[...] When it comes to financial risk-taking, we all acknowledge that markets fail to deliver socially optimal results on their own, hence regulation and supervision are needed. The same argument applies to cyberspace. Financial firms have their own reasons to protect themselves. They do not want to lose their credibility and their customers because of a cyberattack. But this is not enough. Cyber vulnerabilities have extensive negative externalities - individual entities such as financial institutions have neither the incentives nor the means to internalise them all. Authorities need to rectify this.
The nature of cyberspace is such that externalities are not contained within national borders, or within any single sector. One important source of cyber risk for supervised entities is their increasing reliance on third-party suppliers who fall outside the jurisdiction of financial authorities.
In the past, attackers have leveraged vulnerabilities in the IT systems of third parties to strike financial institutions. In the G7 Fundamental Elements For Third Party Cyber Risk Management in the Financial Sector published last year, we introduced tenets on the appropriate management of third-party risk. We must now accelerate work on implementation. When it comes to third parties who operate in regulated sectors, such as energy and telecoms, the different authorities must step up their coordination and cooperation efforts.
There are two dimensions to cooperation.
First, within each country there needs to be a cohesive national system of cyber defence that allows different authorities to work together effectively. In this context, governments have a natural role as coordinators.
Attacks are getting more sophisticated. Some involve resourceful actors, such as nation-states and terrorist organisations. The financial sector remains a prime target, and we cannot effectively mitigate the risk simply by mandating supervised entities to follow good practices. Complex attacks can be deployed via obscure tools. Even large financial institutions with excellent (and expensive) defence systems can be at a loss in the face of cutting-edge threats; they can, of course, work out some of the technical details, but they might miss some of the broader, systemic elements, simply because they lack relevant information: precedents that affected other sectors; attacker tactics; and effective defences adopted elsewhere. This kind of information is generally available only to intelligence agencies and the military. Cross-sector, nationwide and international cooperation is therefore essential.
There needs to be a mechanism within each country that allows appropriate public bodies to coordinate and jointly support, each within its own mandate, the victims of a cyber campaign. In the European Union, the Network and Information Security (NIS) Directive takes this course.
Second, cooperation must extend beyond borders, given the nature of many of the attacks and the interconnectedness of the financial system. This will always be a challenge, because disclosing vulnerabilities to entities from another jurisdiction might endanger national security. Nonetheless, we need to find feasible solutions to this problem, since this kind of information sharing might prove crucial in responding to some attacks. [...]
In the EU, a new regulation (currently under approval) will introduce a mechanism of cybersecurity certification for many products, too. This is an important step, but it would be more effective if G7 countries could converge at least on a subset of requirements. If a service is not safe according to our own laws, it should not be on the market - and there should be a reasonable degree of convergence between laws in like-minded jurisdictions. [...]