Financial Sector Cyber Resilience Workshop

Mexico City, 6-7 November 2019


The Center for Latin American Monetary Studies (CEMLA) and the World Bank Group organized the Regional Workshop on Financial Cyber Resilience in Mexico City, Mexico on November 6 and 7, 2019. The Workshop was attended by over 70 participants representing Latin American and Caribbean central banks, international organizations and Mexican industry representatives.

The objective of the Workshop was to discuss policy and practical experience related to cyber resilience, with emphasis on regional developments and the European Central Bank's cyber resilience framework.

Session I - International frameworks for cyber resilience in the financial sector

This session was devoted to identifying the most relevant standards and international guidance that the financial sector is using to deal with cyber threats. Participants discussed how regulators have increased their efforts on cyber resilience thanks to best practices and international standards such as the G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector, the CPMI-IOSCO Cyber Guidance and the NIST framework, among others.

During this session, it was discussed that harmonizing practices at a global scale will be key to ensuring that financial authorities set up a common shield against organized cybercrime. There was also extensive discussion of which concepts and approaches should be considered minimum requirements for protecting the international financial sector against cyber risk.

Session II - Developing and implementing a national cyber resilience strategy for the financial sector

This session served to showcase how a central bank can establish a national strategy with key financial industry stakeholders to embrace cyber concerns with a multilateral perspective. This approach is relevant given that the financial system is comprised of different types of entities, ranging from banks to financial market infrastructures to critical service providers. Given the potential impact of a cyber incident on the increasingly interconnected system, it is important that authorities develop and implement national cyber resilience strategies for their respective financial sector, encompassing a range of tools and initiatives, in an integrated and holistic manner.
In this respect, the experience of Mexico has been remarkable: it shows that paying greater attention to overseeing data transmission channels and providers, and fostering cyber intelligence sharing among market infrastructures, financial entities and third-party service providers, both underpin the capacity for incident prevention and response.

Session III/IV - Cyber Resilience Oversight Expectations (CROE) for FMIs (I and II)

This set of sessions was led by the European Central Bank (ECB) and focused on the presentation of the framework entitled the Cyber Resilience Oversight Expectations (CROE). The CROE is the policy toolkit that the ECB developed by elaborating on the CPMI-IOSCO Cyber Guidance for Financial Market Infrastructures.

This session provided an in-depth technical perspective on the different elements of the CROE, combining technical concepts with oversight and supervisory approaches. The concepts highlighted across the sessions correspond to the elements that comprise the CROE framework, namely: Governance, Identification, Protection, Detection, Response and Recovery, Testing, Situational Awareness, and Learning and Evolving.

Session V - Legal and regulatory aspects of cybersecurity

This session presented various legal and regulatory issues around cyber resilience, including those related to data protection and concerns about the loss of information assets caused by cyber events. Among the examples elaborated in the session were electronic theft and data corruption, especially those affecting the financial sector's end users.

Overall, this session provided an overview of the types of legal considerations that authorities should bear in mind to foster adequate risk management frameworks at financial institutions and other industry players, with the aim of ensuring data and cyber security.

Session VI - Roundtable: Existing efforts and practices of cyber resilience in Latin America and the Caribbean

This roundtable focused on learning from the existing arrangements, practices and efforts of central banks and banking supervisory authorities in running a cyber security strategy. In particular, it sought to learn from the governance and institutional arrangements that lay the foundations for an effective cyber resilience framework.

During this roundtable, participants presented and discussed how each central bank may decide which monitoring and policy tools are necessary to face a growing number of cyber threats. More broadly, the roundtable helped participants better understand the importance of harmonizing practices on a cross-border basis and of developing a threat intelligence framework that reaches across borders.

Keynote presentation: CPMI Strategy on “Reducing the risk of wholesale payment fraud related to endpoint security”

This special presentation was facilitated by one of the Co-Chairs of the CPMI Working Group on wholesale payments security. The CPMI Strategy on "Reducing the risk of wholesale payment fraud related to endpoint security" provides a common ground for central banks worldwide to raise awareness of the negative effects of cyber and fraud risk on systemically important payment systems. In particular, the strategy is intended to promote adherence by the participants and operators of the wholesale interbank funds transfer systems in each country.

