October 13, 2022
In an economic and financial landscape that has changed significantly, due to the digital transformation that the COVID-19 pandemic triggered, the financial sector and regulators face complex challenges in ensuring a high level of cyber resilience in the face of cyber-attacks. This workshop therefore discussed key issues that support regulators in analyzing the financial sector in order to improve its cyber resilience within the new paradigm.
The workshop opened with welcoming words from Gerardo Hernández del Valle and Caio Fonseca Ferreira, who both remarked on the importance of technological advances and on how these force the financial sector to adopt new security measures in order to reap their benefits.
The first presentation was given by Tamas Gaidosch, Senior Cyber Security Expert at the IMF, on the general cyberthreat landscape. He started by mentioning the case of the war in Ukraine, where there were cyberattacks against two large financial institutions (FI) in Ukraine. Those FI had their IP addresses hijacked (by means of a BGP hijacking attack), but thanks to measures taken beforehand, more specifically an information campaign, the users were safe.
He then mentioned the example of the Apache Log4j library vulnerability, in which attackers trick the web service into executing malicious code to create a backdoor or steal user data, a situation that even involved the White House.
Tamas named four prevailing attack vectors: credentials, phishing, exploitation of vulnerabilities and botnets. Incidents happen due to three key factors: vulnerabilities, threat actors and attack vectors.
Finally, he noted that there has been a steep increase in vulnerabilities over the years due to a combination of factors such as the profitability of incidents, the complexity of systems, etc. In the regional case, the leading root cause of incidents is the human factor, followed by process regulation and lastly by technological advances.
The second session was in charge of Alejandro De Los Santos, Head of Cybersecurity at Banco de México, and Fernando Romero, Head of Information Security Standards in Entities at Banco Central de Argentina.
In the first block, Alejandro gave a summary of the creation of DCiber (Cybersecurity Directorate) at Banxico. This division seeks to address cybersecurity problems with a holistic approach, not focusing only on technological characteristics.
DCiber has two major authority roles: regulator and promoter. As regulator, it takes care of four key aspects: cybersecurity controls, networks and telecommunications, accounts and passwords, and cybersecurity incidents. As promoter, it seeks to update strategies, promote adherence to best practices and international standards, and encourage collaboration between authorities.
After this, Fernando started his block by presenting the regulatory context of cybersecurity in Argentina, emphasizing the management of security in electronic channels. Several actions are needed in this respect, such as awareness and training, access control, integrity and record keeping, control and monitoring, and incident management.
He then showed that the cybersecurity guidelines (April 2020) are a basis, but they need to be updated from time to time. It is important to note that the information security management regulations had an operational viewpoint, because they were created by the government; therefore they need to be improved to include protection against cyberattacks.
Regarding recent regulatory measures taken to mitigate pre-approved credit fraud, these relied on reliable user verification and on monitoring the contact points established with clients and any changes to them.
They also required payment service providers (PSPs) to fulfil certain conditions, such as identity verification, association of accounts or instruments with users, and strong authentication. They are looking to implement consent (with expiration) for the linkage between digital wallets and accounts.
Future challenges include the adoption of a cybersecurity framework, establishing terminology that is understandable to multiple users, improving training and awareness, and education on the benefits of information sharing.
The third session was in charge of Rangachary Ravikumar, Senior Financial Sector Expert at the IMF, who started by mentioning the importance of acknowledging the rise of ICT adoption in all facets of life, developments in technology, and their interconnections and dependencies. He also said: "We want to reap the benefits but manage the challenges and risks, that's why a comprehensive national cybersecurity strategy is needed."
He then described the phases in the development of a national cybersecurity strategy.
Next, he showed the progress in developing strategies in Latin American countries as of 2020: Ecuador, Perú, Guyana, Surinam, Barbados and Belize were developing a strategy, while Trinidad and Tobago and Panamá were the first to develop one (2013).
He presented the basic elements needed to propose a national strategy for the financial sector and then showed two successful examples: the United States and Canada. Finally, in a survey of 55 countries, 34.5% said their central bank does not have a cyber strategy for the financial sector, and 25.5% said it does not have one but that one is under development.
