Cyber security is not just a technical issue but very much a business imperative: CB Chief

Monday, 2 October 2017 00:10

Central Bank Governor Dr. Indrajith Coomaraswamy addresses the Cyber Security Summit - Pix by Upul Abayasekara

  • Calls on financial institutions to embed cyber risks in overall enterprise-wide risk management framework at Daily FT-CICRA 5th Annual Cyber Security Summit

Central Bank Governor Dr. Indrajit Coomaraswamy last week emphasised that cyber security threats are growing in volume, intensity and sophistication, and that defending against them is no longer merely a technical issue but very much a business imperative.

This key observation and several others were shared by the Governor at a packed 5th annual Cyber Security Summit organised by the Daily FT and CICRA Holdings last week at the Cinnamon Grand. 

Following are excerpts of Dr. Coomaraswamy’s speech as Chief Guest at the Summit’s session titled ‘Cyber Security Soundness in Financial Services’:

“There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet” – House Intelligence Committee Chairman Mike Rogers

It emphasises the fact that you need to be extremely “cyber aware” to effectively manage the risks inherent in the “Cyber Age”.

Central Bank Governor Dr. Indrajit Coomaraswamy in conversation with young ex-hackers from the UK, Darren Martyn (right) and Jakes Davis, who were co-founders of the once infamous hacker groups LulzSec and Anonymous, at the 5th Annual Cyber Security Summit organised by the Daily FT and CICRA Holdings. The two were among an expert panel of global speakers at the Summit. CICRA Group CEO and Director Boshan Dayaratne and Executive Director Vasana Wickramasena are also present

In today’s world, Information Technology plays an immense role in our daily lives. As a country, ever-advancing technological progress allows us to increase our economic output through optimisation of time and opportunities.

As you are well aware technological advancement is constantly evolving. Each major technological development has usually made our daily lives easier and enhanced our quality of life. But, technology in mobile, social media, cloud computing, etc. brings a host of new risks as well.

Hence, staying ahead of multiple technologies and the threats associated with them has become increasingly important. Cyber criminals are able to exploit opportunities in abusing new technologies even before the innovators discover these vulnerabilities. Governments and all stakeholders should, therefore, make significant efforts to study emerging cyber threats closely by examining key risk indicators. A very high premium should be attached to constant vigilance in today’s rapidly changing technological landscape.

Cyber security threats are growing in volume, intensity and sophistication. It has, therefore, become necessary to work out how to reduce the gap between investments in cyber security and their effectiveness.

In general, cyber security is considered as a holistic set of activities that are focused on protecting an organisation’s vital information. Effective cyber security preserves the confidentiality, integrity and availability of information, protecting it from attack from bad actors, and preventing unauthorised access by those who do not “need to know”. So, in today’s business environment, cyber security is not just a technical issue, it is very much a business imperative. Traditionally, cyber security has focused on preventing intrusions, defending firewalls, monitoring ports, etc. The evolving threat landscape calls for a more dynamic approach.

The cyber attack faced by the Bangladesh Central Bank through the SWIFT messaging system shows that even Central Banks and international payment systems can be vulnerable to these threats. Hackers stole $81 million from the Bangladesh Central Bank. As you all are aware, if not for the misspelt name indicated in the SWIFT message and the vigilance of a Sri Lankan banker, the loss would have been much greater. A commercial bank in Vietnam was also attacked using the same method three months after the Bangladesh Bank hacking.

Cyber security strategies should not hamper business development, innovation and stakeholder/customer convenience. “He who defends everything defends nothing”. It should therefore be a carefully devised balancing act, to ensure delicate management of cyber space. 

Episodes involving the stealing of personal information from the Federal Reserve Bank, the Reserve Bank of Australia and Czech Central Bank are other examples of the increasing threat landscape. It has been observed that cyber attacks occur due to political, commercial and personal motives. Therefore, Governments, businesses, civil society groups and individual users can be victims of cyber attacks.

The three-week-long cyber attack which disabled the Government and private sector in Estonia in 2007, the huge distributed denial of service attack which occurred in Myanmar just before the elections, the JP Morgan data breach and the leakage of unpublished films from Sony Pictures are a few other dark episodes. These attacks have brought into sharp focus the need to protect Financial Institutions from attacks conducted via cyberspace for disrupting, disabling, destroying or maliciously controlling a computing environment or infrastructure, destroying the integrity of data, or stealing controlled information, all with the aim of fraudulently moving large amounts of money from the targeted institutions to the accounts of intended beneficiaries.

The World Economic Forum’s 2017 Global Risk Report has identified cyber attacks among the top five global risks in terms of likelihood for 2017.

Based on the cyber threat real time map, Sri Lanka has been identified as the world’s 34th most attacked country. The Microsoft Security Intelligence Report has revealed an increase in the number of security incidents reported in Sri Lanka under malicious software in 2016. The most common were Trojans, Worms, Obfuscators and Injectors.

