Cyber

Question 1

What is the critical role of IT in modern economies according to the study?

Answer 1

Information technology (IT) is essential for the functioning of contemporary economies, with organizations increasingly relying on IT products and services like cloud systems and artificial intelligence.

Question 2

How has the reliance on IT affected exposure to cyber risks?

Answer 2

This reliance has led to heightened exposure to cyber risks, which are defined as the risk of financial loss, disruption, or reputational damage from IT system failures, including malicious incidents like ransomware, hacking, or internal data theft.

Question 3

What is the challenge in cyber risk management for firms?

Answer 3

Firms actively manage cyber risk and invest in cybersecurity, but quantifying the associated costs is challenging.

Question 4

Why are cyber risks considered a systemic concern in the financial sector?

Answer 4

Cyber risks are viewed as a major threat to stability in the financial sector and are considered national security matters in critical economic sectors.

Question 5

What trends in cyber incidents does the study document using its dataset?

Answer 5

The study notes an increase in cyber incidents until 2016 followed by a reduction, which might be due to increased security investments or delays in discovery/reporting. The average cost of incidents has been rising.

Question 6

How do different economic sectors vary in resilience to cyber incidents?

Answer 6

Different sectors show varied resilience, with the financial sector experiencing frequent, less costly incidents. Data breaches are common and expensive, while business disruptions are infrequent but can incur high costs.

Question 7

What factors influence the costs of cyber events?

Answer 7

Factors include the size of the firm, the nature of the incident (intentional or unintentional), and technological capabilities.

Question 8

What is the role of third-party cybersecurity services in managing cyber risks?

Answer 8

The use of services like cloud technology is linked to lower costs of cyber events but increases interdependence and potential systemic risks.

Question 9

How has the financial sector addressed cyber risks, and what are the specific challenges in the cryptocurrency space?

Answer 9

The financial sector’s proactive risk management and regulation have mitigated attack costs. However, the cryptocurrency space, especially crypto-exchanges, has experienced higher costs from cyber events.

Question 10

What does the study reveal about IT spending across various sectors?

Answer 10

The study finds an overall deficit in IT security investment across sectors, except for the finance and insurance sector, which shows adequate spending levels.

Question 11

Pourquoi le secteur financier est-il une cible privilégiée pour les cyberattaques ? Quel pourcentage des cyberattaques mondiales en 2021 a ciblé le secteur financier, selon IBM ? What are the findings regarding cyber-attacks on financial institutions?

Answer 11

• Le secteur financier est ciblé en raison de ses actifs et données de grande valeur, ce qui en fait une cible lucrative pour les cybercriminels.
• En 2021, le secteur financier a subi 22% de toutes les cyberattaques à l’échelle mondiale.
• Around 91% of cyber-attacks target banks, especially retail banking and credit card services. Losses vary and are not necessarily related to the size of the financial institution. Central banks also face significant cyber-attack risks.

Question 12

How are cyber-attacks categorized in the financial sector?

Answer 12

Cyber-attacks are seen as operational risks impacting the confidentiality, availability, or integrity of information or information systems, affecting firms through breaches, business disruptions, fraud, and data breaches.

Question 13

Quel impact systémique les cyberattaques peuvent-elles avoir sur le secteur financier ?

Answer 13

Les cyberattaques peuvent menacer la stabilité financière en affectant des organisations individuelles ou plusieurs composantes du système financier, pouvant entraîner une crise systémique.

Question 14

Quels sont les exemples de services financiers critiques pouvant être perturbés par des cyberattaques ?

Answer 14

Les services critiques incluent la garde de titres, le règlement centralisé, les services de paiement, les systèmes de règlement brut en temps réel (RTGS) et SWIFT.

Question 15

Quelles sont les principales menaces cyber auxquelles le secteur financier est confronté ?

Answer 15

Les menaces incluent

• des perturbations des infrastructures critiques,
• des atteintes à l’intégrité des données,
• des défaillances technologiques,
• des risques liés aux interdépendances opérationnelles et financières,
• l’augmentation de la dépendance aux fournisseurs de services tiers,
• la concentration dans les services cloud,
• et les vulnérabilités liées aux technologies émergentes comme les paiements mobiles sans contact et la finance décentralisée.