It was underlined in the presentation that the endpoints of each wholesale payment system around the world represent a link in the chain. It is therefore important that global efforts are taken to fight cybercrime and, with that, to work towards enhanced cyber security at the individual institution level while also contributing to a safer and better prepared ecosystem.

Session VII - Enhancing financial sector resilience – exercising, mapping and collaboration

In this session, the central banks of Argentina and Canada elaborated on how their respective institutions have gained knowledge and raised awareness of cyber risk by taking a more practical approach to cybersecurity exercising.

The presentations made at this session showed the importance of the interconnectedness of the financial system as a trigger for broader, sector-wide cyber resilience as a collective effort. Both central banks explained the institutional and practical aspects of carrying out market-wide exercises to fully understand operational interdependencies through mapping, as well as the cross-authority collaboration needed for incident response and for building upon the experience of exercising.

Session VIII - Cyber testing – Threat intelligence based ethical red-teaming – how and why

This session provided detailed insight into testing and how authorities can adopt it for their financial system. It focused on red-teaming exercises and on how a threat intelligence framework is useful for updating a cyber resilience framework.

It was extensively discussed that, to test the effectiveness of a strategy, central banks and core actors should establish intelligence-led red team testing frameworks for their financial market, as well as other types of testing techniques that allow them to identify weaknesses in people, processes and technologies. It was concluded that central banks need to equip themselves with the staff and collaboration schemes to develop intelligence-led red team testing, thereby helping financial entities and other stakeholders to assess their protection, detection and response capabilities.

Session IX - Building trust through public-private partnerships

This session helped to set out how relevant it is to build public-private partnerships to deliver effective collaboration in the financial sector. There were two presentations, one delivered by a private sector representative and the other by a central bank. Both presentations focused on the need for better coordination and communication in order to deal with the rapidly evolving threat landscape and with increased digitalization and globalization.

It was stressed that there is a real need for all the relevant stakeholders (which include regulators, financial entities and the cybersecurity sector) to establish domestic, regional and international channels to exchange ideas at a strategic and Board level on how best to tackle the new cyber challenges. It was mentioned that CEMLA has developed a community of regional central banks that has helped to share best practices and tools, encourage information sharing, and identify gaps and weaknesses in the ecosystem which require collaborative thinking to catalyze effective solutions in the Latin American and Caribbean financial sector.

Session X - Incident Response

This session was devoted to discussing a case study on lessons learned after recovering from an incident, which illustrated the key elements of a strategy to avoid loss of trust and reputational risk.

It was presented and then discussed that focusing exclusively on prevention provides only a partial solution to cyber resilience, while responding to an incident requires a framework that addresses incident classification, escalation, coordination and communication strategies. Therefore, it is important that detection and testing become key aspects of the security controls and framework led by financial entities. It was concluded that all the above is of particular relevance for systemically important financial infrastructures.

Session XI - Fundamental principles of cyber information and intelligence sharing

This session set out how authorities can approach and foster information sharing practices within their jurisdictions, focusing on: the core objectives of information sharing; what levels, types and attributes of information should be shared (within a common taxonomy); who such information should be shared with; when (in terms of frequency) such information should be shared; the format for sharing such information; and how such information should be shared.

It was extensively discussed that cyber threats are borderless, evolving, readily scalable and increasingly sophisticated, threatening to disrupt an ever more interconnected global financial system. Consequently, financial entities are required to be dynamic and agile in addressing cyber risk.

Session XII - How to Conduct an Incident response and crisis management exercise

This session was devoted to learning from the World Bank's Crisis Simulation Exercises, with a focus on a critical dimension of the crisis management process: communication among decision-makers. It provided a general overview of what a cyber crisis simulation comprises, involving scenarios that require participants to understand and respond to cyber incidents, to take the business continuity decisions that they cannot delegate to IT staff, and to deal with the impact on the affected institutions and the rest of the financial system.

This session provided an opportunity for financial sector authorities and senior market participants to discuss the relevance of critical decisions within existing legal and operational crisis management arrangements. It was concluded that identifying the problems to be solved requires timely and precise information sharing between those with access to the relevant facts and those with the legal powers and technical knowledge to enhance crisis management after a cyber incident.