In the fourth session, Emran Islam, Senior Financial Sector Expert at the IMF, started by talking about the types of tools that advanced economies are applying, since supervision and regulation alone are not enough.
One important tool is information sharing. It is key to motivate financial entities to share information and intelligence, because this helps raise awareness of ICT risks, minimize their spread, and support financial entities' defensive capabilities. The speaker then presented an example of how this protocol works in Europe.
Another crucial point is conducting a broad range of cyber resilience tests, such as red teaming, penetration tests and crisis management drills. He presented an example, UNITAS, in which some central banks and financial market infrastructures in Europe simulated a cyber-attack scenario, observed the reactions, drew conclusions, and provided recommendations. There are multiple frameworks for these tests, such as TIBER, CBEST and CORIE.
Lastly, coordination is a must. It must be ensured that agencies and stakeholders within the financial sector are motivated to coordinate their activities; establishing collective governance is recommended.
Acting Director of the Directorate of Financial Markets Infrastructures
Centro de Estudios Monetarios Latinoamericanos (CEMLA)
Gerardo Hernández del Valle is the Acting Director of the Directorate of Financial Markets Infrastructures at CEMLA. He holds a degree in Electrical Engineering from Universidad del Tepeyac. From Columbia University, New York, he holds an M.A. in Statistics, an M.Sc. in Probability and Statistics, and a Ph.D. in Probability and Statistics. His research interests focus on Financial Mathematics, Heat Equation, Econometrics, Complex Variable, and Stochastic Differential Equations.
Caio Fonseca Ferreira
Deputy Chief of the Financial Supervision and Regulation Division of the Monetary and Capital Markets Department, International Monetary Fund (IMF)
Mr. Caio Ferreira is the Deputy Chief of the Financial Supervision and Regulation Division of the Monetary and Capital Markets Department. Since joining the IMF in 2015 he has been actively engaged in policy, diagnostic and capacity development work in several countries across the globe. He has over 25 years’ experience across several aspects of financial stability, including the international framework for financial regulation and supervision and systemic risk analysis. He is currently coordinating work to strengthen the cybersecurity of the financial sector and incorporate climate risks into the prudential framework. He has been actively involved in several international supervisory and regulatory forums and is a former member of the Basel Committee on Banking Supervision. Prior to joining the IMF he was the Director of the Prudential and Foreign Exchange Regulation Department at the Central Bank of Brazil. He holds a PhD in Economics and a M.Sc in Finance from Sao Paulo University.
Senior Financial Sector Expert in the Financial Regulation and Supervision Division, International Monetary Fund (IMF)
Tamas Gaidosch joined the IMF in 2017 as Senior Financial Sector Expert in the Financial Regulation and Supervision Division. His responsibilities include designing and rolling out the IMF's global Cyber Risk Technical Assistance program for financial sector regulatory and supervisory authorities, participating in financial sector surveillance, developing policy recommendations, and representing the IMF on cybersecurity matters in international standard-setting bodies. Before joining the IMF, Tamas was in charge of IT Supervision at the Central Bank of Hungary (2015-2017), where he led the policy development and compliance assurance work regarding IT and cybersecurity in the country's financial sector, including the banking, insurance and securities industries. Prior to that position, Tamas was a partner at Deloitte (2013-2014), in charge of the firm's Enterprise Risk Services in Central Europe. Earlier he worked at KPMG (1999-2013) in several Risk Consulting managerial and leadership roles, finally as Head of Risk Consulting in Hungary. Tamas started his career at IBM (1994-1999) as a system architect focused on electronic banking and security solutions for the financial sector. He holds an M.Sc. degree in Computer Science, is an Executive MBA (Ecole des Ponts ParisTech), a Certified Information System Auditor (CISA), a Certified Information Security Manager (CISM), and a Certified Information Security Professional (CISSP). He co-authored two books on networking technologies and their security aspects and contributed to the development of ISACA's CISM Review Manual.
