IMF-CEMLA-ASBA Workshop: Achieving cyber resilience in the post-COVID era in Latin America and the Caribbean

June 23, 2021
Videoconference

 

 

The Center for Latin American Monetary Studies (CEMLA), the International Monetary Fund (IMF) and the Association of Supervisors of Banks of the Americas (ASBA) organized the “IMF-CEMLA-ASBA Workshop: Achieving cyber resilience in the post-COVID era in Latin America and the Caribbean” to provide a forum for discussing the key areas of focus going forward, so that regulators and the financial sector can enhance their cyber resilience within the new post-COVID paradigm.

 

This joint Workshop was aimed at bringing together central banks and financial supervisory authorities to discuss the most relevant concerns and challenges in protecting cybersecurity in Latin American and Caribbean financial systems during and after the COVID-19 pandemic. The agenda comprised the following topics: 1) Overview of cyber threat landscape and potential financial stability implications; 2) Building effective cyber regulation and supervision; 3) Approaches to building the cyber resilience of the financial sector including application of endpoint security strategy; and 4) Cyber Resilience Enablers: testing, exercises and information sharing.

The Workshop was attended by over 200 participants representing heads, senior staff and experts of cybersecurity and related areas from CEMLA and ASBA Associates.

Session 1. Overview of cyber threat landscape and potential financial stability implications

This session presented the context and evolution of the cybersecurity agenda for central banks and financial supervisory agencies. It was underlined that the financial system is dependent on digital financial infrastructure and cyberspace, leading to a complex and interconnected global financial ecosystem. This has resulted in an expanded attack surface. Not surprisingly, the presence of high-value assets and data in financial systems, together with this larger surface, has resulted in a growing number of incidents and threats. In particular, the high level of interconnectedness across financial institutions, markets and supporting infrastructures, and particularly the interdependencies of their IT systems, constitute the major challenge for effective regulation and supervision. The presentation also showed how major cyber incidents have displayed the capacity to spread widely, not necessarily constrained by geographical boundaries. Furthermore, attackers are becoming increasingly sophisticated, highly resourced and very persistent, making the financial system and the economy even more vulnerable to this type of operational disruption.

Session 2. Building effective cyber regulation and supervision

This session presented the foundational aspects that central banks and financial supervisory agencies need in order to respond to the challenging task of securing the financial system perimeter against sophisticated and stealthier cybercrime. In this respect, it was highlighted that central banks and financial authorities have an important mandate for financial stability; however, they are currently adapting to a very different environment, with an increasing number of complexities and new forms of risk that deserve a forceful response ahead. An effective cybersecurity framework is therefore necessary from a regulatory and supervisory point of view. More importantly, the macro perspective of a central bank should be at the forefront of the attention given to cyber-attacks at a national scale. Such an evolving framework should respond to the current state of development of the financial system as an interconnected operational network with multiple critical nodes. It also needs to pay special attention to the value of the data and services handled by institutions, markets and infrastructures, and to how critical such information and services are for the financial system and the overall economy.

Session 3. Approaches to building the cyber resilience of the financial sector

During this session, a group of senior representatives from Chile, Colombia, Dominican Republic and Mexico shared their experience in dealing with the challenges during the COVID-19 pandemic. The discussion showed that central banks currently have to go further in order to promote awareness and action against cyber risk. Central banks are required to have a more active role. The panel explained the change of paradigm in cybersecurity: it is no longer limited to network security, information system security and cybersecurity threats but must include information security control, and at the same time the change requires that the strategy focus on the information flow.

The session presented how central banks and financial authorities have been making efforts to address cybersecurity and cybercrime through General Provisions, Cyber Security Programs and the creation of mechanisms for defining immediate actions for the prevention and detection of cybersecurity incidents that affect the entities concerned.

The session concluded with an important discussion on post-pandemic challenges and their implications for cyber resilience, for instance the return to normal (or hybrid) processing, in which it will be crucial to strike a balance between safety and smooth operation. In this process, a high level of cyber resilience will remain necessary to successfully face any cyber threat ahead.

