The regulatory rationale
A catalyst for criminals
As organisations globally adopted remote working at the start of the pandemic, the use of mobile and remote access capabilities to gain entry to both internal and third-party systems, including for financial services, increased dramatically. While this proved essential for business continuity, it also presented multiple points of entry for criminals looking to exploit uncertainty, anxiety and new, largely untested working environments and practices.
While cybersecurity was already a priority before the pandemic, the cyber threat has increased dramatically, with a surge in COVID-related phishing campaigns, business email compromise (BEC), ransomware and denial of service attacks reported. For example, Standard Chartered’s Cyber Defence Centre recorded a 31.6% increase in cyber security incidents, of which 77.6% were phishing incidents. These heightened risks create additional challenges for businesses, but also greater urgency amongst regulators.
Scope, scale, and structure
Adapting to a changing threat
At the same time as organisations globally try to mitigate the impact of new and increasing cyber threats on their own business, regulators are stepping up to support them by focusing on a number of core areas:
- Protecting core applications and networks, particularly given that employees’ home environments are likely to be less secure than their corporate offices. While many companies have long-established protocols for patching systems, securing connections, monitoring for suspicious activity and so on, these measures may be less effective in a remote working environment.
- Ensuring resilience through contingency planning and periodic testing within the business and across supply chains and third-party providers.
- Accelerating response and recovery through robust processes for organisations to identify and report on any security compromise, data breach or cyber incident to the regulators quickly. Again, while these practices were already well-established before the pandemic, widespread remote and hybrid working is an additional consideration that needs to be factored into these processes.
This is especially crucial for financial services. In the UK, for example, the Bank of England’s CBEST framework [1] assesses the resilience of an organisation’s security controls and culture using accredited penetration test companies to mimic cyber attackers. The European Central Bank (ECB) has also published Threat Intelligence Based Ethical Red-teaming (TIBER), which follows a similar framework and intent to CBEST. Furthermore, the European Commission is proposing a new Digital Operational Resilience Act (DORA). This introduces new rules for financial entities but also expands the regulatory reach to technology service providers.
In Singapore, the Monetary Authority of Singapore (MAS) has focused on robust foundational controls, encouraging organisations to balance the need for security with their drive to innovate. For example, in August 2019, MAS issued Notice 655 on Cyber Hygiene [2], which outlines legally enforceable cyber security requirements for banks. The Notice introduces essential controls such as multi-factor authentication, secure administrative accounts and security patching, which are also effective practices in safeguarding information assets.
Building a blueprint for your business
Looking at your business through a ‘Threat’ lens
Criminals are looking for any opportunity to exploit human and technical weaknesses. Business leaders therefore need to:
- Identify critical assets and sensitive data
- Determine what value cyber-criminals could gain from each, e.g. the value of financial assets differs from that of data, so the security mechanisms needed will differ too
- Explore in detail how these assets and data are currently stored and accessed, including controls applied by third parties (e.g. cloud and outsourcing providers)
- Pinpoint potential weaknesses and implement resolution plans.
However stringent these plans, they will be effective only if employees – who are the ‘weakest link’ in any cybersecurity strategy – become the first line of defence. This requires a regular and sustained programme of employee awareness training on how to work securely – including in a remote working environment – and how to identify, thwart and report malicious attempts.
Working with a trusted bank with extensive expertise in managing data and transactions securely can contribute significantly to managing cyber risks. Every request for proposal (RFP) and regular review meeting should seek to understand how banks balance innovation and cybersecurity, their investment track record in security and fraud prevention, their approach to client education and information sharing, and partnerships with stakeholders to strengthen financial ecosystems.
Building the blueprint for the industry
A collaborative approach to tackling cyber threats
In addition to individual efforts by corporations, banks and regulators, there is growing global collaboration on cybersecurity regulations. For instance, the Financial Stability Board (FSB), which represents ministries of finance, central banks, supervisory and regulatory authorities from 25 countries, published a toolkit containing effective practices on cyber incident response and recovery [3] for financial institutions.
We also expect to see financial regulations continuing to reach beyond the financial sector to fintechs, telecoms and cloud service providers, reflecting the growing role of non-bank players in the financial ecosystem. For example, the Cyber Security Agency (CSA) of Singapore has launched a ‘Cybersecurity Labelling Scheme’ for consumer internet of things (IoT) devices, such as home routers, as part of ongoing efforts to raise cyber hygiene. The Association of Banks in Singapore (ABS) has also launched an industry-level ‘Cloud Computing Implementation Guide’, which provides practical considerations for governing, designing and securing cloud services.
Championing change with Standard Chartered
Sharing best practices to counter evolving cyber threats
It is vital that regulators continue to challenge organisations’ cyber security policies, practices, testing and response mechanisms, and set best practices. The difficulty for international organisations, however, is that because every country’s regulator and cyber agency sets its own rules and requirements, compliance can become very challenging. This is exacerbated further where regulators set rules around data onshoring and localisation.
Given that cybercrime is borderless, we particularly welcome international collaboration on cybersecurity, such as through the FSB, which will help in establishing a baseline of effective practices on cybersecurity for adoption by member jurisdictions. We continue to work closely with regulators across our footprint to encourage harmonisation and principle-based regulations with the aim of streamlining, whilst also strengthening, the global approach to cyber risk.
Consequently, in 2019, Standard Chartered co-sponsored a comprehensive Capacity Building Toolbox on Cyber Resilience [4] in partnership with the Carnegie Endowment for International Peace, SWIFT Institute, the IMF, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Cyber Readiness Institute, and the Global Cyber Alliance. Available in seven languages, this Toolbox provides checklists and practical guides for key business functions to help them lead their organisations’ cybersecurity strategies, protect their organisations and their customers, secure third-party connections and respond to incidents. This was a significant example of how organisations with a common purpose can work together to share complementary expertise, engage customers and proliferate best practices.