Welcoming remarks
Serafín Martínez Jaramillo, CEMLA
Aquiles Almansi, The World Bank

Session I - International frameworks for cyber resilience in the financial sector
Joshua Magri, Bank Policy Institute
Vijay Mauree, ITU

Session II - Developing and implementing a national cyber resilience strategy for the financial sector
Alejandro De los Santos, Banco de México
Luis Urrutia, Banco de México

Session III - Cyber Resilience Oversight Expectations (CROE) for FMIs (I)
Emran Islam, European Central Bank
Constantinos Christoforides, European Central Bank

Session IV - Cyber Resilience Oversight Expectations (CROE) for FMIs (II)
Emran Islam, European Central Bank
Constantinos Christoforides, European Central Bank

Session V - Legal and regulatory aspects of cybersecurity
Jesús Yáñez, ECIJA Abogados, España
Pablo Palazzi, Universidad San Andrés, Argentina
Jonathan Mendoza, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales

Session VI - Roundtable: Existing efforts and practices of cyber resilience in Latin America and the Caribbean
Raúl Morales, CEMLA

Keynote presentation: CPMI Strategy on “Reducing the risk of wholesale payment fraud related to endpoint security”
Lawrence Sweet, CPMI Member

Session VII - Enhancing financial sector resilience – exercising, mapping and collaboration
Andrew Griffiths, Bank of Canada
Mara Misto, Banco Central de la República Argentina

Session VIII - Cyber testing – Threat intelligence based ethical red-teaming – how and why
Emran Islam, European Central Bank

Session IX - Building trust through public-private partnerships
Martin Boer, Institute of International Finance
Emiko Hidaka, Banco Central de la República Dominicana

Session X - Incident Response
Wilson Henríquez, Equifax
Aquiles Almansi, ICCR

Session XI - Fundamental principles of cyber information and intelligence sharing
Alejandro De los Santos, Banco de México
Kristel M. de Nobrega, Centrale Bank van Aruba

Session XII - How to Conduct an Incident response and crisis management exercise
Aquiles Almansi, World Bank

Closing remarks
Banco de México, The World Bank and CEMLA
Serafín Martínez Jaramillo, CEMLA


Josh Magri, BPI
Josh is the principal architect and co-lead of the FSSCC Cybersecurity Profile initiative. Additionally, he serves as SVP and Counsel for BITS at the Bank Policy Institute. Previously, he served as Vice President and Counsel for Regulation and Developing Technologies at the Financial Services Roundtable/BITS. In these roles, Josh has overseen regulatory, advocacy, and policy efforts on issues related to cybersecurity, data security and privacy, financial technology (“FinTech”), and developing technologies.

Vijay Mauree, ITU
Vijay Mauree joined the ITU headquarters in Geneva in 2010. He is currently the main focal point for Digital Financial Services at the Standardization Bureau in ITU. He has coordinated the work of the ITU-T Focus Group on Digital Financial Services, the ITU-T Focus Group on Digital Currency including Digital Fiat Currency, and the Financial Inclusion Global Initiative (FIGI). Prior to joining ITU, Vijay worked for 16 years at the National Computer Board in Mauritius, where he was responsible for setting up the Mauritius Computer Emergency Response Team (CERT-MU) and the Government Data Centre, and played a leading role in the elaboration of the National ICT Strategic Plan.

Emran Islam, Market Infrastructure Expert, ECB
Emran is a Senior Market Infrastructure Expert at the European Central Bank (ECB). In his role, Emran coordinates the cyber resilience work for the Eurosystem. He was part of the team that developed TIBER-EU and the Cyber Resilience Oversight Expectations (CROE), established the Euro Cyber Resilience Board, developed and operationalized the market-wide cyber exercise (UNITAS), and is currently developing the Cyber Incident and Information Sharing Initiative (CIISI-EU). Emran participates in various international groups, including the G7 Cyber Expert Group, the CPMI Task Force for Reducing the risk of wholesale payments fraud related to endpoint security, the FSB Cyber Lexicon Working Group, the CPMI-IOSCO Cyber Working Group, the ESRB Systemic Cyber Working Group and the World Bank FIGI. He was involved in the G10 Oversight of SWIFT and was the overseer of STEP2-T and EURO1. Prior to joining the ECB in 2015, Emran worked at the Bank of England for 5 years, where he was the supervisor of CHAPS, Bacs and FPS, as well as leading the cyber work for UK FMIs.

