Regional Meeting on Cybersecurity Issues

By suggestion of the Banco Central de Reserva del Perú, CEMLA organized the Regional Meeting on Cybersecurity Issues with the participation of the Committee of Payments and Market Infrastructures (CPMI), the European Central Bank and Banco de Mexico. The meeting was held on February 5, 2019 with the attendance of 23 institutions.

The key messages that emerged in the sessions meeting are summarized below:

 

The CPMI’s work on the risk of wholesale payment fraud
Takeshi Shirakami, CPMI Secretariat

The objective of the session was to inform about a) the key challenges regarding the wholesale payment fraud and b) describe the CPMI strategy developed to address this issue.

Key challenges regarding the wholesale payment fraud:

  • Importance of the endpoint concept as a starting point to strengthen cybersecurity and address the related risks.
  • The central bank as a relevant actor (user, overseer, operator, supervisor of payment systems) is key to reduce the risk of wholesale payments fraud.
  • CPMI survey evidenced that there are knowledge gaps, inconsistencies in approaches, and important opportunities to reduce the risk of wholesale payments fraud.
  • CPMI strategy and its analytical framework, highlights each possible stage around fraud: preventing, detecting, responding to and communicating about it.  

 

CPMI strategy 7 elements:

  • Identify and understand the range of risks.
  • Establish endpoint security requirements.
  • Promote adherence.
  • Provide and use information and tools to improve prevention and detection.
  • Respond in a timely way to potential frauds.
  • Support ongoing education, awareness, and information sharing.
  • Learn, evolve, and coordinate approaches for strengthening endpoint security.

Concluding Mr. Takeshi provided some examples regarding the operationalizing of the strategy, such as a) promote the engagement and cooperation among relevant stakeholders and procure commitment of them; b) establish a clear allocation of tasks, responsibilities, and action program; and c) support flexibility in determining how best to operationalize the strategy.

Finally, Q&A time allowed Mr Shirakami and Mr Holden (CPMI Secretariat member) to delve into specific strategy specifications and recommendations. In that sense, one recommendation was regarding communication, noting that keeping an updated contact list it is crucial during an incident episode and it is a basis for preparing a viable, effective strategy. Additionally, it was mentioned that in the future it would be necessary to develop research further on the interconnectivity among payment systems in order to prevent fraud.  


Operationalizing the CPMI strategy for reducing the risk of wholesale payments fraud related to endpoint security 
Takeshi Shirakami, CPMI

 

Cyber Resilience for Eurosystem Market Infrastructure
Francisco Tur Hartmann, ECB

The objective of this session was to describe the Eurosystem Cyber Resilience model and focused on the financial market infrastructures (FMIs) resilience. 

Eurosystem has develop and / or adopt strategies and best practices aiming to enhance the cyber resilience. The Action Plan on Cyber Resilience (APCR), established in 2017, is aimed to enhance the Eurosystem capabilities regarding detection, prevention, responses and recovery against cyberattacks. In the same vein, there is a defense model that involves 3 lines of defense, the first within the TARGET Services operation, the second within the Market Infrastructure Risk Coordinator (MIRCo) and the third at the Eurosystem’s Internal Audit Committee. Additionally, to the APCR and the defense model, the Eurosystem follows the CPMI-IOSCO Guidance on Cyber resilience for FMIs and complements them with the named Eurosystem Cyber Resilience Oversight Expectations (CROE). Likewise, there are other related workstreams and collaboration that add to the aforementioned efforts, such as Eurosystem Market Infrastructure Connectivity Guidance, the EU Threat Intelligence-based Ethical Red Teaming Testing Framework (TIBER-EU).

In this context, the APCR reports cyber resilience enhancements in the following areas: a) security services, b) security testing, c) data recovery, d) non-similar facilities, e) software integrity, f) enhanced security awareness, g) Information sharing and cyber threat intelligence.

Finally, Mr. Tur highlighted the APCR role as catalyst; the importance that the FMIs gain trust among them and with the relevant authorities; and the concept of flexibility regarding the cyber resilience model.


