#2018InReview Subtle Shifts in Financial Services Security

In 2018, the arrival of the EU General Data Protection Regulation dominated the regulatory and privacy landscape and overshadowed developments in cybersecurity. Yet subtler shifts were taking place at the same time, and they merit attention.

Operational Resilience Rises Rapidly
The spectre of the 2017 NotPetya attacks (destructive malware that presented itself as ransomware) loomed large in 2018 and served as a motivating factor for both financial services (FS) and regulators. This incident and others made FS realize that, while synchronous (instant) replication across a network meets availability needs, it also faithfully propagates whatever a cyber-attack does to the primary copy, so a single compromise can impact multiple systems across a network in seconds.

In 2018, this resulted in a trend to develop air-gapped, asynchronous data storage and recovery solutions: copies that are not continuously connected to production and that lag it deliberately, so that critical assets survive an otherwise catastrophic event and can be recovered in a timely manner.

It also accelerated the development of new forms of industry collaboration, most notably Sheltered Harbor, a US not-for-profit FS-led initiative that aims to mitigate the risk of contagion in the event of a catastrophic cyber-attack.

Member organizations make regular copies of consumer account data in a standard format and, if a major disruption brings down one member bank, another bank can take over, restore accounts, and continue to serve customers. Will Sheltered Harbor also align with the operational resilience goals of UK regulators? 

Red Dawn for Robust Readiness
Regulatory interest in resilience was also demonstrated via emerging frameworks for intelligence-led red-teaming. These are gaining traction in FS – in the EU (TIBER-EU), the UK (CBEST), Hong Kong (iCAST) and Singapore (Adversarial Attack Simulation Exercises). Under these schemes, national supervisors have the testing scenarios grounded in threat intelligence about real attacks on the sector, with the goal of improving resilience.
 
This approach – undertaking practical assessments to obtain empirical evidence of an organization's cyber capabilities, rather than relying on self-attestation – is being widely adopted by supervisors and oversight bodies across other critically important sectors.

In the UK, the CBEST scheme has successfully raised the profile of cyber risk at the board level. Regulators are seeking to encourage similar approaches in other sectors, including telecommunications (TBEST), government (GBEST) and space (SBEST). Have you learnt from the insights of red team testing in your organization?

Sandboxes Offer Startups Steady Support 
UK regulators are developing new approaches to cyber risk management using regulatory sandboxes. The sandbox run by the FCA provides a better understanding of the opportunities, and the risks of harm, that innovation can create. The ICO is watching the FCA's experiment and is currently calling for evidence and initial views on creating its own regulatory sandbox, with a focus on products and services that use personal data in innovative ways.

The increasing maturity of the UK’s cybersecurity startup environment – demonstrated most recently through the launch of the UK Govt-funded London Office for Rapid Cybersecurity Advancement (LORCA) – means that there is growing support for clever ideas that can help to address real FS cybersecurity problems. How are you connected into the innovation pipeline to solve the cyber risk problems of today and tomorrow?

Faults and Failures Face Fines 
Late in 2018, the FCA fined a UK financial organization over a November 2016 cyber-attack. The FCA noted that the incident was foreseeable, and the penalty was issued for failing to exercise due skill, care and diligence. Notably, the FCA found that the response lacked sufficient rigor, skill and urgency.

This is the first time in more than 18 months that the FCA has levied a penalty for a data breach. It provides a clear signal that the FCA accepts data breaches are inevitable, but sees the response to those breaches as crucial and as a core element of post-incident regulatory assessment. Have you rehearsed your incident response, so that you can be confident of responding promptly when it matters?

Cloudy with a Chance of Contagion
Amongst all the regulatory trends, 2018 also witnessed a turning point in cloud computing, with the majority of FS organizations adopting a cloud-first strategy. As a result, regulators are expressing concern about concentration risk: if a significant number of FS organizations rely on the same few cloud service providers, an outage or compromise at one provider could affect much of the sector at once.

While this risk can be managed through more rigorous monitoring and information sharing, organizations may find that confidentiality restrictions in their provider contracts limit their ability to obtain true clarity on where concentration risk actually lies.

Recommendations
As 2018 comes to a close, what lessons can be identified from the past 12 months? Incidents are inevitable, even in the best organizations, so improving cyber resilience has become a key regulatory priority, and regulators are looking for robust red-teaming and close industry collaboration to achieve it. They are starting to assess organizations more on how they deal with an incident, and less on the fact that an incident happened.

What are you doing to prepare for these changes?