Conducting fora such as this one to ensure that Sri Lanka stays ahead on the cyber security path is, therefore, vitally important. These sessions provide a good platform to share intelligence on current threats, attacks, vulnerabilities and remedies. In fact, the evolving nature of cyber threats calls for a collaborative, networked defence.

Financial services, risk management and new thinking in cyber security

Financial Institutions have been in the forefront as targets for cyber attacks. While effectiveness of financial intermediation has been enhanced through technological progress, the potential destructive impact of cyber attacks on the entire financial system has also escalated.

Financial sector Institutions and payment systems are the key targets of intruders and hackers, as they are the richest sources of confidential data and monetary assets. The task of ensuring confidentiality, integrity and availability of information has become more complex.  The rapidly evolving fintech industry, Digital KYC, Block Chain, Big data, cloud services, etc. have made the regulators’ role more challenging. It is, therefore, essential to emphasise that financial institutions should embed cyber risks in their overall enterprise-wide risk management framework, particularly in their operational risk mitigation mechanism.

New thinking in the cyber security arena describes three fundamental strategies to cope with cyber risk:

  • Security: Prioritise risks and enhance controls to protect against known and emerging threats.

  • Vigilance: Detect violations and anomalies through better monitoring of workplace behaviours.

  • Resilience: Establish the ability to quickly return to normal operations and repair damage to business.

Kevin Mitnick, who allegedly hacked into the US Department of Defence network, once stated, “Companies spend millions of dollars on firewalls, encryption and secure access devices and this is money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for the computer system that contains protected information.”

Firms need to adopt a holistic approach, while ensuring that the “right basics are in place”. This would serve to mitigate human error and insider threats.

Establishing a framework for data governance can also be identified as a key element of an advanced cyber security system of a financial institution. Clear guidance on how data should be collected, used and stored can prevent unwarranted breaches. Promoting an enterprise-wide cyber security culture will lay a solid foundation to implement such data governance policies.

Outsourcing is another door through which cyber risk can creep into an organisation. Firms should, therefore, seek to mitigate the risk by carefully selecting and managing service providers and by incorporating cyber security and data protection into third party contracts.

Central Bank initiatives

Realising the importance of national initiatives on cyber security preparedness of payment and settlements systems, the Asian Clearing Union member countries have already established their own computer incident response teams at the national level, such as Bhutan’s BtCERT, India’s CERT-In, Myanmar’s MMCERT and Sri Lanka’s SLCERT|CC. In addition, Financial Sectoral CERT initiatives are in existence in India and Sri Lanka.

As the apex financial regulator in the country, the Central Bank of Sri Lanka has ensured that regulated entities have cyber security frameworks in place in accordance with international best practices. The regulatory framework has also sought to ensure that the required room exists for fostering innovations to bring down cost factors.

The CBSL also contributes to the Government’s digitalisation policy. Establishing the Financial Sector Computer Security Response Team, the Financial Sector’s Certificate Authority and issuing regulations under the Payments and Settlements Act to govern mobile payments are key regulatory milestones.

Further, CBSL initiated the Chief Information Officers’ Forum to have an effective dialogue on IT security related issues. The Financial Sector’s Certificate Authority “Lankasign” is another advance in the cyber security architecture. 

The Central Bank envisions promoting its “less cash society” initiative by creating a balance between regulation and innovation as it is the institution that is responsible to the people and the government for the safety and security of public funds as well as for the financial stability of the economy. But this vision can be achieved only through the cooperation of all players in the finance and banking eco-system. All in all, cyber security is about risk management. It is about protecting your business, your shareholders’ investments while maintaining competitive advantage and protecting assets.

I would like to take this opportunity to extend my gratitude to the organisers of the Cyber Security Summit for providing this platform for sharing information and experiences on challenges in the cyber security field, enabling the stakeholders to devise a multidisciplinary approach to managing growing cyber risks.

According to General Keith Alexander (Head, US Cyber Command), “The loss of intellectual property due to cyber attacks amount to the greatest transfer of wealth in human history, stealing intellectual property will lead to disruption of national infrastructure and damage the image of individuals and the country. Hence, combating cyber crimes has to be considered as a national interest and a responsibility. Time is ripe to make cyber security part of our daily business practices.”

At the same time, it is necessary to reiterate that cyber security strategies should not hamper business development, innovation and stakeholder/customer convenience. “He who defends everything defends nothing”. It should therefore be a carefully devised balancing act, to ensure delicate management of cyber space. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War.

Let’s identify our enemy very clearly; and be prepared to combat cybercrime. Our wholehearted commitment towards collaborative defence will assist us to win the battle to maintain cyber security. The Central Bank, as the regulator, is committed to working closely with you in this challenging endeavour.

The strategic partners of the Cyber Security Summit were Cisco and Visa. The other partners were LB Finance PLC, LankaPay, Airtel, Sri Lanka Insurance, Bayshore, ZeroFox, Ezy Intellect, Nations Trust Bank, Citibank, PrintHub, SriLankan Airlines, Cinnamon Grand, Triad and TV Derana, FM Derana and Ada 24x7.