Canada and other G7 nations have agreed on a set of guidelines for governments to improve cyber security in the financial sector, one of the critical pieces of infrastructure in any country.

Release of the guidelines comes after several breaches of the international SWIFT financial messaging system, including the US$81 million theft via the Bangladesh central bank and the interruption by a Vietnamese bank of the attempted theft of approximately US$1.1 million through fraudulent SWIFT messages.

This week Symantec warned it has found evidence that a group using the Odinaff Trojan has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment.

There is no indication that the SWIFT network itself was compromised, it adds.

The non-binding recommendations are for countries that generally are more alert to cyber threats than many others — the United States, Great Britain, Germany, France, Italy and Japan — but also more likely to be targets. The statement is a recognition that the countries need building blocks to design, implement and re-evaluate a cybersecurity strategy and operating framework.

“Public authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts,” the agreement says. “Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.”

The guidelines include eight elements financial services organizations should follow:

–establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines;

–define and facilitate performance of governance roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities);

–identify functions, activities, products, and services—including interconnections, dependencies, and third parties—prioritize their relative importance, and assess their respective cyber risks. Identify and implement controls—including systems, policies, procedures, and training—to protect against and manage those risks within the tolerance set by the governing authority;

–establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises;

–have thorough incident response procedures to assess the nature, scope, and impact of a cyber incident, contain and mitigate the incident, notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and co-ordinate joint response activities if needed;

–be able to resume operations responsibly, while allowing for continued remediation;

–be able to share reliable, actionable cybersecurity information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage, increase situational awareness, and broaden learning;

–and not stop learning. That means regularly reviewing the cybersecurity strategy and framework, including governance, risk and control assessment, monitoring, response, recovery, and information sharing components, to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.

“Cyber threats and vulnerabilities evolve rapidly, as do best practices and technical standards to address them,” warns the paper. “The composition of the financial sector also changes over time, as new types of entities, products, and services emerge, and third-party service providers are increasingly relied upon. Entity-specific, as well as sector-wide, cybersecurity strategies and frameworks need periodic review and update to adapt to changes in the threat and control environment, enhance user awareness, and to effectively deploy resources. Other sectors, such as energy and telecommunications, present external dependencies; therefore, entities and public authorities should consider developments in these sectors as part of any review process.”