Session 4. Cyber resilience enablers: testing, exercises and information sharing

This final session highlighted the importance for central banks, financial authorities and the industry of having a good cooperation environment and supporting tools to manage and improve their practices on cyber testing and information sharing. This includes, but is not limited to: improving the incorporation of cyber risk into financial stability analysis; enhancing the consistency of regulation and supervision; improving response and recovery; strengthening information sharing; enhancing the deterrence of cyberattacks; and strengthening capacity development. These minimum features of a cyber resilience framework should be rigorously tested to determine their overall effectiveness before being deployed within a financial institution, and regularly thereafter. In effect, sound testing regimes should produce findings that are used to identify gaps in stated resilience objectives and provide credible and meaningful inputs to the financial institution’s cyber risk management process.

In closing the workshop, the importance of a continuous dialogue among central banks and financial authorities was underlined, in order to cope with the evolving challenges of an increasingly tech-intensive financial system.

 

Wednesday June 23, 2021

Welcome and Introduction

Opening Remarks

Introduction to the Workshop

Marina Moretti, IMF


Session 1. Overview of cyber threat landscape and potential financial stability implications

Tamas Gaidosch, IMF

 

Session 2. Building effective cyber regulation and supervision

Rangachary Ravikumar, IMF

 

Session 3. Panel: Approaches to building the cyber resilience of the financial sector including application of endpoint security strategy
  • Alejandro De Los Santos, Banco de México
  • Luis Figueroa, Comisión del Mercado Financiero
  • Miguel Ángel Villalobos, Superintendencia Financiera de Colombia
  • Ruddy Simmons, Banco Central de la República Dominicana / James Pichardo, Superintendencia de Bancos

 

Session 4. Cyber Resilience Enablers: testing, exercises and information sharing

Emran Islam, IMF

 

Tamas Gaidosch

A senior financial sector expert in the IMF’s Monetary and Capital Markets Department, he is a cybersecurity professional with more than 20 years’ experience, including probing banking systems to find cyber weaknesses. He formerly led the Information Technology Supervision Department at the Central Bank of Hungary.

 

Rangachary Ravikumar

Experienced Senior Level Central Banker - Expert in Off-site Supervision - Seasoned Bank Supervisor - Cyber Security and IT Examination in Banks - Financial Analysis - Risk Management. Experience in setting up Off-site supervision and analytical systems, Cyber Security and IT examination unit at Central Bank and implementing IT projects. Over three decades of multi-disciplinary experience. Proven leadership.

 

Alejandro De Los Santos

He is an actuary from the National Autonomous University of Mexico (UNAM) and obtained a doctorate in Applied Mathematics from the University of Toronto, in Canada. He has been working at the Bank of Mexico since 1995. After working 15 years in payment systems, designing optimization models and defining rules and policies for the SPEI system, Alejandro directed the Directorate of Systems where, among other things, he had the responsibility to operate and manage the technological infrastructure of the Bank and develop applications and systems, as well as responsibility for the information security of Banco de México. Since 2018, Alejandro has been in charge of the Cybersecurity Directorate, where his main function is to define strategies, policies and information security guidelines that will improve the maturity of cybersecurity and resilience of the Central Bank and the financial system.

Luis Figueroa de la Barra

The General Director of Prudential Regulation, he has a Master's degree in Economics from New York University in the United States and is a Business Engineer, with a major in economics, from the University of Chile.

He joined the former Superintendency of Banks and Financial Institutions (current CMF) in 2014 as Intendant of Regulation and, as of June 2019, served as Intendant of Regulation of Banks and Financial Institutions of the Commission. In 2021, after the new organizational structure of the Commission was inaugurated, he assumed the position of General Director of Prudential Regulation. He is also currently Chairman of the Technical Committee of the Association of Banking Supervisors of the Americas (ASBA), representing Chile.

He previously headed the Regulatory Office of the Superintendency of Pensions and was Head of the Financial Division of the same institution. He has been an Economist in the Financial Policy Division of the Central Bank of Chile; of the Department of Studies of the Superintendency of Securities and Insurance, and of the Department of Investments of the Ministry of Planning and Cooperation. He was a professor at the University of Chile and has several publications related to the capital market.