Question 16

Quels sont les efforts entrepris pour renforcer la résilience opérationnelle du système financier face aux risques cyber ?

Answer 16

Les efforts comprennent

• l’évolution réglementaire,
• l’élaboration de cadres de supervision,
• la coopération entre les autorités de supervision et de sécurité de l’information,
• l’adoption d’outils communs et une coordination renforcée,
• la gestion de crise,
• l’établissement de canaux de confiance et de communication,
• la coopération bilatérale et les cadres internationaux,
• ainsi que les exercices de simulation réguliers.

Question 17

Comment les autorités réglementaires et de supervision adaptent-elles leur cadre pour gérer le risque cyber ?

Answer 17

Elles ont mis en place des directives et des actes comme le Digital Operational Resilience Act (DORA) de l’UE, et adaptent leurs cadres réglementaires nationaux, comme la France avec l’ACPR, pour standardiser la gestion du risque cyber dans le secteur financier.

Question 18

Quel est le rôle de la coopération entre les autorités de supervision et de sécurité de l’information ?

Answer 18

Cette coopération vise à surveiller le risque cyber, comme l’ECB qui supervise les banques importantes sous le Single Supervisory Mechanism (SSM) pour le risque cyber, et l’ENISA qui favorise l’échange de bonnes pratiques entre les autorités.

Question 19

Quelle est l’importance des outils communs et de la coordination améliorée dans la gestion des risques cyber ?

Answer 19

Ces outils et cette coordination sont essentiels pour gérer les interdépendances opérationnelles et financières dans le secteur financier, incluant

• la systématisation des notifications d’incidents,
• l’harmonisation des taxonomies d’incidents,
• et l’identification des sources de risque systémique.

Question 20

En quoi consiste la gestion de crise dans le contexte du risque cyber ?

Answer 20

Elle comprend le développement de meilleures pratiques et d’outils pour répondre aux incidents cyber, comme ceux développés par le Financial Stability Board et le G7 Cyber Expert Group, et l’intégration du risque cyber dans les outils macroprudentiels comme les tests de stress systémiques cyber proposés par l’ESRB.

Question 21

Comment la communication et la confiance entre les entités privées et les autorités financières sont-elles établies ?

Answer 21

Elles sont établies à travers des groupes de travail et des canaux de communication dédiés pour le partage d’informations et la coordination opérationnelle en cas de crise, comme le groupe de travail ‘Robustness’ en France.

Question 22

Quel est le rôle de la coopération bilatérale et des cadres internationaux ?

Answer 22

La Banque de France et l’ACPR, par exemple, ont établi une coopération bilatérale en matière de cybersécurité avec des autorités financières étrangères, comme un mémorandum d’entente avec l’Autorité monétaire de Singapour, pour renforcer la résilience cyber par le partage d’informations. 

Question 23

Qu’est-ce que le risque cyber et comment est-il classifié par la Banque des Règlements Internationaux ?

Answer 23

Le risque cyber englobe les risques liés au monde numérique affectant la confidentialité, l’intégrité ou la disponibilité des systèmes d’information ou des données.

Il est classé en quatre dimensions :

• causes/méthodes,
• acteurs,
• intention
• et conséquences.

Question 24

Quels sont les défis liés à la quantification du risque cyber ?

Answer 24

La nature en constante évolution du risque cyber le rend difficile à définir et à quantifier, et le manque de transparence dans le signalement des incidents complique l’évaluation de la fréquence du risque et de son impact économique potentiel.

Question 25

Quels sont les impacts directs et indirects du risque cyber ?

Answer 25

Les impacts directs incluent les paiements de rançon et la perte de revenus due aux perturbations opérationnelles. Les impacts indirects comprennent les dommages à la réputation de l'organisation victime et les effets sur les tiers, comme la perte de confiance affectant des secteurs entiers, la perte de données, l'impact sur les chaînes de valeur, ou une augmentation de l'aversion au risque.

Question 26

Quelles sont les estimations de l'impact agrégé du risque cyber ?

Answer 26

Les estimations varient largement, allant de 50 milliards à 650 milliards de dollars annuellement selon le CERS. Une approche Value-at-Risk estime l'impact direct à 6 600 milliards de dollars et l'impact total à 22 500 milliards de dollars, soit environ un tiers du PIB mondial avec une probabilité de 5%.

