By Achille Deodato, CEO Indigita SA
The press release dated January 3, 2024, sets out the proactive stance taken by the European Central Bank (ECB) towards understanding how banks respond to and recover from cyberattacks. This approach prioritizes resilience over mere prevention. The insights gained from this initiative may serve as a catalyst for similar endeavours that the Swiss Financial Market Supervisory Authority (FINMA) could consider undertaking.
The ECB's Initiative
The recent initiative undertaken by the ECB involves conducting a cyber resilience stress test on 109 banks under its direct supervision. This effort underscores the critical necessity of addressing cyber threats. The ECB's scenario envisions a successful cyberattack causing disruptions to daily operations, thereby necessitating the activation of emergency procedures and contingency plans.
Current Standpoint of FINMA
In its 2023 Risk Monitor report, FINMA identified cyberattacks as an increasingly prominent risk among various others, stating,
"Cyber risks remain one of the most significant operational risks for supervised institutions."
Furthermore, FINMA's "Circular 2023/1 Operational Risks and Resilience – Banks" dedicates a specific chapter to the management of cyber risks, emphasizing the significance of preparedness and resilience in the face of cyber threats.
In practical terms, banks are required to manage cyber risks by delineating clear tasks, competencies, and responsibilities in accordance with internationally recognized standards and practices. This entails identifying the threat landscape, evaluating vulnerabilities, safeguarding ICT assets and critical data, monitoring and detecting cyberattacks, and ensuring swift recovery post-attack. Banks must also regularly conduct vulnerability assessments, penetration tests, and scenario-based cyber exercises to enhance and continually refine their cyber risk management protocols.
The Crucial Role of Human Factors
It is imperative to acknowledge that while cyberattacks targeting banking systems are a significant concern, vulnerabilities often stem from everyday users.
As emphasized in reports from specialized firms such as McKinsey & Co, Verizon, and Parachute, human error and a lack of awareness are responsible for up to 95% of cybersecurity breaches.
Statistics from FINMA's 2023 Risk Monitor report indicate that 59% of the cyber incidents reported to FINMA in the past twelve months involved identity theft, unauthorized access, or inappropriate use—likely stemming from human errors. Similarly, the same report reveals that 51% of attack vectors targeted individuals rather than systems.
This reality underscores the importance of not only institutional preparedness but also individual awareness and training.
Train, train and continue training
Individuals remain the preferred targets for hackers due to their susceptibility to social engineering tactics and human errors.
Hackers exploit the human element because it is often the weakest link in cybersecurity. As demonstrated by numerous cyber incidents, individuals can inadvertently click on malicious links, fall for phishing scams, or use weak passwords.
Therefore, ongoing training and education are essential to bolster individual awareness and resilience. Regular training programs can equip employees and individuals with the knowledge and skills needed to recognize and thwart cyber threats effectively. This proactive approach not only enhances individual cyber hygiene but also contributes significantly to the overall cybersecurity posture of organizations and institutions, reducing the likelihood of successful cyberattacks.
The ECB's proactive stance on cybersecurity sets an example for regulatory bodies like FINMA, emphasizing resilience and preparedness. Cyber risks remain a top concern, requiring robust strategies. While institutions must manage these risks, individuals are often the weakest link due to human error.
Ongoing training and awareness programs are vital for equipping individuals to recognize and combat cyber threats, contributing to overall cybersecurity resilience.
In this digital age, a combined effort from institutions and individuals is crucial for a safer and more secure future.
What we do at Indigita
Indigita is at the forefront, collaborating with first-level experts to develop comprehensive cybersecurity e-Learnings. Such educational initiatives targeting banks and asset managers are fundamental in cultivating a culture of cybersecurity awareness and preparedness, from the top levels of management to the day-to-day users, ensuring a robust defence against the ever-evolving cyber threats.