Constantinos Christoforides, Market Infrastructure Expert, ECB
Constantinos is a Market Infrastructure Expert at the European Central Bank (ECB), whose role and main area of expertise is the continuous monitoring and evolution of the cyber resilience of Target Services, the FMIs operated by the Eurosystem. Prior to joining the ECB, Constantinos worked at the Central Bank of Cyprus for 6 years, where he was the Bank's Information Security Officer; during his employment he led specialized cyber security missions for Banking Supervision, co-drafted banking regulation on information security, led tasks relating to crisis management and bank resolution activities, and led eDiscovery/forensic investigations for international disputes. Constantinos was also part of the Task Force on National Critical Infrastructure. Constantinos is a Certified Information Systems Auditor, Certified Information Systems Security Professional and Certified in Risk and Information Systems Control.

Mara Misto, Banco Central de la República Argentina
Mara Misto Macías is currently strategic manager for information security at the Banco Central de la República Argentina (BCRA). Her duties include the issuance of BCRA regulation on information technology and security, and the coordination of cyber and crisis simulation exercises and the assessment of their impact on financial stability. Mara is a professor of Strategic Management in Information Security at the Universidad de Buenos Aires.

Pablo A. Palazzi, Universidad San Andres, Argentina
Pablo is a partner at Allende & Brea, Argentina. He is an expert in the areas of intellectual property and internet law, including data protection. Mr. Palazzi is the author of several publications, including Data Protection Law (Errepar, 2005), Credit Reporting Law (Astrea, 2008), Unfair Competition Law (Heliasta, 2014) and Computer Crimes (Delitos informáticos, Abeledo, 2016, 3rd edition).

He holds a Law degree from the School of Law of Universidad Católica Argentina and a Master of Laws (LL.M.) from Fordham Law School in New York. Pablo is an adjunct professor at the School of Law of Universidad de San Andrés, where he teaches courses in IP law and Internet law.

Lawrence M. Sweet, Federal Reserve Bank of New York
Lawrence M. Sweet is Senior Vice President and Senior Payments and Market Infrastructure Policy Advisor at the Federal Reserve Bank of New York. Mr. Sweet has been a member of the Committee on Payments and Market Infrastructures (“CPMI”, formerly “CPSS”) since 1991, and he currently co-chairs the CPMI Wholesale Payments Security Task Force. He is a member of both the CPMI-IOSCO Steering Group and the CPMI-IOSCO Policy Standing Group, and he was a co-author of the CPMI-IOSCO Principles for Financial Market Infrastructures.

Mr. Sweet is a member of the Federal Reserve’s Financial Market Utility Supervision Committee, and a member of a number of other domestic and international committees. Mr. Sweet studied economics at Rutgers College (BA) and Columbia University (MA and M.Phil), and has written and lectured extensively in the field of payments policy and oversight.

Jesús Yáñez, ECIJA Abogados, Spain
Jesús is a partner in the areas of risk and regulatory compliance in Cybersecurity, Privacy and Data Protection, and has more than sixteen years of experience in technical and legal advice in these areas of practice. In recent years Jesús has led major consulting and legal advisory projects of international scope for large accounts in the fields of Information Security, Compliance and New Technologies. Jesús is CISA and CISM certified by ISACA and is an auditor certified by IRCA.

He holds a Law Degree from the University of Valladolid, a Master in Law of New Information and Communication Technologies from the Pontifical University of Comillas, and a Higher Course in Computer Security and Systems from the Rey Juan Carlos University of Madrid.