Miguel Ángel Villalobos

Superintendencia Financiera de Colombia, Office of the Delegate Superintendent for Operational Risk and Cybersecurity.

Ruddy Simmons

Director of Security & Cybersecurity Operation, Operational Security Management, Infrastructure Business Continuity, Identity Management, SOC/Cybersecurity.

James Pichardo

CISO - Superintendencia de Bancos, 15+ years of experience in cybersecurity and information security. Responsible for implementing the national cybersecurity strategy action plan in the Dominican Republic.

I'm an Electronics and Communications Engineer with a master's degree in Electronic Commerce. My Cybersecurity career evolved from Network Engineering and Systems Administration roles held previously.

Today I'm focused on making sure organizations of all sizes have an effective risk-based cybersecurity program, and achieve realistic resiliency levels.

Experience in multiple sectors and verticals: telecommunications, government, academy, financial and entertainment. Had the responsibility of managing the Information Security program for a FTSE 100 company in the online gaming business. This has given me a unique view into how Information Security works, allowing me to focus on pragmatic, achievable approaches for implementing Cybersecurity programs.

Emran Islam

Islam joined the IMF in 2020 as a Senior Financial Sector Expert in the Financial Regulation and Supervision Division. In his previous role, Emran was a Senior Oversight Expert at the European Central Bank (ECB) and the lead for developing and operationalising the cyber resilience strategy for the European Union. He was a part of the team that developed TIBER-EU, the Cyber Resilience Oversight Expectations, established the Euro Cyber Resilience Board, developed and operationalized the market-wide cyber exercise (UNITAS) and developed the Cyber Incident and Information Sharing Initiative (CIISI-EU). Emran has been involved in various international cyber groups, including the G7 Cyber Expert Group, the CPMI Task Force for endpoint security, the FSB Cyber Lexicon Working Group, the CPMI-IOSCO Cyber Working Group, the ESRB Systemic Cyber Working Group and the World Bank FIGI. Prior to joining the ECB in 2015, Emran worked at the Bank of England for 5 years, where he was an FMI supervisor, as well as leading the cyber work for UK FMIs (including the development of CBEST). Emran is a Chartered Accountant, and has previously worked at Goldman Sachs, PwC, IBM and the central government. Emran has a BA and MPhil from the University of Oxford.

Raúl Morales Reséndiz

He has been the Manager of Financial Markets and Infrastructures since 2013. In this position, he is responsible for promoting technical cooperation activities among CEMLA members, ranging from the coordination of experts' groups, research and policy analysis, and technical assistance to capacity building events. Mr. Morales was responsible for the establishment of a group of experts in Fintech, aimed at assisting central banks to better understand the implications of new technologies. Other responsibilities of Mr. Morales include the technical secretariat of the groups on payments and market infrastructures, cybersecurity, financial information and accounting regulation, as well as representing the Center in international financial inclusion and fintech task forces. Mr. Morales advised the General Directorate of CEMLA on international affairs from 2013 to 2014 and in 2018. He has been invited as a speaker at several international forums, including the following: SWIFT regional conference, ECB regional conference on retail payments, summit of cyber security, annual SUCRE meeting, Cooperation Council for the Arab States of the Gulf, CGBS annual conference, meeting of the WSBI assembly and other public and private events organized by the national central banks of the region.

He holds a degree in Economics from the National Autonomous University of Mexico (UNAM), a master's degree in Economics from the Monterrey Institute of Technology and Higher Education (ITESM) and a diploma in public policy from Georgetown University.

Marcos Fabian Covarrubias

Head of research at the Association of Supervisors of Banks of the Americas (ASBA). Manager of international working groups and projects on financial regulation and supervision matters in Latin America and the Caribbean. Experience in data-based economic and policy analysis, project design and implementation, and international relations. Fellow at the Financial Stability Institute of the Bank for International Settlements (BIS) on digital transformation policies for the financial sector.