TARGET services: Strategy to respond to Cyber threats and information security risks
Francisco Tur Hartmann, ECB

 

 

Mexico’s strategy to foster cybersecurity
Alejandro De los Santos, Banco de Mexico 

The presentation was aimed to describe the current cybersecurity strategy at the central bank of Mexico.

Currently central banks have to go beyond their own perimeter, in order to promote awareness and action against cyber risk. Central banks are required to have a more active role. Under such premises Mr. De los Santos explained the change in the paradigm in cybersecurity since, now, it is not limited to network security, information system security and cybersecurity threats but must include information security control, and this concept includes the following: a) governance, b) policies, c) procedures for incident (prevention, detection, response and remediation), d) awareness, and e) collaboration. At the same time, the change requires that the strategy focus in the information flow.

In this context, the regulatory pillars in the Mexican regulation are: a) information security control (it was highlighted that the decision on which set of standards to choose it is not as important as the decision to use one them); b) corporate governance (it is necessary to identify and hold accountable a person who has the authority and vision to influence the organization, implement the cyber security strategy and balance operational and safety priorities. In Mexico it has been established that each commercial bank must have a Chief Information Security Officer); and c) Cybersecurity Response Groups (it is recommended to establish intergovernmental coordination to define protocols regarding prevention and response). 


Developments in the Bank of Mexico’s cybersecurity strategy
Alejandro De Los Santos, Banco de Mexico

 

Introductory remarks
Raúl Morales, CEMLA and Milton Vega, Banco Central de Reserva del Peru

Operationalizing the CPMI strategy for reducing the risk of wholesale payments fraud related to endpoint security
Takeshi Shirakami, CPMI

TARGET services: Strategy to respond to Cyber threats and information security risks Francisco
Tur Hartmann, ECB

Developments in the Bank of Mexico’s cybersecurity strategy
Alejandro De Los Santos, Banco de Mexico

Main findings and closing remarks
Raúl Morales, CEMLA Milton Vega, Banco Central de Reserva del Peru

In early 2017, CEMLA launched the Forum on Cyber Security (FOCOSC) with the aim of promoting the exchange of experiences, practices and relevant information related to cyber risk management in central banking.

The FOCOSC is made of 17 Latin American and Caribbean Central Banks: Argentina, Bolivia, Chile, Colombia, Costa Rica, Curacao and San Martin, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Paraguay, Peru, Uruguay and Venezuela. The central banks of France and Spain participate in the Forum’s activities as observers and CEMLA hosts the Secretariat of the Forum.

Avatar

Takeshi Shirakami

Deputy Head of the Committee on Payments and Market Infrastructures Secretariat, BIS Takeshi has been Deputy Head of the Secretariat since June 2016. Before joining the BIS, he served as chief representative in Frankfurt of the Bank of Japan (BOJ) from 2014 until 2016. 

He joined the BOJ in 1993. At the BOJ he spent many years with FMI policy and oversight of domestic and international FMIs and represented the BOJ at international committees, working groups and cross-border oversight arrangements. 

He also led a supervisory team for Japanese major banks and broker dealers and represented the BOJ at colleges/CMGs and FSB working groups. 

Earlier in his career he was a junior representative at the BOJ Frankfurt office (2000-2003) as well as a member of the CPSS Secretariat at the BIS (2008-2010). He studied law at Kyoto University and economics at the University of Göttingen.

 

Avatar

Francisco Tur Hartmann 

Francisco joined the European Monetary Institute, the forerunner of the European Central Bank, in May 1995. He participated in the development of the TARGET system (the Real Time Gross Settlement system for the euro). 

From 2005 to 2017 he was Deputy Head of Division in the Market Integration area of the Directorate General Market Infrastructure and Payments. Francisco was involved in policy work aiming for further harmonisation and integration of payments at European and global level, including clearing and settlement. 

Francisco is currently Head of Division at the Market Infrastructure Support Division dealing with project management, cyber resilience, system acceptance testing, financial matters and communication. He holds a master's degree in computer science from Universidad Autonoma de Barcelona (Spain)."