar: promoting risk awareness The third pillar of action focuses on the human factor, as in cyber security people are still the weakest link. For example, the spread of cyber extortion (ransomware) which is becoming one of the major threats to digital businesses can be attributed to several factors. Some are technical, 4 but the Page 4 3 4 Threat intelligence may support financial institutions in taking the right decisions to prevent cyber attacks, effectively protect their critical assets and respond appropriately in the event of a successful cyber attack. Information sharing about cyber events through trusted channels facilitates a sector-wide response to large-scale cyber incidents (CPMI-IOSCO, Cyber guidance, 2016). We refer to the growth of ransomware-as-a-service, easily and cheaply accessed on the dark-web by cyber criminals, or the availability of crypto-currencies as a ransom payment tool. Today, cyber attacks can easily be organized, even by purchasing as-a-service packages and simple downloads for installation on rogue servers. In 2016, 638 million ransomware attacks were recorded, 167

most significant ones are totally human related: the growing habit of working remotely on personal devices, combined with users lack of attention to cyber risks, can easily open the door for attacks on corporate critical information assets. Employees, consumers and public officials need to be educated about the risks that can arise from new technologies. The financial authorities are in the best position to promote long-term education initiatives and cyber awareness campaigns. The role of the authorities: the experience of the Banca d Italia For central banks, translating all these principles into concrete action means first of all strengthening internal governance and cyber security capabilities. Let me talk about the Banca d Italia s experience in this area. To ensure a comprehensive strategic vision and the alignment of internal and institutional policies, a cyber security steering committee has recently been set up at Board level. Under this governance, the Banca d Italia s three-year strategic plan envisages two specific initiatives: one focuses on protecting the Bank s critical assets by reorganizing security functions inside the IT Department; the other focuses on enhancing the cyber resilience of Italy s financial sector by adapting the Eurosystem cyber strategy in line with the Italian National Cyber Security Framework and keeping an open dialogue with the competent national bodies. On the cooperation front, the Banca d Italia and the Italian Banking Association have sponsored the establishment of the Italian Financial Cyber Security Unit (called CERTFin), which coordinates information sharing and cyber threat intelligence among the participating financial companies, allowing them to share critical information and enhance the awareness of cyber risk beyond what would be possible within the perimeter of their own organization. Since January 2017, CERTFin has examined more than 800 cyber events, sharing with its members any lessons drawn and circulating more than 150 warnings on potential compromises to individual financial firms. It cooperates with similar national and international cyber security bodies. Furthermore, CERTFin cooperates closely with government cyber security agencies, contributing to national cyber security. Page 5 times more than 2015 (source: SonicWall, 2017 annual report - www.forbes.com/sites/leemathews/2017/02/07/2016-saw-an-insane-rise-in-the-number-ofransomware-attacks/#3d5df45558dc).

Conclusions Digital innovation and cyber security are two faces of the same coin and so cannot be addressed separately. Hostile agents and criminals have always existed. However, compared with other threats or other types of crime, cyber attacks are rapidly evolving and, given the central role of cyberspace in modern economies, represent a concrete global risk. In the final communiqué of the G7 meeting held in Bari in 2017 under the Italian Presidency, finance ministers and central bank governors stated that they recognise that cyber incidents represent a growing threat for our economies and that appropriate economy-wide policy responses are needed. No point of cyberspace can be absolutely secure as long as cyber threats persist in the surrounding environment. Transposing this principle into concrete action is challenging and requires us to recognize that cyberspace is a global public good. Ensuring its security, openness, reliability and interoperability falls under the joint responsibility of governments, public institutions, private industry and researchers. How should we tackle this challenge? One answer lies in the words of the Roman philosopher Seneca: Longum iter est per praecepta, breve et efficax per exempla. 5 After two thousand years, this sentence is more than ever pertinent in describing an effective approach to innovation. In the field of cyber security, regulatory or supervisory tools may become less effective unless accompanied by other concrete action: as our experience has shown, the authorities may support joint initiatives with the private sector on information sharing and the promotion of best practices, playing a role as trust-builder to foster the broad and open participation of all stakeholders. This approach may help us respond appropriately to digitalization by reconciling innovation, security and competitiveness. Thank you for your attention. Page 6 5 The way is long if one follows precepts, short and effective if one follows examples.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback