Thank you again for the introduction. This is basically a bit of my CV, just not to brag about. The main point really is that I've been around a couple of places and have worked in cybersecurity quite a bit.
And perhaps the most important one from a personal perspective is the little grey box at the bottom, the usual disclaimer. Even though I work for the European Investment Bank, what I'm going to present today is pretty much related to my own experience and the things that I have seen along my way. So it's not an official statement from the EIB whatsoever. Good. Let me jump straight into the agenda. It's obviously not much: setting the scene.
I'm going to, you know, bring us all into alignment with some of the cyber threats that we are facing, specifically in my sphere with the EIB. Then I'm going to dive a little bit into the regulatory landscape, and I'm happy that people are actually interested in this one, because usually people roll their eyes
when we talk about these things. But personally, to me, regulation helps a great deal in actually getting our thoughts straight on how to structure our programs for cyber regulation.
Some of the ones that I'm going to introduce to you, you may know already, but some of them are quite prescriptive, and that can really help us to drive and develop a roadmap for cyber resilience. And then obviously at the end we are going to have a nice summary slide. Let me start with some of the cybersecurity trends that we've been encountering recently. I took this particular slide from the annual cybersecurity threat landscape report of the EU cybersecurity agency,
because it corresponds quite well with the things that we are seeing on a regular basis. The main concern to me and to my colleagues, and I'm sure you would share it with me, is the topic of phishing: email messages that carry malware somewhere that, once they break through the perimeter into your inboxes, can run havoc and cause us a lot of harm.
Another thing, obviously, something that has moved us over the past couple of months, is everything related to COVID-19,
and the fact that we had to send people home to work from the safety of their homes. I've seen organizations, and we were struggling with it as well when we went into a teleworking mode in March this year, that weren't really prepared for such a move.
I think it's quite unprecedented when you look into this, and the thing that we were lucky with is that we had, back in 2019, a seamless remote access facility which basically allowed our people to use their own laptops and to work from anywhere in the world without having, you know, to use their own personal equipment.
We see an uptick in events related to distributed denial of service, which I think in the second or early third quarter has seen quite a number of European financial institutions being impacted by that.
And last, but certainly not least, are our good friends, the state-sponsored threat agents that try to break into our networks and, you know, exfiltrate information and data from there.
There's another one from the European law enforcement agency, Europol. They're pretty much coming to the same result and in some aspects are even more specific: ransomware is the number one threat that they have identified. They go beyond phishing, something we have seen as well. You see a lot of unsecured, unsafe remote access protocols that allow an attacker to break into an internal network. We have seen a lot of Citrix incidents, RDPs that were abused over the past couple of months and basically years. Data compromise is one of the results out of this.
And I already spoke about the DDoS attacks. Now you may say, Stephan, this is all good and it's very nice, but it's really nothing new.
So what is it? Well, the fact is that indeed it was new, but it was a trigger point for the regulator to look into how we can actually address these cybersecurity concerns.
And in the context of the banking crisis back in 2007, 2008, I mean, the whole topic of financial resilience came up, and over the past couple of years the consideration turned towards cyber resilience. The notion of cyber resilience has grown, and back in June 2016 the Committee on Payments and Market Infrastructures, CPMI, together with the International Organization of Securities Commissions, IOSCO, released their first guidance paper on cyber resilience, which was called the cyber guidance.
And it's built around five key concepts which, when you look into all these subsequent legislations and regulations, are found everywhere. The first point is quite obvious: you need to have the buy-in, the support, from your senior management, your top management. If they don't recognize cyber resilience as a crucial element, as part of their risk management framework,
you don't even have to start with it. You may have heard of the two-hour recovery objective.
This comes actually from this June 2016 cyber guidance paper. It basically mandates that an organization, a financial market infrastructure, a significant bank, should be able to resume operations after two hours where the systems were shut down. It's quite an ambitious objective. The notion of threat intelligence and rigorous testing was announced already in this paper back in 2016, and the need to raise cyber culture,
cyber awareness, was mentioned there, because the fact is that cyber resilience is, yeah, a lot of cybersecurity, but more business continuity and involvement from the business side. I mean, there is a fact: we might all eventually have that black swan event where, you know, something has broken through our defense and wiped us clean, pretty much like what happened to Maersk back in 2017. And what do we do then?
There is no IT, there is nothing. And then the business is required to look into alternative plans.
But if they start looking into plans at the time things happen, it's probably a little too late. And the last issue that the cyber guidance document had highlighted was indeed the fact that the FMIs, the banks, the critical banks, are not on their own. They have to look into their impact on other banks. They have to look into what a service provider can actually introduce in terms of risks to my organization.
And this is something that has again developed into all the other legislation that the EU and the national states have come up with over the past couple of years. I wanted to refer to something that was actually quite recently launched, and what's celebrated as the EU Security Union Strategy came out in July 2020 and basically provides an integrated approach to ensure security in both the physical and the digital environments.
And it centers around these four different pillars,
if you like: a future-proof security environment by enhancing cybersecurity and protecting the critical infrastructure and public spaces; tackling evolving threats coming from cybercrime, illegal online content and hybrid threats; protecting Europeans from terrorism and organized crime, I mean, there have been lots of news recently where this has obviously played against European citizens; and building a strong European security ecosystem through cooperation and information exchange.
So this is something which the Commission is planning to develop and is trying to achieve. It focuses on new technologies and their potential misuse for criminal purposes, and what are the opportunities they offer to modernize law enforcement. You may have seen in the news, there is currently an initiative going on where the governments of different EU member states try to find ways to get access to end-to-end encrypted messages.
So we might actually see a shift, a paradigm shift,
so that actually what we often accuse the American authorities of, even European governments and authorities will try: to get access to confidential information that we have submitted via WhatsApp, via Telegram and the like. In this context, another regulation, very recent, actually the newest one, is from this September 2020: the Commission adopted this new digital finance package, which includes digital finance and retail payment strategies and legislative reports on crypto assets and digital resilience.
It's a mouthful. The DORA regulation, basically the Digital Operational Resilience Act, builds on existing information and communication technology risk management requirements that were already put in place. Some of you may have been exposed to the European Banking Authority guidelines on outsourcing arrangements, on ICT and information risk management, and this is basically an attempt of the European Commission to consolidate all these different pieces of legislation that are in place.
And an interesting point to me is that it focuses quite a bit on ICT third-party service providers.
So those guys that basically have some of your business outsourced to them, the cloud service providers, are now being held accountable. And more than that, they're even going to be supervised by a supervisory entity, which of course then has an impact on the way these ICT third-party providers are going to respond to these requirements. Right now, when the ECB or the local legislator visits a bank and attempts or wants to find out if we comply with the banking regulations, the third parties are a by-product: they're being asked, but they're not directly supervised and monitored.
This is going to change with the DORA regulation, and I think this is something which is quite important. Another aspect which I thought is quite interesting is the fact that the DORA regulation is going to impose and harmonize a new ICT incident classification and reporting scheme, which basically means there are specific requirements: if there is an incident, critical incidents, no matter how they are being classified, will have to be reported to a central EU body and then basically be processed from there.
Okay.
Then there is a slightly older one, the Cybersecurity Act, from 2019. And this has helped to strengthen the position of one of the very important agencies, the one on cybersecurity, which is called ENISA. Now don't ask me why ENISA is the cybersecurity agency; I think it's the old name, European Network and Information Security Agency. I don't think they have changed the name really, but the point of this EU Cybersecurity Act was in my eyes twofold.
One, to set up a cybersecurity certification framework for digital products, services and processes that are being offered here in the European Union, to give, you know, organizations, companies that provide, or that have a product certified according to this framework, an edge over all their competitors, and to give the assurance to customers of those companies that these products that they have procured actually meet certain minimum requirements.
The other point that the Cybersecurity Act was actually making is that the position of ENISA itself was improved, because it increases the operational cooperation at the EU level, and ENISA is now authorized, if not even mandated, to handle cybersecurity incidents if EU member states request them to do so. And they coordinate if there are EU-wide, large-scale cyber attacks happening. And last but not least, every country has a national cybersecurity incident response team.
ENISA's role is to play liaison to these different entities and to make sure they're all being funneled together and have a platform to talk and discuss with each other. And then obviously, for a bank like us, what's important is what the ECB says. And the ECB indeed also came up with what they call the cyber resilience strategy for financial market infrastructures back in March 2017, which is based on three pillars: the resilience of an individual FMI, then of an entire sector, and then ensuring that there's a strategic dialogue.
And it's based, interestingly enough, on the June 2016 guidance paper I was referring to earlier in my speech, and they transposed these requirements into a framework, and then some, what they call Cyber Resilience Oversight Expectations. And you see it's pretty much based on this cybersecurity framework with the different elements of recovery, identification, protection and detection, all under the umbrella of governance, but it's enhanced by considerations towards testing, situational awareness, learning and evolving.
And what I really like about the CROE, that's what I call these oversight expectations, is that it comes in different maturity levels. So you start with the evolving one, which is the lowest maturity level, and you get very good guidance on how you can actually move up the maturity chain. You can define your roadmap to improve the way you are addressing the cybersecurity expectations of the ECB.
What they also rolled out,
and this was in May 2018, is the TIBER-EU framework, TIBER-EU, another awful acronym: Threat Intelligence-Based Ethical Red Teaming for the European Union. It's a framework that needs to be transposed into local law and which basically gives guidance to institutions, financial institutions, on how to perform next-generation penetration tests. It's very interesting.
It's very well documented. We here in Luxembourg don't have a local law for this one yet, but countries like Belgium, Denmark, Germany, the Irish, the Dutch, which have contributed to this framework, they all have it, and they can actually run these next-generation penetration tests against these requirements. The role of the CISO in cyber resilience:
it's an interesting topic. So I'm in the first line of defense by design. So usually it's in the second line, and it's a good thing, because I need some oversight, because otherwise, you know, I cannot be trusted and I have to be challenged. But what does it mean, CISO in cyber resilience terms?
I mean, obviously the important role of the CISO in this is to identify what the risk appetite of the organization is with regard to cyber resilience and what the steps are to be taken in order to achieve, you know, the objectives. There might be issues with reporting to the CRO, because CROs, based on my experience, tend to be a little more conservative than others, and there might be conflict if the CISO proposes technological innovation, for example when it comes to securing backup tapes. There are new technologies out there, and that might not fly well with a CRO.
This is my closing slide. Then I'm open for questions.
I mean, what I want to bring to your attention is that the world of regulation, of governance with regard to cyber, is developing, is changing. There is no doubt that all of us eventually will have some sort of security incident happening.
And we need to be prepared to act accordingly. We have to have an agile environment, and legislation and regulation can help us to develop a roadmap for us to come to a point where, you know, we are actually better prepared than before with our cyber resilience efforts.
Obviously it is not a technological question. It's a question that has to be addressed across different functions within an organization.
And I've seen talks and discussions for the introduction of what is called the chief resilience officer, which is basically funneling all the different groups and opinions together and trying to help, you know, to come up with a cyber resilience plan for an organization that really protects the critical processes and IT systems. And with this one, thank you for your attention. I'm open for questions.