Reflections on the 2019 SEACEN Policy Summit

This year’s SEACEN Centre Policy Summit in Kuala Lumpur in mid-June was on the very salient topic of “Central Bank Leadership in Combating Cyber Risk.”  As in previous years, a half-day Summit on Day One was open only to central bankers and officials from bank regulatory agencies, while the full-day Summit on Day Two was open to everyone.  Across the two sessions there was a total of 92 attendees, with 19 distinguished presenters and panellists joining six SEACEN faculty staff, serving as moderators, in eight highly informative and interesting sessions. 

The 19 speakers and panellists represented a wide range of prestigious institutions in the public, private and non-profit sector, including Columbia University (New York), the European Central Bank, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Bank for International Settlements, the Committee on Payments and Market Infrastructure, several SEACEN members, the United States Department of Justice, a bank active in Southeast Asia, three private companies using technology to improve financial services and an insurer active in cyber risk insurance. 

The sessions covered matters of pressing importance such as the link between cyber risk and financial stability; cybersecurity information-sharing among central banks, between regulators and their regulated banks and among banks; central bank oversight of cybersecurity preparedness at regulated banks and payment systems; how technology can be used to assess cultural patterns at a bank that may lead to misconduct, including insider threats; central bank leadership in addressing the qualifications and integrity of staff throughout the financial services industry; emerging cyber threats to the financial sector and cybercrime; FinTech and non-traditional financial services providers and their approach to cyber vulnerability; and the emerging world of cyber risk insurance. 

There were many key takeaways from the Summit, grouped around several key themes:

The two-way link between cyber risk and financial stability.  Cyber risk can threaten financial stability through several channels, particularly a lack of financial substitutability (the loss of a key provider or key service), a lack of IT substitutability (IT providers and infrastructure tend to be concentrated), a loss of customer confidence, a corruption of data integrity and through the interconnectedness of financial institutions.  But the direction can also go in reverse.  Financial fragility can increase the risk of a devastating cyber-attack.  Boards and senior management of weak or unstable financial institutions can take their attention off cybersecurity, leading to exploitation by malicious actors, who tend to lurk in the systems of banks and other financial institutions for a long time before striking.  And financial stability supervisors should require banks to conduct “reverse stress tests” – assume that a major credit risk, market risk, operational risk, liquidity risk, or reputation risk event has occurred, and then brainstorm to envision the types of cyber risk events that could have these effects. 

The bad and worsening shortage of information security experts to support financial institutions and their regulators.  The world as a whole faces a skills gap and a shortage of experts to cope with looming cyber threats, a shortage that is expected to worsen over time.  (One estimate is two million unfilled vacancies in cybersecurity.)  Talented young people earn higher salaries and seem to have more satisfying work environments in technology firms (especially FinTechs) than in financial institutions and their regulators.  Small banks, in particular, are especially hard-hit, because the necessary level of prevention and detection supplied by skilled staff is spread over a smaller revenue base.

Cyber threats originating largely from inside the bank.  Like firms in most industries, banks grapple with poor cyber hygiene – laziness and taking shortcuts – increasing vulnerability to attacks by malicious actors, whether inside or outside the bank.  A cultural shift is important, because employees take their behavioural cues more from their peers than their senior management, who may be setting the right tone – even sounding the alarm – but are being ignored.  Cybersecurity training of staff, especially those in the business units, is necessary but not sufficient, as new techniques, such as social engineering (on-line grooming a bank officer or staff member to ultimately reveal login credentials) and whaling (sending bogus, but plausible, emails to a high-ranking bank officer or director) , are emerging constantly that catch staff off-guard.  It may even be necessary to force staff to install necessary software updates or other forms of protection by cutting off their access if they do not comply.  Above all, the bank must identify and secure its core digital assets – data and documents – against corruption.  Even a system of backing up data can be corrupted if it is automatically backing up corrupted data. 

The double-edged sword of outsourcing and partnering.  As banks increasingly outsource key services, they need to step up their outsourcing risk management and ensure that third-party vendors have cyber risk management programs as good as, or better than, the banks themselves.  Financial technology (FinTech) companies will increasingly be partnering with banks, but some FinTechs, in spite of having access to the latest and most efficient cybersecurity technology, unburdened by legacy systems, may be concentrated first on survival and expansion, with cyber resilience a secondary objective.

The critical role of information sharing and cooperation in joint exercises.  Without a doubt, information sharing – of both threat intelligence and actual cyber events – is more important than ever.  Information sharing must be happening among financial sector regulatory authorities, between regulators and their regulated institutions and among financial institutions themselves.  There are many more channels than before; including some noteworthy ones such as the Operational Security Situational Awareness (OSSA) network of 33 central banks, mostly inside but some outside the European Union, managed by the European Central Bank; FS-ISAC for information sharing among financial institutions; and FS-ISAC’s Asia Office’s CERES Forum for information sharing among financial sector regulators.  Work is proceeding on joint cyber-attack simulation tests and common responses by banks to ransomware attacks.  One recommended exercise for banks and their regulators within a jurisdiction is to assume that the most important bank or financial market infrastructure in the economy is hit with a cyber-attack that corrupts its data or disables its key services, and determine how all the other players in the system should protect and react. 

Cyber risk insurance as a mode of transferring risk.  Participants and presenters alike in the Summit stressed that prevention of a cyber-attack is all but impossible, as banks and their regulators can only lower the risks, not eliminate them.  Detection is key, because most major cyber-attacks are “slow burn” – the intruder is lurking in the system for a long time, determining the right time to strike.  With all of these uncertainties present, and the difficulties of specifying metrics and setting a tolerance for risk, many banks are turning to the emerging market for cyber-risk insurance as a mode of transferring the risk.  This market is rapidly developing but is itself grappling with issues arising from a lack of information about the frequency and financial magnitude of cyber-risk events and the usual “moral hazard” problem of insured firms investing less in their own protection.  Here, financial sector regulatory authorities or self-regulatory bodies such as bankers’ associations can assist the insurance industry in pricing coverage and determining appropriate levels of coverage and deductibles, by mandating the collection of key metrics for the insurers to use in their own calculations. 

Concluding Thoughts

An overarching message emerging from the SEACEN Policy Summit on “Central Bank Leadership in Combating Cyber Risk” is that all sectors of the financial services industry – banking, payments, securities, insurance, wealth management, and their regulators and supervisors – must cooperate to the fullest extent possible in increasing their cyber resilience, improving information sharing, and realizing that the entrance of new financial services providers and new access channels for their customers act as a force multiplier for cyber risks in the industry.  Central counterparties (CCPs), which have been so helpful in reducing systemic risks in key markets, are especially vital to secure, because a corrupted CCP can serve as a choke point, causing inability to receive and process transactions cascading throughout the system. 

Indeed, cybersecurity has never been, and certainly is not now, a problem only for “the guys in the server room” to solve. 

Glenn Tasky is the Director of the Financial Stability and Supervision & Payment and Settlement Systems pillar at the SEACEN Centre.