Uniting on the cyber frontier
Regulators must collaborate to match attackers' speed.
CENTRAL banks have a long history of cooperation during financial crises. In 1930, the Bank for International Settlements was established to foster international monetary and financial collaboration in times of uncertainty. The Basel Committee on Banking Supervision was founded in 1974 by central banks to converge towards common standards, culminating in the Basel Accords.
Financial regulators are often sensitive to shifts in risks, and act in concert to maintain the safety and soundness of the financial system that they supervise. As the financial threat landscape evolves, cyber attacks have become a growing concern. While the risk is not new, its prominence has heightened considerably. As the Internet becomes a ubiquitous and indispensable medium for business and individual interactions, the resultant interconnectedness has made the task of supervising and regulating cyber risks in jurisdictional isolation more difficult.
The impact of a major cyber attack is not very different from that of a physical one. The difference lies in the medium, that is, the Internet, which allows the attack to be carried out stealthily and at a frequency unparalleled in the physical world. The polymorphic, persistent nature and diversity of threat actors make countering cyber attacks an uphill task.
While every financial institution must establish good cyber hygiene to protect itself against threats, strengthening resilience in a silo is not enough. Due to the interconnectedness between institutions' systems and business operations, an attack on a weak link in the financial system could have an adverse impact on other bodies, and bring about a domino effect in the entire system. The WannaCry malware outbreak in 2017, which caused severe service disruptions and financial losses globally, illustrates the potential for cyber threats to spread rapidly across organisations, in a manner likened to a pandemic.
In August 2019, the Monetary Authority of Singapore (MAS) issued a legally binding set of cyber security requirements for institutions to implement after consultation with the industry. MAS conducts regular exchanges with the banks' and insurers' associations through standing committees on cyber security to collaborate on sector-wide initiatives and exchange insights into cyber threats and countermeasures.
However, the fast-changing, borderless and disruptive nature of cyber threats makes it almost impossible for each jurisdiction to deal with them on its own. International standard-setting bodies play an important role in combating cyber threats through greater coordination and collaboration to promote effective regulatory and supervisory practices.
In recent years, different standard-setting bodies have begun to give form to non-financial expectations expounding on cyber resilience. For example, expectations to ensure that critical information technology systems can resume operations following disruptive events were included in the Principles for Financial Market Infrastructures published in 2012 by the Committee on Payments and Market Infrastructure of the International Organisation of Securities Commissions (CPMI-IOSCO).
In 2016, the CPMI-IOSCO published its Guidance on Cyber Resilience, the first such document on cyber security by an international standard-setting body.
More efficient mechanisms are necessary to match the speed at which new cyber threats, techniques and vulnerabilities arise. The Central Banks, Regulators and Supervisory Entities Forum was established in July 2018 to address this challenge.
Supported by the Financial Services Information Sharing and Analysis Centre, the forum facilitates timely sharing of cyber information between regulators and supervisors.
The cloud and concentration risk
Many financial institutions have started exploring the use of cloud computing services, attracted by improved efficiency, security, scalability and cost savings.
However, cloud services are not hazard-free. As more companies subscribe to major cloud service providers, concentration risk may emerge.
The use of shared pools of resources hosted in the cloud could expose multiple financial institutions to a common vulnerability that may result in widespread service outages or security breaches. As institutions' reliance on cloud service providers grows and the latter become systemically important, regulators will have to review their supervisory paradigm.
As financial regulators collaborate to establish common rules, build a culture of information sharing and develop strategies to deal with new and systemic risks, a united frontline will emerge on the cyber frontier. Together, they and the institutions that they supervise will be able to face mounting cyber attacks and ensure the resilience of the global financial system.
- The writer is director and head of Technology Risk Supervision Division at the Monetary Authority of Singapore
- This article appeared in OMFIF's October edition of The Bulletin.
Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.