Cybersecurity in the Digital Economy Challenges and Threats to the Financial Services Sector

Transcription

1 Cybersecurity in the Digital Economy Challenges and Threats to the Financial Services Sector 15 April 2015, Brussels Memorandum

2 involved in cybersecurity to work on Dr Steve Purser Head of Core Operations Department, ENISA (Moderator) In his opening remarks, Mr Purser said that it is important to define the problems before looking at solutions, and pointed out that all solutions are a combination of three elements: people, process and technology. He sees a tendency in the industry to focus on the technological tools, but these are useless if not used in the right way. This, he said, frequently does not happen due to a lack of scalability, flexibility and usability all of which need to be improved in the area of cybersecurity. Finally he said that prioritization of management is key, and he encouraged the people two separate axes: the strategic axis and the tactical approach. Such an approach is necessary, said Mr Purser, to enable efficient partitioning of staff and ensure appropriate apportioning of resources. Martin Mühleck Programme Officer, Trust and Security, DG CONNECT, European Commission Mr Mühleck gave an overview of EU policies in the area of cybersecurity. He introduced the European Cybersecurity Strategy, which was published in It gathers together all the policy items and initiatives to be launched for a variety of public and private stakeholders, industry groups,

3 consumers and users where the security of the digital economy is at stake. A key component of the strategy is the Network and Information Security (NIS) Directive, which is currently in trialogue with the Commission, the Council and the European Parliament. It deals with three main topics: capacity building among the Member States to prepare them adequately for incidents; stipulation of obligations for the Member States to cooperate and share information; and requirements for special sectors such as banking and financial infrastructures for reporting of any grave cybersecurity incidents. After the adoption of the Directive the Commission will monitor its implementation in Member States. Mr Mühleck stressed the need for the Commission to fully engage with all stakeholders, as the Directive alone will not solve all the problems and issues. With this in mind, the Commission launched the NIS Platform with three working groups: risk management, information exchange & reporting, and research & innovation. First drafts of documents are available, and delegates were encouraged to read them and provide their feedback. Edwin Aoki Chief Architect and Technology Fellow, PayPal Mr Aoki said that PayPal continues to invest millions of dollars to protect users security while endeavouring to ensure a balance with convenience to provide the frictionless payment methods that over 160 million PayPal users expect. DMARC is one such innovation, co-developed by PayPal. It

4 authenticates senders and provides mail rejection and reporting at the receiver, so that users are never exposed to malicious content. Today DMARC effectively protects billions of users from phishing attacks. Another initiative PayPal is been actively supporting since years is F.ID.O (Fast Identity Online) for simpler, stronger authentication. Its pluggable local authentication takes advantage of a wide range of access methods including secure PIN, biometrics, and new methods as they are developed. It frees users from passwords that are hard to remember, often used across several sites, and sometimes insecure. Mr Aoki said that PayPal supports regulatory efforts to increase security in the digital area, such as the NIS Directive, to establish a high-level of network information and security across the EU. However, as the industry is confronted with the fast pace of technology innovation, he considers that regulation must retain an inclusive, technology-neutral and global approach that protects consumers while avoiding a patchwork of multiple (or conflicting) national standards and requirements. He warns against overlapping of reporting obligations, and strongly recommends keeping the dialogue amongst stakeholders in the financial services, technology providers and regulators to craft policies that strike the right balance between security and innovation, and which can create new opportunities for everyone in the emerging digital economy.

5 Darren Argyle Global Chief Information Security Officer, Markit Mr Argyle welcomes the NIS Directive to help the collaboration and sharing of information, as he regards information sharing as the most important aspect of tackling cybercrime. He presented some ideas of what might need to be considered when tackling cybercrime. Traditionally most resources have been spent on protection, but he thinks there will be a shift so that by 2020 around 60% of security investments will deal with detection and response. This is an acknowledgement that a%ackers are already in the environment today and what needs to be done is to stop them reaching their ultimate objective, which is accessing an entire network s sensitive information. He thinks more needs to be done in the preparation phase, where simulation will become hugely important. Data classification is necessary, so that you know what level of protection to put around certain data. Awareness and education also needs to be improved, and Mr Argyle stressed the need to develop people-centric rather than technologybased security. In the recovery phase, business continuity planning (BCP) is an integral part of information security, so that enterprises can recover as quickly as they can detect. Finally, he recommended two recently published reports: one from Verizon Business Associates, and the more technical Internet Security Threat Report from Symantec.

6 Bruno Schröder Technology Officer, Microsoft BeLux Mr Schröder displayed an empty slide with the title The Un-Hackable Environment, as it does not exist. A few years ago Microsoft realised that prevention is not enough, the attacker often is already inside the environment. So the question now is how to remain secure when a cyberattacker has already penetrated your environment? Mr Schröder outlined the challenges. The threat landscape is constantly evolving, which means that Risk Assessment Frameworks are extremely critical for technology suppliers. The complexity of security requirements and the multiple regulations applicable are extremely challenging, so he called for a new dialogue among regulators with technology suppliers. This dialogue needs to be more forward thinking as to how technology can meet the needs of the financial sector. Microsoft continually monitors the security landscape and is constantly thinking about how to adapt its technology platforms two or three years down the line. He believes strongly that the future is the only way forward, with companies like Facebook and Amazon likely to completely change the payment landscape in the next five years, using the Cloud infrastructure connected to point of sale applications. This will lead to a number of new and different scenarios such as digital intimacy, the online advisor and many other new entrants. Mr Schröder believes that these developments need to be anticipated from a regulatory perspective.

7 Panel discussion The first question from the floor was whether, in the light of the NIS Directive, EU or national regulators will be required to play a role in the cyber aspects of financial services. Mr Mühleck said implementation by Member States of the NIS Directive will be key, as they will be responsible for monitoring its implementation. He said that over the next three or four years, how implementation works for international companies will be closely monitored to ensure a fully European approach. A question was asked on how Europe can compete with new players, for example from the US, which have less strict regulations regarding data protection and privacy in areas such as cloud computing, geo-localisation and analytics. Mr Mühleck said that Europe should offer high data regulation and security as a competitive advantage, so that data stored on a European territory under European rules should give users greater trust. Mr Aoki said that uniform and consistent reporting requirements are needed given the global nature of digital services providers: such requirements will assist in meeting the high level of trust and confidence that European customers demand, providing a regulatory framework that supports digital innovation. Mr Purser wondered what might be the biggest future challenges to security in the financial industry. Understanding where sensitive data is, prioritizing the investments, and protecting the critical infrastructure, said Mr Argyle, while Mr Schröder sees the dynamic nature of data, which banks need to integrate in how they operate, as the key challenge. Mr Purser himself sees the challenge as getting the optimal balance between opportunity and risk. Mr Argyle agrees, and thinks that a

8 bank needs to define its risk appetite done on it. He also believes that it is up front, get buy-in, and then important to move beyond traditional disseminate this across all business a c c o u n t c r e d e n t i a l s t o o t h e r units. mechanisms that would allow for the In a delegate s view, the biggest appropriate level of sharing and challenge is the Directive on Payment control with third parties. Mr Schröder Services, in which the codes used to mentioned that authentication of users access a bank account could be and how we deal with validation of openly transmitted to third-party individuals is certainly an important providers. Mr Aoki pointed out that this topic that needs to be addressed in the Directive is still in the trialogue phase future. and clearly requires more work to be Sponsored by: Media Partner: