How do major regulatory frameworks for financial services differ across the world, and how is this changing?
By Ben Densham, CTO at Nettitude
The operational resiliency of the financial services sector is of paramount concern to governments and regulators across the globe. Identifying cyber threats and security weaknesses that could affect individual firms or Financial Market Infrastructures and their ability to respond to an attack is key to ensuring the stability of the finance sector, which is key to the stability of the global economy.
A catalogue of high-profile breaches suggests that board-level engagement and awareness of how to prepare for and respond to a cyber event are frequently misunderstood or inadequate. Although these boards believe that they are taking steps to combat the cyber threat, their strategies are frequently poorly grounded and misaligned.
To address this, a number of regulator-driven frameworks for assessing financial institutions’ cyber preparedness, protection, detection and response capabilities have matured and proliferated across multiple regions around the globe.
However, it has been apparent that these assurance programmes have often focused on the wrong assets, at the wrong time, and from the wrong vantage point. Assurance has typically focused on internet-facing assets, and less on the core banking platforms that underpin the financial institution. In parallel, the activities have frequently been point-in-time initiatives, focused on non-production assets, in a highly partitioned manner that addressed a narrowly defined scope. It is apparent that these assurance activities are not end-to-end, and do not mimic the Tactics, Techniques and Procedures (TTPs) of known real-world threat actors.
Standardising cyber assurance: The regulatory response
Over the last four years, global regulators have shown increased interest in operational assessments as they seek assurance and confidence in financial markets. This has resulted in the development of a range of regulator-driven frameworks in Europe and the Far East. At the heart of regulators’ concerns is the need and commitment to address operational resilience. Existing measures and rules are no longer enough.
UK finance regulators recognised the potential contagion a cyber event could cause and the importance of cyber resilience. This drove the creation and launch of the CBEST framework in May 2014, a threat-led approach to delivering assurance testing to regulated organisations within the UK financial sector. Outside of the financial services sector, cyber resiliency has also been central to the thinking of many other regulators within the UK. For example, the GBEST scheme, largely based on the approach taken within the financial sector, was piloted by the UK Government throughout 2017 and 2018. Similarly, TBEST, a scheme for the telecommunications sector, is based on CBEST, and many other areas of the UK Critical National Infrastructure (CNI) are developing or implementing similar schemes (e.g. Aviation, Nuclear and Space).
The European Central Bank (ECB) released the European framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) in May 2018, which was built on work by the Dutch National Bank (DNB) within their TIBER-NL framework. This is a much wider reaching programme designed not only for European financial services but also for other sectors. While CBEST set the initial benchmark and introduced the new approach to validating organisations’ cyber resiliency on real operational systems, TIBER-EU has matured this approach and scaled it up.
Frameworks have also been developed in the Far East in Hong Kong (iCAST) and more recently in Singapore with the AASE. Recognising that cyber threats are among the top risks to financial stability, the G7 CEG is seeking to address this and acknowledges that there is an increase in sophistication, frequency and persistence of cyber threats in the financial sector.
How do these regulatory frameworks compare, and what impact are they having in the markets in which they are implemented? How is this likely to develop moving forward? In order to address these questions, we have released our latest Financial Services Briefing Report, A Comparison of Regulator Driven Cyber Resiliency Frameworks and Approaches. This paper provides an overview of cyber resiliency approaches taken by various regulators and financial authorities. It considers the differences between them, and provides guidance and recommendations on how to get the best out of them for your organisation. It also looks at the maturity of threat intelligence-led testing and how the approach should be matured and developed to meet the future demands of the threats faced.
Nettitude delivers comprehensive threat-led assurance services that focus on the financial services industry and wider critical national infrastructure, and regularly contributes to industry and academic research initiatives designed to mature this market segment. We therefore have extensive insight into the future of global cyber security regulation for the financial sector. To learn more, download our full report here.