Cybersecurity in the Digital Economy Challenges and Threats to the Financial Services Sector




Cybersecurity in the Digital Economy Challenges and Threats to the Financial Services Sector 15 April 2015, Brussels Memorandum

Dr Steve Purser, Head of Core Operations Department, ENISA (Moderator)

In his opening remarks, Mr Purser said that it is important to define the problems before looking at solutions, and pointed out that all solutions are a combination of three elements: people, process and technology. He sees a tendency in the industry to focus on the technological tools, but these are useless if not used in the right way. This, he said, frequently does not happen due to a lack of scalability, flexibility and usability, all of which need to be improved in the area of cybersecurity. Finally, he said that prioritization of management is key, and he encouraged the people involved in cybersecurity to work on two separate axes: the strategic axis and the tactical approach. Such an approach is necessary, said Mr Purser, to enable efficient partitioning of staff and ensure appropriate apportioning of resources.

Martin Mühleck, Programme Officer, Trust and Security, DG CONNECT, European Commission

Mr Mühleck gave an overview of EU policies in the area of cybersecurity. He introduced the European Cybersecurity Strategy, which was published in 2013. It gathers together all the policy items and initiatives to be launched for a variety of public and private stakeholders, industry groups, consumers and users where the security of the digital economy is at stake. A key component of the strategy is the Network and Information Security (NIS) Directive, which is currently in trialogue with the Commission, the Council and the European Parliament. It deals with three main topics: capacity building among the Member States to prepare them adequately for incidents; stipulation of obligations for the Member States to cooperate and share information; and requirements for special sectors such as banking and financial infrastructures to report any grave cybersecurity incidents. After the adoption of the Directive the Commission will monitor its implementation in Member States. Mr Mühleck stressed the need for the Commission to fully engage with all stakeholders, as the Directive alone will not solve all the problems and issues. With this in mind, the Commission launched the NIS Platform with three working groups: risk management, information exchange & reporting, and research & innovation. First drafts of documents are available, and delegates were encouraged to read them and provide their feedback.

Edwin Aoki, Chief Architect and Technology Fellow, PayPal

Mr Aoki said that PayPal continues to invest millions of dollars to protect users' security while endeavouring to ensure a balance with convenience, to provide the frictionless payment methods that over 160 million PayPal users expect. DMARC is one such innovation, co-developed by PayPal. It authenticates senders and provides mail rejection and reporting at the receiver, so that users are never exposed to malicious content. Today DMARC effectively protects billions of users from phishing attacks. Another initiative PayPal has been actively supporting for years is FIDO (Fast Identity Online) for simpler, stronger authentication. Its pluggable local authentication takes advantage of a wide range of access methods, including secure PIN, biometrics, and new methods as they are developed. It frees users from passwords that are hard to remember, often reused across several sites, and sometimes insecure. Mr Aoki said that PayPal supports regulatory efforts to increase security in the digital area, such as the NIS Directive, to establish a high level of network and information security across the EU. However, as the industry is confronted with the fast pace of technological innovation, he considers that regulation must retain an inclusive, technology-neutral and global approach that protects consumers while avoiding a patchwork of multiple (or conflicting) national standards and requirements. He warns against overlapping reporting obligations, and strongly recommends keeping up the dialogue amongst stakeholders in financial services, technology providers and regulators to craft policies that strike the right balance between security and innovation, and which can create new opportunities for everyone in the emerging digital economy.
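The receiver-side DMARC behaviour Mr Aoki describes (sender authentication, rejection and reporting), as an added example that is not code from PayPal or from this memorandum: it parses a published DMARC record and applies the identifier-alignment and policy rules of RFC 7489 to SPF/DKIM results to decide whether a message passes, what disposition applies, and where aggregate reports go. The record and authentication results are constructed, and the organizational-domain reduction is a simplification of what a real receiver does with the Public Suffix List.

```python
"""DMARC evaluation at the receiver (added example, constructed data):
parse a DMARC TXT record and decide a message's disposition per RFC 7489."""
from dataclasses import dataclass

# Constructed record, as it would be published at _dmarc.example.com
SAMPLE_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs, filling RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    tags.setdefault("p", "none")    # policy applied to mail that fails DMARC
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, where the policy is looked up
    spf_result: str    # "pass" or anything else
    spf_domain: str    # domain SPF was checked against (MAIL FROM)
    dkim_result: str
    dkim_domain: str   # d= of the verified signature, "" if none

def evaluate(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_pass, disposition, aggregate-report URIs to notify)."""
    t = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, t["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, t["adkim"])
    passed = spf_ok or dkim_ok          # either aligned pass satisfies DMARC
    disposition = "none" if passed else t["p"]
    reports = [u.strip() for u in t.get("rua", "").split(",") if u.strip()]
    return passed, disposition, reports
```

A message whose only passing identifier is a non-aligned domain ends up with the publisher's p= disposition, and the rua= addresses are where the receiver's aggregate report about it would be sent.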

Darren Argyle, Global Chief Information Security Officer, Markit

Mr Argyle welcomes the NIS Directive to help the collaboration and sharing of information, as he regards information sharing as the most important aspect of tackling cybercrime. He presented some ideas of what might need to be considered when tackling cybercrime. Traditionally most resources have been spent on protection, but he thinks there will be a shift, so that by 2020 around 60% of security investments will deal with detection and response. This is an acknowledgement that attackers are already in the environment today, and what needs to be done is to stop them reaching their ultimate objective, which is accessing an entire network's sensitive information. He thinks more needs to be done in the preparation phase, where simulation will become hugely important. Data classification is necessary, so that you know what level of protection to put around certain data. Awareness and education also need to be improved, and Mr Argyle stressed the need to develop people-centric rather than technology-based security. In the recovery phase, business continuity planning (BCP) is an integral part of information security, so that enterprises can recover as quickly as they can detect. Finally, he recommended two recently published reports: one from Verizon Business Associates, and the more technical Internet Security Threat Report from Symantec.

Bruno Schröder, Technology Officer, Microsoft BeLux

Mr Schröder displayed an empty slide with the title "The Un-Hackable Environment", as it does not exist. A few years ago Microsoft realised that prevention is not enough: the attacker is often already inside the environment. So the question now is how to remain secure when a cyberattacker has already penetrated your environment. Mr Schröder outlined the challenges. The threat landscape is constantly evolving, which means that Risk Assessment Frameworks are extremely critical for technology suppliers. The complexity of security requirements and the multiple applicable regulations are extremely challenging, so he called for a new dialogue between regulators and technology suppliers. This dialogue needs to be more forward-thinking as to how technology can meet the needs of the financial sector. Microsoft continually monitors the security landscape and is constantly thinking about how to adapt its technology platforms two or three years down the line. He believes strongly that the future is the only way forward, with companies like Facebook and Amazon likely to completely change the payment landscape in the next five years, using Cloud infrastructure connected to point-of-sale applications. This will lead to a number of new and different scenarios, such as digital intimacy, the online advisor and many other new entrants. Mr Schröder believes that these developments need to be anticipated from a regulatory perspective.

Panel discussion

The first question from the floor was whether, in the light of the NIS Directive, EU or national regulators will be required to play a role in the cyber aspects of financial services. Mr Mühleck said implementation by Member States of the NIS Directive will be key, as they will be responsible for monitoring its implementation. He said that over the next three or four years, how implementation works for international companies will be closely monitored to ensure a fully European approach.

A question was asked on how Europe can compete with new players, for example from the US, which have less strict regulations regarding data protection and privacy in areas such as cloud computing, geo-localisation and analytics. Mr Mühleck said that Europe should offer high data regulation and security as a competitive advantage, so that data stored on European territory under European rules should give users greater trust. Mr Aoki said that uniform and consistent reporting requirements are needed given the global nature of digital service providers: such requirements will assist in meeting the high level of trust and confidence that European customers demand, providing a regulatory framework that supports digital innovation.

Mr Purser wondered what might be the biggest future challenges to security in the financial industry. Understanding where sensitive data is, prioritizing the investments, and protecting the critical infrastructure, said Mr Argyle, while Mr Schröder sees the dynamic nature of data, which banks need to integrate in how they operate, as the key challenge. Mr Purser himself sees the challenge as getting the optimal balance between opportunity and risk. Mr Argyle agrees, and thinks that a bank needs to define its risk appetite up front, get buy-in, and then disseminate this across all business units.

In a delegate's view, the biggest challenge is the Directive on Payment Services, in which the codes used to access a bank account could be openly transmitted to third-party providers. Mr Aoki pointed out that this Directive is still in the trialogue phase and clearly requires more work to be done on it. He also believes that it is important to move beyond traditional account credentials to other mechanisms that would allow for the appropriate level of sharing and control with third parties. Mr Schröder mentioned that authentication of users and how we deal with validation of individuals is certainly an important topic that needs to be addressed in the future.