Published: 20.09.2023

ICT security and cyber risk monitoring

Objective of ICT security and cyber risk monitoring

The objective of information and communication technology (ICT) security and cyber risk monitoring is to promote the availability of safe, secure, reliable and at the same time innovative financial services. Therefore, the digital operational resilience of the financial market is one of the supervisory priorities of Latvijas Banka. Market participants are tasked with developing and enhancing their capabilities to defend against growing and evolving cyber threats by strategically planning ICT protection and responding effectively to ICT vulnerabilities and security incidents, thereby ensuring the protection and viability of ICT. This requires both the necessary technological resources and an awareness and knowledge of the capabilities needed for self-protection – both within the financial institution itself and in society at large.

Cyber threats

The main cyber threats of concern to the European Union Agency for Cybersecurity (ENISA) are:

  • ransomware: 60% of affected organisations may have paid ransom demands;
  • malware: 66 disclosures of zero-day vulnerabilities observed in 2021;
  • social engineering: phishing remains the most popular technique, but is increasingly complemented by fraudulent text messages and phone calls;
  • various threats against data: increasing in proportion to the volume of data compiled;
  • threats against availability: the largest distributed denial-of-service (DDoS) attack ever was launched in Europe in July 2022, as well as threats to the internet – destruction of infrastructure, outages and rerouting of internet traffic;
  • disinformation and misinformation: the spread of AI-enabled disinformation and deepfakes is on the rise, and the spread of disinformation is evolving as a service;
  • supply chain targeting: third-party incidents accounted for 17% of the intrusions in 2021 compared to less than 1% in 2020 (source: Threat Landscape — ENISA (europa.eu)).

ICT governance challenges and opportunities

Digital transformation of the financial market

Technological developments and the recent Covid-19 pandemic have contributed to the transformation of businesses and the development of remote financial services. At the same time, the increasing variety and number of technologies and their interdependencies make it even more difficult to track and assess their compliance with the security requirements. The digital environment is constantly evolving and the security solutions that provided protection in the recent past may not be sufficient today.

In a first harmonised attempt to build supervisory knowledge at European level, in 2022, European Central Bank (ECB) Banking Supervision launched two initiatives in this field:

  • it engaged with consultants, banks, banking associations and technology companies to gain a general overview of market trends;
  • it conducted a survey among 105 large banks under direct ECB supervision to assess the status of their digital transformation.

Meanwhile, in the insurance sector, the digital transformation strategy endorsed by the European Insurance and Occupational Pensions Authority (EIOPA) addresses the challenges posed by the digitalisation of the insurance and pensions sector, while enabling stakeholders to harness the benefits that arise from new technologies and business models.

However, digitalisation processes inevitably involve challenges such as the organisation's ability to manage a large portfolio of ICT projects, testing new unproven technologies, lack of personnel experience and expertise, lifecycle management of obsolete technologies and cross-border collaboration with suppliers. All these need to be taken into account when implementing and adapting ICT risk controls for ambitious digitalisation projects, although these challenges could generally be addressed by implementing the requirements of the new Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector.

As financial market services become more digitalised, the threats and damage that can be caused by cyberattacks increase. However, whatever resources are invested in securing ICT infrastructure, it should be assumed that it will never be completely secure and the possibility of vulnerabilities will always exist.

Impact of geopolitical threats

During 2022, Latvijas Banka analysed the impact of the geopolitical crisis caused by Russia's invasion of Ukraine. Since the beginning of the invasion, the number of cyberattacks, in particular the number and intensity of distributed denial-of-service (DDoS) attacks, has risen significantly, and attacks have become more targeted.

In parallel, phishing campaigns and ransomware attacks continue to threaten customers using remote services, and the nature of cyberattacks is changing rapidly. As geopolitical tensions rise, artificial intelligence solutions and cloud services are being added to the attackers' arsenal, enabling more sophisticated attacks, improving social engineering methods and increasing the effectiveness of ransomware.

ICT and security risk management framework

ICT and security risk management requirements

ICT and security risk management requirements for all financial market participants are set out in the "Regulation on Information Technology and Security Risk Management".

To help financial market participants assess their information technology (IT) and security risk management processes, the Financial Technology Supervision Department of Latvijas Banka has prepared easy-to-use recommendations for the self-assessment of IT and security risk management.

The recommended checklist for IT and security management self-assessment will help financial market participants self-assess their IT and security management processes against the requirements set out in the "Regulation on Information Technology and Security Risk Management".

Incident reporting requirements

According to the "Regulation on Reporting of Major Payment Service Incidents", payment service providers are obliged to report all major payment service incidents.