Jonathan Mendoza, INAI, México
Jonathan Mendoza Iserte is Secretary for Personal Data Protection of Mexico's National Institute for Transparency, Access to Information and Personal Data Protection (INAI), where he has also held different positions since 2014, including Director General of Investigations, Inquiries and Verification on Personal Data Protection for the Private Sector. Prior to INAI, Mr. Mendoza worked as an adviser in the Electoral Court of the Federal Judicial Branch of Mexico and was an associate lawyer in the law firm Basham, Ringe & Correa, S.C. He also did his professional practice in different Public Notary Offices in Mexico City.

Jonathan holds a Master's degree in Law from Centro de Estudios de Posgrado en Derecho and a Bachelor of Law from the Universidad Nacional Autónoma de México.

Alejandro De Los Santos, Cybersecurity Director, Banco de México
Alejandro is currently the Cybersecurity Director at Banco de México. Among his responsibilities, he develops policies, guidelines and strategies to maintain and reinforce information security and cyber resilience, both for the Central Bank and for the Mexican financial system, and acts as the CISO for Banco de México.

He joined Banco de México's Payments Systems department in 1995 and was part of the group that designed and implemented SPEI, the Mexican Real-Time Electronic Transfer System; he also participated in the redesign of the Securities Settlement System managed by the Mexican Central Deposit (Indeval). He was head of the Payment Systems Policy and Oversight unit.

Between 2012 and April 2018, he was the IT Director for Banco de México, where he was responsible for the management and operations of the IT infrastructure, including data centers and telecom networks, and was in charge of the development of enterprise applications. He was also responsible for the Bank's IT security tools and protection.

Luis Urrutia, Legal Director, Banco de México
Luis Urrutia has been the general counsel of Mexico's central bank, Banco de México, since February 2013. Prior to becoming general counsel, he served as Director of Regulation and Supervision of the central bank from 2010.

He also held the position of President of the Financial Action Task Force (FATF) in 2010-2011, and Vice-President in 2009-2010. In addition, Mr. Urrutia headed the Financial Intelligence Unit of the Mexican Ministry of Finance and Public Credit from 2007 to 2010. From 2009 to 2010 he chaired the association of financial intelligence units known as the Egmont Group, and in 2008 he acted as President of the Financial Action Task Force of South America (GAFISUD).

Previously Mr. Urrutia acted as Deputy Federal Fiscal Attorney for Financial Affairs in the Ministry of Finance for four years. Mr. Urrutia holds a law degree from the Instituto Tecnológico Autónomo de México (ITAM), and a master’s degree in public policy from the Irving B. Harris Graduate School of Public Policy Studies of the University of Chicago.

Andrew Griffiths, Bank of Canada
Manager of Secretariat, Canadian Financial-Sector Resiliency Group; Senior Analyst, Resolution and Crisis Preparedness, Financial Stability, Bank of Canada.

Andrew Griffiths leads the Secretariat function for the Canadian Financial-Sector Resiliency Group (CFRG), a public-private partnership seeking to enhance operational resiliency across the financial sector by identifying sources of sector-wide operational risk and developing recommendations to address them.

Prior to this, Andrew spent several years in the Banking Operations function at the Bank of Canada, where he developed a specialty in continuity of operations for the Canadian payment clearing and settlement systems. In 2017, Andrew played an integral role in the design and execution of a national systemic-level operational exercise which focused on escalation, coordination and communication within the financial sector.

Andrew holds a Master of Business Administration from the University of Ottawa's Telfer School of Management (Executive MBA program).

Martin Boer, Director of Regulatory Affairs at The Institute of International Finance
Martin Boer is the Director of Regulatory Affairs at The Institute of International Finance, a global association of the financial industry with close to 450 members from 70 countries. He advocates on regulatory consistency, market fragmentation, impact assessment, prudential capital and liquidity standards, insurance regulation, and non-bank/non-insurance regulatory issues. He is also the IIF lead on Cyber Security, including regulatory developments, operational resilience, and the impact on financial institutions and overall financial stability.

He previously served as Secretary General of the European Financial Services Round Table (EFR) in Brussels, and held various positions at ING Group, as Group Head of Public Relations in Amsterdam and as Senior Manager of Public and Government Affairs in Brussels. Mr. Boer holds a B.A. in Philosophy from UC Santa Barbara and an M.A. in International Political Economy from the School of International and Public Affairs at Columbia University in New York.

