
CEMLA-FSI-ASBA Meeting on Cyber Security

November 3 and 4, 2020.

 

CEMLA and FSI host regional training and policy discussion events on financial stability for Latin American and Caribbean central banks. The policy discussion meetings are aimed at senior staff to exchange experiences and views on key financial stability and related issues.

The Center for Latin American Monetary Studies (CEMLA), jointly with the Association of Banking Supervisors of the Americas (ASBA) and the Financial Stability Institute (FSI) of the Bank for International Settlements, organized the Meeting on Cyber Security on November 3 and 4, 2020.

The (digital) Meeting was attended by over 70 participants representing 32 Latin American and Caribbean central banks and financial supervisory agencies.

The objective of the Meeting was to update the regional community on recent practices and policy developments in cyber security, particularly in the areas of cyber resilience testing and cyber incident response and recovery.

 

Session 1. Cyber resilience testing

This session focused on discussing developments in cyber range, tabletop, and threat-led penetration exercises, and their importance in building capacity in central banking and financial supervision for cyber resilience testing.

It was widely discussed that, to test the effectiveness of a cyber resilience framework, authorities and other key stakeholders in the financial system should carry out a wide range of testing exercises based on specific targets. This would allow central banks and to identify in detail weaknesses across a wide range of endpoints.

Moreover, it was underscored that preparedness is a central piece in cyber resilience. The criticality of certain services and infrastructures in the financial system makes it extremely important to resort to in-depth and lively testing to assess how well the financial system’s participants, authorities and other related parties are prepared for stealthier and aggressive cyber attacks.

It was concluded that, to enhance cyber testing practices, it is of the greatest relevance to have identified the range of objectives, exercises and resources, and to coordinate and communicate in an effective manner.

 

Session 2. Cyber incident response and recovery

This second session of the meeting was devoted to exchanging views on cyber incident response and recovery, more specifically on domestic approaches and international guidance on how to build cyber resilience by deploying response and recovery measures under the leadership of central banks and financial supervisory agencies.

It was noted that information sharing, mitigation and restoration are some of the most relevant capacities that need to be developed to achieve cyber incident response and recovery. At the same time, the importance of becoming increasingly resilient to support financial stability goals in case of cyber incidents was also acknowledged.

It was discussed that responding to cyber incidents requires a framework that addresses classification of incidents, escalation, coordination and communication strategies. Therefore, it is important that detection and testing become key aspects of the security controls and framework led by financial entities. It was concluded that all of the above is of particular relevance for systemically important financial infrastructures.

 

Takeaways

The organizers concluded that the meeting exceeded the expectations set and allowed regional central banks and financial supervisory agencies to enhance their awareness of the role of coordination among authorities, and that further action will continue to be necessary toward achieving a sound cyber resilience framework, domestically and overseas.

 

Tuesday 3 November

 

Cyber resilience testing

Welcome and introduction

- Pascual O’Dogherty, ASBA

- Raul Morales, CEMLA

- Jermy Prenio, FSI, BIS

 

Presentations by speakers

- Sameh Mekhail, BIS (experience with cyber range exercises)

- Mara Misto, Central Bank of Argentina (cyber resilience exercises in Argentina)

- Wiebe Ruttenberg, ECB (undertaking an effective red team testing)

Q&A

 

Wednesday 4 November

 

Cyber incident response and recovery

Welcome and introduction

- Pascual O’Dogherty, ASBA

- Raul Morales, CEMLA

- Jermy Prenio, FSI, BIS

 

Presentations by speakers

- Joshsua James González Díaz, SFC Colombia (supervisory expectations and practices in Colombia)

- Martin Boer, IIF (overview of CIRR practices of global banks)

- Yasushi Shiina, FSB (main elements of the CIRR consultation)

Q&A

 

Sameh Mekhail (BIS)
Sameh is a Senior Security Professional at the Cyber Resilience Coordination Centre (CRCC) at the Bank for International Settlements (BIS). He is responsible for the BIS CRCC custom-built cyber range exercises as well as for performing outreach cyber resilience activities for the central bank community. He also leads the cyber advanced analytics team developing advanced detection techniques using machine learning and AI and acts as a tier-3 cyber security analyst.

Sameh is CISSP and CISA certified and holds a BSc in Computer Science and an MBA in Corporate Strategy from the University of Strathclyde.

 

Mara I. Misto Macías, Senior Manager, Information Security Standards for Financial Institutions
Mara Misto Macías has been senior manager on information security standards for financial institutions at the Banco Central de la República Argentina (BCRA) since 2018. Her duties include the issuance of regulation on information technology and information security by the BCRA, and the coordination of cyber and crisis simulation exercises and their impact on financial stability. Previously, she held the position of CISO at the Central Bank of Argentina, which she joined in 2005.