Between 2020 and 2022, the number of incidents increased but their impact weakened: service recipients were affected to a lesser degree and individual outages were shorter. At the same time, the share of incidents caused by outsourced service providers grew.

Around 10% of all major incidents in 2019–2022 were caused by cyberattacks, mainly distributed denial-of-service (DDoS) attacks, while the rest were caused by internal problems and failures of external service providers.

Internal incidents with prolonged business function disruptions, mainly due to software and hardware failures, remain the main threat.

Outsourcing monitoring requirements

IT outsourcing requirements for all financial market participants are set out in Sub-paragraph 3.5 of the "Regulation on Information Technology and Security Risk Management".

In addition, the use of outsourcing by credit institutions is regulated by the "Regulation on the Use of Outsourcing", which establishes the requirements for assessing the materiality of outsourcing and for the coordination of material outsourcing.

For non-bank market participants, outsourcing is regulated by:

On-site and off-site inspections

In accordance with the supervision plan developed by Latvijas Banka for financial market participants, on-site inspections of ICT and security risk management are carried out.

Continuing the off-site approach to the supervision inspections and assessment process for credit institutions, it is planned to apply the ICT risk management assessment method also to the supervision process for insurance corporations, investment management companies and pension funds. This will provide important data for the prioritisation of supervision work as well as allow for a broader cross-sectoral analysis.

DORA – the new ICT security framework for financial entities

Necessity to introduce DORA

DORA, or the Digital Operational Resilience Act, is Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector that entered into force on 17 January 2023.

The increased use of technology in the digitalisation process not only provides business opportunities for existing and new market participants, but also increases risks. The framework aims to mitigate the risks associated with the digital transformation of the financial sector by setting common rules for all market participants. The rules apply to a wide range of financial institutions, including important ICT third-party service providers such as cloud service providers, telecommunication operators, software developers and other digital service providers.

Critical third-party service providers with cross-border reach and high concentration risk and systemic impact will be subject to centralised supervision at European level.

The categories of financial entities licensed in Latvia that must comply with the new framework from 17 January 2025 are:

  • credit institutions;
  • insurance corporations;
  • investment management companies;
  • investment firms;
  • insurance brokers that are large companies;
  • payment institutions;
  • electronic money institutions;
  • managers of alternative investment funds;
  • crowdfunding platforms;
  • central securities depositories;
  • crypto-asset service providers (after the adoption of the European Union regulation).

Regulatory framework under DORA

The DORA requirements are divided into five pillars and will be detailed in regulatory technical standards (RTS) and implementing technical standards (ITS), which are in the public consultation phase and are expected to be approved in 2024.

The first pillar of standards consists of essentially refined existing regulatory requirements and defines in detail two groups of standards.

The ICT Risk Management RTS set out harmonised requirements in relation to the existing risk framework for financial entities, based on the Guidelines on ICT and security risk management issued by the European Banking Authority.

The ICT Risk Management RTS are expected to harmonise the incident reporting framework, including incident classification and reporting requirements, and establish a common reporting format.

ICT Risk Management Framework:

  • RTS "Risk Management"
  • RTS "Simplified Risk Management"
  • Guidelines for calculating ICT losses

ICT Incident Reporting:

  • RTS "Incident Classification"
  • RTS "Significant Incident Reporting"
  • RTS "Incident Reporting Specification"

DORA also includes three new regulatory areas with significant implications for financial entities:

  • risk management of third-party ICT providers – this is also expected to subject the third-party providers of critical ICT services of financial entities to regulatory requirements;
  • operational resilience testing – this is expected to harmonise and standardise digital operational resilience testing requirements – following a risk-based approach, companies should implement assessments, testing, methodologies, solutions and tools that are appropriate to the size, business and risk profile of the company;
  • European supervisory framework – this will ensure the overall functioning of the mechanism from a cross-border perspective and the supervision of critical third-party service providers by a single supervisor in cooperation with national competent authorities.

Digital resilience testing:

  • RTS "Threat-Led Penetration Testing"

Risk management of third-party ICT providers:

  • ITS "Supplier Information Register Form"
  • RTS "Supplier Use Policy"
  • RTS "Criticality Determination of Suppliers"

Framework for the monitoring of critical service providers:

  • RTS "Harmonisation of Monitoring Conditions"
  • Guidelines for cooperation between national competent authorities and European supervisory authorities

DORA is directly applicable, but in order to provide a legal basis for supervision and to define the supervisory authorities and their responsibilities, the relevant amendments to the national legal framework are planned to be drafted in Latvia in 2024 and submitted to the Ministry of Finance for approval (Laws and regulations | Ministry of Finance (fm.gov.lv)).