Question 27

Why is the financial sector evermore vulnerable to cyberattacks?

Answer 27

The financial sector is highly vulnerable due to its extensive digitization and reliance on digital infrastructures, making it a prime target for cyberattacks. The Boston Consulting Group found that financial entities are 300 times more likely to be targeted compared to other sectors. The shift to remote work during the COVID-19 pandemic further heightened these vulnerabilities.

Question 28

How can cyber incidents impact the financial sector's stability?

Answer 28

Cyber incidents can undermine financial stability by eroding trust in the system's security. This can lead to consequences like massive bank withdrawals, liquidity freezes, and operational disruptions. Studies show varying capacities of financial organizations to absorb significant cyber shocks.

Question 29

What factors influence the systemic impact of a cyber incident in the financial sector?

Answer 29

Factors include the nature of the threat (especially if intended to destabilize the financial system), affected functions (particularly those causing permanent data integrity loss), propagation channels, and the level of preparedness of companies and authorities.

Question 30

Why is regulating cybersecurity important in the financial sector?

Answer 30

Regulating cybersecurity is crucial to align incentives, ensure companies are responsible for their clients' data security, reduce information asymmetry through mandatory incident reporting, and develop certification mechanisms.

Question 31

What regulatory guidance and reporting standards are in place for cyber risk?

Answer 31

In the U.S., the SEC requires listed firms to disclose cyber risks, while the GDPR in the EU mandates breach reporting within 72 hours, imposing substantial fines for non-compliance.

Question 32

How is the Global Cybersecurity Index used in assessing cyber risk?

Answer 32

The ITU's Global Cybersecurity Index assesses cybersecurity preparedness based on factors like legal, technical, and organizational arrangements, with advanced economies generally scoring higher.

Question 33

What is the purpose of the Digital Operational Resilience Act (DORA)?

Answer 33

DORA aims to enhance cybersecurity in the European financial sector, enabling resilient operations in the face of operational disruptions, especially those caused by cyberattacks.

Question 34

What uniform requirements does DORA set?

Answer 34

DORA establishes uniform requirements for network and information system security across financial companies and critical third-party IT and communication technology service providers, including cloud computing and data analytics services.

Question 35

What types of disruptions and threats does DORA focus on?

Answer 35

DORA mandates that companies ensure they can withstand, respond to, and recover from all types of Information and Communication Technology (ICT) disruptions and threats.

Question 36

How does DORA determine the efforts required from financial entities?

Answer 36

The efforts required from financial entities under DORA will be proportional to the potential risks they face.

Question 37

Are there any exclusions in the applicability of DORA?

Answer 37

Almost all financial entities in the EU will be subject to DORA, with auditors temporarily excluded but potentially considered in future reviews.

Question 38

What requirements does DORA impose on third-country providers?

Answer 38

Critical service providers based in third countries offering IT services to EU financial entities must establish an EU subsidiary to allow for proper supervision.

Question 39

What supervisory framework is established under DORA?

Answer 39

DORA includes an additional joint supervisory network to enhance coordination between European supervisory authorities on digital operational resilience.

Question 40

What are the provisions for penetration testing and internal auditors under DORA?

Answer 40

Penetration testing will be operational, potentially involving authorities from multiple EU Member States. The use of internal auditors will be limited to strictly defined circumstances.

Question 41

How does DORA interact with the NIS Directive?

Answer 41

DORA clearly defines rules for digital operational resilience for financial entities, building upon the Network and Information Systems (NIS) Directive and removing overlaps with a lex specialis exemption.

Question 42

What is the context and background of DORA?

Answer 42

DORA was proposed as part of a broader digital finance package, including a digital finance strategy, proposals on crypto-asset markets (MiCA), and distributed ledger technology (DLT), aimed at facilitating technological development while ensuring financial stability and consumer protection.

Question 43

What is the EU's definition of cybersecurity?

Answer 43

Cybersecurity in the EU involves protecting computer systems from malicious attacks or espionage, and includes all techniques and tools to safeguard infrastructures and the confidentiality, integrity, and availability of data in the digital world.