Mara Misto Macías holds an academic degree in Computer Science, and a graduate degree in Management Development from Universidad de Buenos Aires (UBA). In addition, she obtained a graduate degree in Information Security and Cryptography from Instituto de Enseñanza Superior del Ejército (IESE).

Misto Macías is a professor of Strategic Management in Information Security I in the Information Security graduate program of Universidad de Buenos Aires and a professor of Cybersecurity Management and strategy at University of CEMA.

 

Wiebe Ruttenberg, Senior Adviser, DG Market Infrastructure & Payments, European Central Bank
Wiebe Ruttenberg started his career in 1994 as a Policy Adviser to the Minister of Finance of the Netherlands on Energy, Telecom and Infrastructure Issues.

In 1999 he joined De Nederlandsche Bank (DNB) to become Project Secretary for the National 2002 Euro Changeover Project. After finalisation of the euro changeover he became Head of the Payments Policy Department at DNB.

From 2006 till 2015 Wiebe Ruttenberg was Head of the Market Integration Division at the European Central Bank, driving policy issues from an integration and innovation perspective on payments, securities and collateral. The creation of the Single Euro Payments Area (SEPA) was under his responsibility. He was also a member of the Market Infrastructure & Payments Committee of the European System of Central Banks (ESCB), chaired its Payment Systems Policy Working Group and managed the Secretariat of the Euro Retail Payments Board.

Currently he holds the position of Senior Adviser, focusing on technological innovation and cyber resilience within the financial sector. He chairs the ESCB Task Force on Cyber Resilience Strategy for Financial Market Infrastructures, manages the Secretariat of the Euro Cyber Resilience Board and is a member of the European Systemic Cyber Group of the European Systemic Risk Board. The European cyber testing program TIBER-EU and the European Cyber Information and Intelligence Sharing Initiative (CIISI-EU) are under his responsibility.

 

Joshsua Gonzalez, SFC Colombia
Joshsua González Díaz has been an adviser since 2017 for the Operational Risk and Cybersecurity Department of the Financial Superintendence of Colombia (SFC). His work is related to the evaluation and diagnosis of cybersecurity and business continuity in the supervised entities. He also participates in the development of standards and circulars related to these aspects. Additionally, he works as a research professor at different universities in Colombia such as Los Andes University, Javeriana University and University Externado of Colombia, and international ones such as the National University of Asunción.

Joshsua is a Systems Engineer from the Pontificia Universidad Javeriana and holds two MSc degrees, one in Information Security from Los Andes University and the other one in Computer Law from the University Externado of Colombia.

 

Mr. Martin Boer, Director of Regulatory Affairs, Institute of International Finance (IIF)
Martin Boer is the Director of Regulatory Affairs at the IIF. He advocates and contributes to the IIF work on regulatory consistency, impact assessment, prudential capital and liquidity standards, insurance regulation and the growing area of non-bank/non-insurance regulatory issues. He is also the IIF lead on issues surrounding Cyber Security, including regulatory developments and the impact on financial institutions and overall financial stability.

Mr. Boer previously served as the Secretary General of the European Financial Services Round Table, a Brussels-based industry organization comprising the CEOs and Chairmen of Europe’s 22 leading banks and insurance companies. Before that he served in various positions at ING Group, as the Global Head of Public Relations in Amsterdam and a Senior Manager of Public and Government Affairs in Brussels. He has also worked as a consultant for UNDP in Namibia and as a journalist at The Financial Times and Bloomberg News. Mr. Boer holds a B.A. in Philosophy from the University of California, Santa Barbara and a Master’s Degree in International Political Economy from Columbia University in New York.

 

Yasushi Shiina, Member of the Secretariat, Financial Stability Board
Yasushi Shiina has been a member of the Secretariat at the Financial Stability Board (FSB) since August 2010. He has been supporting the work on supervisory and regulatory cooperation, non-bank financial intermediation, and cyber resilience at the FSB. Prior to joining the FSB Secretariat, he was director for international banking regulations at the Financial Services Agency of Japan (JFSA) and was the JFSA's representative on key Basel Committee on Banking Supervision (BCBS) working groups. He has also chaired BCBS work on ratings and securitisation as well as Pillar 3 (public disclosure). At the JFSA, he has also been involved in supervision of financial institutions and served as a JFSA representative on the Senior Supervisors Group. Before joining the JFSA in 2002, he worked as a policy staff member at the Bank of Japan and as a consultant at the Boston Consulting Group.

Mr. Shiina received degrees from the London School of Economics and from Keio University in Tokyo. He also received a Master of Law from Keio University, an M.B.A. from INSEAD and an MSc in finance from London Business School.

 