Aquiles Almansi, Lead Financial Sector Specialist, World Bank
Aquiles Almansi is a Lead Financial Sector Specialist at the World Bank. Before joining the World Bank in 2002, Almansi was a Member of the Board at the Central Bank of Argentina, held senior positions at Citigroup Asset Management Argentina, INVESCO Asset Management Latin America and Banque Nationale de Paris-New York, and served as a consultant for Citibank's Latin America Training Center, Merrill Lynch and several Argentine banks. He has also lectured in Economics and Finance at the Universities of Chicago and Michigan-Ann Arbor in the US, and at CEMA, San Andrés and Di Tella in Argentina. He holds M.A. and Ph.D. degrees in Economics from the University of Chicago, and graduate and undergraduate degrees in Economics from CEMA and UNR in Argentina. Since 2009, Almansi has led more than 40 single- and multi-jurisdiction financial crisis simulation exercises.

Kristel de Nobrega, Centrale Bank van Aruba
Kristel de Nobrega is Manager Information Security at the Centrale Bank van Aruba. In addition to the responsibility of securing the Central Bank's information systems, her department is also responsible for IT supervision.

Additionally, the Centrale Bank van Aruba forms part of the National Cyber Security Task Force, which is in charge of setting up the national cyber response.

Kristel holds a Master's degree in Information Management and IT Auditing, and is a Certified Fraud Control Manager. She is currently pursuing her PhD in Cyber Security/Cyber Defense.

She has extensive experience in various industries, namely healthcare, consulting and banking.

Emiko Hidaka, Central Bank of the Dominican Republic
Ms. Hidaka is an Information Technology professional with more than 22 years of professional experience in the areas of technology infrastructure management, web development, cybersecurity and digital identity.

Since 1997, she has been part of the team of the Central Bank of the Dominican Republic, holding several positions in the Department of Systems and Technology. As part of the Automation Division, she was responsible for managing the web portal, the intranet and the institutional email. In 2011 she began leading the Division of Access Management, and after the creation of the Department of Cyber and Information Security in 2018, she has served as Deputy Director of Identity Management, where, in addition to access management, she is responsible for managing the digital identity of all the organization's staff.

Finally, Ms. Hidaka is responsible for leading efforts to define standards and procedures, and to drive the adoption of standards, for the management, monitoring and evaluation of the BCRD Information Security Management System.

Wilson Henriquez, Equifax
Wilson Henriquez is the Vice President for International Business Security at Equifax. He has overall responsibility for information security, data protection and vulnerability management in Equifax’s International business space.

Wilson brings more than 20 years of cyber security, risk management and technology experience to this role. Before joining Equifax, Wilson was the Executive Director of Security Innovation & Transformation at Kaiser Permanente. Wilson was a Senior Director for Global Information Security at Visa Inc. where he was responsible for the development and oversight of their secure software development program. Wilson is a graduate of the University of San Francisco and holds a M.S. in Computer Science.

Mr. Armando Manzueta, Central Bank of the Dominican Republic
Armando Manzueta is part of the team of the Department of Cyber Security and Information of the Central Bank of the Dominican Republic, where he collaborates in the development, monitoring and evaluation of cybersecurity regulations for the financial system. Armando has more than 8 years of professional experience in the public and private sectors in the areas of software development, cybersecurity, entrepreneurship, productive development, innovation and international cooperation management.

He has contributed to the development of national strategies for the promotion of SMEs and entrepreneurs, the development of the software and ICT services industry, and cybersecurity. Likewise, he has worked with different international agencies on development projects, such as the IDB, Taiwan ICDF, the European Commission and JICA, and also performs voluntary work on the construction and strengthening of digital entrepreneurial ecosystems in different verticals (AgTech, EdTech and Fintech), training young people on issues related to the United Nations 2030 Agenda and other social matters through the Global Shapers Initiative of the World Economic Forum.

CEMLA and The World Bank, with the sponsorship of the Financial Inclusion Global Initiative, arranged the Financial Sector Cyber Resilience Workshop as a regional effort to disseminate and exchange best practices on cyber security.