Question 44

How is the European cybersecurity market valued and what is its growth rate?

Answer 44

The European cybersecurity market is valued at over 130 billion euros and is growing at a rate of 17% annually.

Question 45

What are the key threats identified in EU cyberspace?

Answer 45

Identified threats include ransomware, malware, covert mining, email attacks, data threats, denial of service attacks, disinformation, supply chain attacks, and unintentional incidents caused by human error or poor IT configurations.

Question 46

How do cyberattacks impact SMEs and public administrations in the EU?

Answer 46

Cyberattacks affect not only individuals but also SMEs and public administrations, with SMEs being particularly vulnerable due to fewer resources for cybersecurity.

Question 47

What is the role of the EU Agency for Cybersecurity (ENISA)?

Answer 47

Established in 2004 and strengthened in 2019, ENISA works with EU member states and institutions to maintain and improve digital security, providing a framework of technical requirements, standards, and procedures.

Question 48

What does the Directive on Network and Information Systems (NIS) mandate? What is the proposed NIS 2 Directive and its objectives?

Answer 48

- The NIS Directive imposes security obligations on operators in strategic sectors like transport, energy, health, and finance, including the requirement to report incidents to national authorities. - The NIS 2 Directive aims to expand coverage to more sectors and strengthen corporate obligations and national authority surveillance measures.

Question 49

What are the planned Security Operation Centres (SOCs)?

Answer 49

SOCS are AI-assisted centers acting as "digital police."

Question 50

What is the Secure Space Connectivity Initiative?

Answer 50

A constellation of satellites in low orbit to improve connectivity and internet access, ensuring service continuity during cyberattacks, with an estimated cost of 6 billion euros.

Question 51

What is the timeline for implementing the Digital Operational Resilience Act (DORA) in the EU?

Answer 51

The implementation period for most of DORA's requirements is likely to be 24 months, expected to run from the second half of 2022 to the second half of 2024, with discussions on extending the timeline for resilience testing requirements.

Question 52

What are the ICT risk management requirements under DORA?

Answer 52

The Council and European Parliament (EP) agree on proportionality for smaller financial services (FS) firms and delegate rulemaking to the European Supervisory Authorities (ESAs) through Regulatory Technical Standards (RTS). Differences include the EP's push for public reporting of ICT incidents and the Council's emphasis on business impact analyses.

Question 53

What are the ICT incident reporting requirements in DORA?

Answer 53

There's a consensus on introducing harmonized reporting requirements for major ICT-related disruptions, which will likely broaden reporting obligations for firms and may include mandatory reporting of significant cyber threats.

Question 54

What resilience testing requirements does DORA impose on financial firms?

Answer 54

Firms will be required to conduct various operational resilience tests, including advanced testing like Threat-Led Penetration Testing (TLPTs), with the scope and frequency still being determined.

Question 55

How does DORA address third-party risk management?

Answer 55

DORA maintains requirements for firms using third-party providers (TPPs) for critical functions, including key contractual provisions, with additional requirements proposed by the EP.

Question 56

What is the oversight mechanism for Critical Third-Party Providers (CTTP) under DORA?

Answer 56

Certain ICT TPPs designated as “critical” will come under the direct oversight of EU financial authorities, bringing them into the financial services regulatory perimeter.

Question 57

How does DORA integrate cryptoassets into its framework?

Answer 57

DORA includes amendments to align existing EU Directives with the proposed operational resilience framework, integrating Distributed Ledger Technology (DLT)-enabled products into the definition of a financial instrument under MiFID2.

Question 58

What is the role of Level 2 rulemaking in DORA?

Answer 58

DORA delegates authority to the ESAs to develop detailed Regulatory Technical Standards (RTS) on ICT risk management, incident reporting, resilience testing, and third-party risk management.

Question 59

How should firms prepare for the implementation of DORA?

Answer 59

Firms should conduct a gap analysis of existing ICT risk management practices, evaluate current incident management and reporting capabilities, understand resilience testing requirements, and improve mapping and management of third-party provider relationships.

Question 60

What is the significance of DORA for financial services firms?

Answer 60

DORA presents a comprehensive approach to digital operational resilience, requiring significant preparatory work and a proactive approach from financial services firms to comply with the new requirements.