Banks need mandatory cyber security tests says RBA, EU Central Bank

Banks could soon face penetration tests instigated by regulators and be subject to the equivalent of an annual cyber-roadworthy certificate under bold reforms canvassed by the Reserve Bank of Australia, JP Morgan and the European Central Bank at SIBOS 2018 in Sydney.

In a discussion dedicated to addressing cyber risk, some of the world’s leading central financial authorities and institutions frankly admitted much more must be done than just creating frameworks and relying on commercial solutions if all financial players are going to be secured.

The set topic for the discussion was meant to be how to secure the "long tail" of smaller financial players from cyber attacks.

However, discussion quickly turned to better cyber intelligence sharing and the need to put smaller financial players on an equal cyber-footing rather than talking down to the smaller fish in the pond.

“I don’t like to say small banks, small infrastructure are less protected … I expect, and we hope, they are equally protected,” said Francisco Tur Hartmann, head of division for the European Central Bank.

According to Tur Hartmann, part of the EU approach has been to put smaller players on similar cyber footings to their bigger rivals.

It’s far from a desktop or self-certifying exercise either; drills are in place to test the sufficiency and speed of human reaction.

The Reserve Bank of Australia (RBA), for one, quite likes the sound of that proactive approach.

“I really like the way the EU approaches minimum security standards and applies them across the board. So as a customer you know that your bank meets a minimum standard. [That] type of framework for testing banks is a fantastic approach,” said Andrew Pade, CISO at the RBA.

“It’s something we could learn. If we were to approach threat based cyber security penetration tests against the banks as a minimum standard, a minimum bar… I think that would be a good approach.”

On the question of cyber intelligence sharing and competitive rivalry between banks, JP Morgan’s Asia Pacific CISO,  David Leach, said not sharing cyber smarts was more an issue of competitive disadvantage than advantage.

“They [criminals] can already collaborate effectively and use that advantage to defeat us… what are we doing?" Leach asked.

“The more we are helping each other out, strategically, tactically and operationally, we get to see what the bad guys are doing to the guy down the street. We should be using that and making it available to other organisations,” Leach said.

He added that while good intelligence could be the by-product of intel sharing activity, or the by-product of an incident, banks didn’t “necessarily need to share the whodunnit of the nitty gritty” in order to come out with sound recommendations what to do next.

The RBA’s CISO also suggested that banks' cyber resilience should be tested like a car’s annual inspection before registration.

"We apply that approach in other areas of our lives. Driving a car … it has to be roadworthy before you can have it on the road for another 12 months," Pade said.

"We have standards [for road safety]. And just because I got my car serviced last week it doesn’t mean I can drive recklessly."

Pade ventured that while he believed tests were a better way forward than "complying to a framework" it was the currency and effectiveness of measures that should be assessed.

Put another way, it is tangible defensive effect regulators are looking for rather than a rubber stamp.

"Cyber security isn’t like a trip to Disneyland where [you can go] 'been there, done that, bought the shirt'. It's an ongoing momentum that always need s to be maintained," Pade said.

The RBA's cyber chief said key questions he always asks his peers were "what are they doing to solve their own problems" because the threats he faces facing "are evolving so fast it takes about six months before I can buy [the security solutions] from IBM."

[For context Pade mentioned IBM as they were part of the panel rather than specifically singling out the vendor.]

Pade questioned if relying on commercial security partners was enough because of the speed and sophistication at which cyber threats unfolded and whether bought solutions arrived in time to abate threats.

"So I have to do something before then, before a commodity is available," Pade said.

Asked which geographies were bowling up the most cyber threat activity, JP Morgan's David Leach provided a diplomatic answer that left few doubts.

"Follow geopolitics, there is a strong nexus. We live in an interesting world right now," Leach said.