Appearing at Sibos 2020, Fiona van Echelpoel, deputy director general, ECB, dove into the biggest cyber threats facing financial services as the Covid-19 pandemic continues to unfold.
Given her unique standpoint within market infrastructure and payments at the central bank, we asked Echelpoel for more detail on the bank’s observations regarding cyber security and vulnerabilities since the crisis took hold.
What is the most significant digital security issue that has emerged since the Covid-19 outbreak?
While the ECB expects that the Covid-19 pandemic will accelerate digital transformation and innovation in the financial sector, Echelpoel observes that this will further increase the dependence on technology and, if not done properly, may lead to higher cyber risks.
“The Covid-19 outbreak has brought a resurgence in ransomware attacks across various industries, culminating in the death of a patient due to the effects of such an attack on a hospital.
“According to industry sources, ransomware attacks have tripled in Q2 2020 compared to Q1 and further evolved to demand a ransom for Denial of Service attacks. Such attacks are concerning for us as they also use anonymised and untraceable digital assets to receive ransoms.”
Has Covid-19 created more sophisticated cyber hackers, or has it merely provided them with greater surface areas for attack?
Interestingly, Echelpoel notes that the ECB has not seen an increase in the overall number of phishing emails sent to the central bank since the crisis outset. However there is a clear trend toward threat actors exploiting uncertainty and public interest around Covid-19 as a lure across phishing emails and the propagation of malware. She notes that industry reports suggest a slight upward trend in the receipt of these malicious Covid-19 associated emails.
“Such situations highlight the importance of sharing information about cybercrime attempts in order to protect the financial community and the financial ecosystem as a whole.”
Echelpoel points to the work the ECB is carrying out in this area, sharing that the Euro Cyber Resilience Board, chaired by the ECB, is currently implementing the Cyber Information and Intelligence Sharing Initiative (CIISI-EU) to share intelligence and exchange best practices with the aim of protecting the financial systems from cyberattacks.
Insofar as the sophistication of cyber hackers, during the Sibos panel session Echelpoel attended, ‘Covid-19: Open season for cyber hackers?’, Jerry Perullo, CISO, Intercontinental Exchange, said that “though we haven’t seen it yet, we expect that malware will start targeting the ‘remote working’ situation more aggressively.”
The concern is that threat actors will begin to make connections between a personal device being used on home (likely less secure) networks and drill into those expanded and potentially weaker surface areas for attack.
Is it possible to securely run and manage critical payments and securities systems during a pandemic?
Despite progress and collaboration being made in the space, it is clear that areas of vulnerability remain. Attacks such as the DDOS attack which brought down the New Zealand Stock Exchange or Finastra’s ransomware attack earlier this year illustrate that threat actors remain motivated as ever to impede smooth operations of financial systems across the globe.
When asked directly whether it’s possible to manage such infrastructure securely during a pandemic Echelpoel is more positive in her outlook: “In short, I would say yes. But let me elaborate more on that.
“We observed that most of the critical payment and securities systems quickly adapted to the new situation and were able to operate almost entirely remotely. Despite often dealing with highly volatile traffic, they did not experience any significant security issues or operational performance gaps. This is a result of prudent and forward-looking business continuity planning, as well as the increased remote working that we have seen over the past years prior to the Covid-19 pandemic.”
Echelpoel elaborates that the ECB has in place cyber incident reporting schemes across the euro area, which are obligatory for the significant institutions and financial market infrastructures. Notably, she adds that “through these channels, we did not become aware of any impactful cyber incidents related to Covid-19 across the 19 euro-area countries.”
The ECB also has not observed any significant increase of cyber risks across TARGET services in relation to Covid-19.
Are there any unexpected security benefits that have emerged as employees have been required to work from home on ‘unsecure’ networks?
During the Sibos panel mentioned earlier, the question of a ‘regulators role’ opened the discussion to how supervisory bodies and authorities should best approach the challenge. The overarching takeaway from this was that there is more warmth to the idea of collaborative relationships and engagements rather than reactive regulatory behaviour.
While noting that the natural first step “as overseers of financial market infrastructures” was to request that the ECB’s overseen entities raise awareness among their staff about remote working and the related cyber risks, Echelpoel also points to the TIBER-EU framework recommended by the ECB to guide firms in their internal testing processes.
“It is the first EU-wide guide on how authorities, entities, threat intelligence and red-team providers should work together to test and improve the cyber resilience of entities by carrying out a controlled cyberattack.”
Echelpoel explains that the tests mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence and are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e. its people, processes and technologies.
As the outcome of the test is not a “pass or fail”, it is intended to reveal strengths and weaknesses of the tested entity and to allow a for a dialogue between the entity and the regulator being overseen.
“I think this is an important role the regulator plays in the area of cyber security, which must be approached differently to other risks.”
We have also asked Jonathan Pagett, acting CISO, Bank of England, to weigh in on the subject. We look forward to his responses for Part 2 of this series.