Alejandro de los Santos Santos
Director of Cybersecurity and CISO, Banco de México
Alejandro is currently the Director of Cybersecurity at Banco de México. Among his responsibilities, he develops policies, guidelines and strategies to maintain and strengthen information security and cyber resilience for both the Central Bank and the Mexican Financial System, acting as CISO of the Bank of Mexico. Alejandro joined the Payment System Department of Banco de México in 1995 and was part of the group that designed and implemented SPEI, the Mexican real-time electronic transfer system. He also participated in the redesign of the Securities Settlement System managed by the Central Securities Depository in Mexico (Indeval) and was head of the Payment System Policy and Supervision Unit between 2012 and April 2018. He was IT Director of Banco de México, where he was in charge of the administration and operation of the IT infrastructure, including data centers and telecommunications networks, and of the development of business applications, and was also responsible for the information security and protection toolkit of Banco de México.
Rubén Fernando Romero
Head of Information Security Standards in Entities, Banco Central de la República Argentina (BCRA)
Rubén Fernando Romero is an Information Systems Engineer who graduated from the Universidad Tecnológica Nacional, Regional Córdoba. He holds a postgraduate degree in e-commerce from the Universidad de Palermo (UP).
He serves as head of Information Security Standards in Entities at the Banco Central de la República de Argentina (BCRA). He joined the Institution in 1998 as an intern in the training program for systems auditors, and since then he has been carrying out different activities related to information security.
He has participated in different initiatives related to cybersecurity and technology promoted by the CGIDE group (Consultative Group on Innovation and the Digital Economy) of the BIS (Bank for International Settlements). In recent years he has spoken on information security issues at different events organized by CEMLA, FORUM and IAIA, among others.
Senior Financial Sector Expert, International Monetary Fund (IMF)
Rangachary Ravikumar, Senior Financial Sector Expert, joined the cyber team of the Financial Regulation and Supervision Division in the Monetary and Capital Markets Department in October 2020. Prior to joining the Fund, Ravikumar worked at the Reserve Bank of India as Chief General Manager, where he was responsible for setting up and operationalizing the Cyber Security and IT Examination Group. During his tenure he put in place a cyber security framework, a cyber incident reporting framework and a key risk indicator framework for assessing cyber security. He was a member of the Cyber Lexicon Working Group as well as the Cyber Incident Response and Recovery Working Group set up by the FSB. During his long career, he was involved in setting up an off-site supervision system, implementing risk-based supervision and serving as a member of faculty teaching regulation and supervision for over five years at the Reserve Bank Staff College. He also worked at the Central Bank of Oman as an Expert in Supervisory / Regulatory functions for more than five years.
He has delivered technical assistance missions on cyber risk for many countries. He has delivered cyber risk supervision courses as well.
Ravikumar has an MBA and is a CFA, FRM and CISA. He also attended the Senior Executive Program at London Business School (2003) and the Advanced Management Program at Columbia Business School (2019).
Senior Financial Sector Expert in the Financial Regulation and Supervision Division, International Monetary Fund (IMF)
Emran joined the IMF in 2020 as a Senior Financial Sector Expert in the Financial Regulation and Supervision Division. In his previous role, Emran was a Senior Oversight Expert at the European Central Bank (ECB) and the lead for developing and operationalising the cyber resilience strategy for the European Union. He was part of the team that developed TIBER-EU and the Cyber Resilience Oversight Expectations, established the Euro Cyber Resilience Board, developed and operationalised the market-wide cyber exercise (UNITAS) and developed the Cyber Incident and Information Sharing Initiative (CIISI-EU). Emran has been involved in various international cyber groups, including the G7 Cyber Expert Group, the CPMI Task Force for endpoint security, the FSB Cyber Lexicon Working Group, the CPMI-IOSCO Cyber Working Group, the ESRB Systemic Cyber Working Group and the World Bank FIGI. Prior to joining the ECB in 2015, Emran worked at the Bank of England for 5 years, where he was an FMI supervisor and led the cyber work for UK FMIs (including the development of CBEST). Emran is a Chartered Accountant and has previously worked at Goldman Sachs, PwC, IBM and in central government. Emran has a BA and an MPhil from the University of Oxford.