Cyber Flashcards
What is the critical role of IT in modern economies according to the study?
Information technology (IT) is essential for the functioning of contemporary economies, with organizations increasingly relying on IT products and services like cloud systems and artificial intelligence.
How has the reliance on IT affected exposure to cyber risks?
This reliance has led to heightened exposure to cyber risks, which are defined as the risk of financial loss, disruption, or reputational damage from IT system failures, including malicious incidents like ransomware, hacking, or internal data theft.
What is the challenge in cyber risk management for firms?
Firms actively manage cyber risk and invest in cybersecurity, but quantifying the associated costs is challenging.
Why are cyber risks considered a systemic concern in the financial sector?
Cyber risks are viewed as a major threat to stability in the financial sector and are considered national security matters in critical economic sectors.
What trends in cyber incidents does the study document using its dataset?
The study notes an increase in cyber incidents until 2016 followed by a reduction, which might be due to increased security investments or delays in discovery/reporting. The average cost of incidents has been rising.
How do different economic sectors vary in resilience to cyber incidents?
Different sectors show varied resilience, with the financial sector experiencing frequent, less costly incidents. Data breaches are common and expensive, while business disruptions are infrequent but can incur high costs.
What factors influence the costs of cyber events?
Factors include the size of the firm, the nature of the incident (intentional or unintentional), and technological capabilities.
What is the role of third-party cybersecurity services in managing cyber risks?
The use of services like cloud technology is linked to lower costs of cyber events but increases interdependence and potential systemic risks.
How has the financial sector addressed cyber risks, and what are the specific challenges in the cryptocurrency space?
The financial sector’s proactive risk management and regulation have mitigated attack costs. However, the cryptocurrency space, especially crypto-exchanges, has experienced higher costs from cyber events.
What does the study reveal about IT spending across various sectors?
The study finds an overall deficit in IT security investment across sectors, except for the finance and insurance sector, which shows adequate spending levels.
Why is the financial sector a prime target for cyberattacks? What percentage of global cyberattacks in 2021 targeted the financial sector, according to IBM? What are the findings regarding cyber-attacks on financial institutions?
- The financial sector is targeted because of its high-value assets and data, which make it a lucrative target for cybercriminals.
- In 2021, the financial sector suffered 22% of all cyberattacks worldwide.
- Around 91% of cyber-attacks target banks, especially retail banking and credit card services. Losses vary and are not necessarily related to the size of the financial institution. Central banks also face significant cyber-attack risks.
How are cyber-attacks categorized in the financial sector?
Cyber-attacks are seen as operational risks impacting the confidentiality, availability, or integrity of information or information systems, affecting firms through breaches, business disruptions, fraud, and data breaches.
What systemic impact can cyberattacks have on the financial sector?
Cyberattacks can threaten financial stability by affecting individual organizations or several components of the financial system, potentially leading to a systemic crisis.
What are examples of critical financial services that can be disrupted by cyberattacks?
Critical services include securities custody, central settlement, payment services, real-time gross settlement (RTGS) systems and SWIFT.
What are the main cyber threats facing the financial sector?
Threats include
- disruptions of critical infrastructure,
- breaches of data integrity,
- technological failures,
- risks arising from operational and financial interdependencies,
- growing dependence on third-party service providers,
- concentration in cloud services,
- and vulnerabilities linked to emerging technologies such as contactless mobile payments and decentralized finance.
What efforts are being made to strengthen the operational resilience of the financial system against cyber risks?
Efforts include
- regulatory developments,
- the development of supervisory frameworks,
- cooperation between supervisory and information security authorities,
- the adoption of common tools and strengthened coordination,
- crisis management,
- the establishment of trusted channels and communication,
- bilateral cooperation and international frameworks,
- as well as regular simulation exercises.
How are regulatory and supervisory authorities adapting their frameworks to manage cyber risk?
They have introduced directives and acts such as the EU's Digital Operational Resilience Act (DORA), and are adapting their national regulatory frameworks, as France has done with the ACPR, to standardize cyber risk management in the financial sector.
What is the role of cooperation between supervisory and information security authorities?
This cooperation aims to monitor cyber risk, as with the ECB, which supervises significant banks for cyber risk under the Single Supervisory Mechanism (SSM), and ENISA, which promotes the exchange of good practices among authorities.
Why are common tools and improved coordination important in managing cyber risks?
These tools and this coordination are essential for managing operational and financial interdependencies in the financial sector, including
- systematic incident notification,
- harmonization of incident taxonomies,
- and identification of sources of systemic risk.
What does crisis management involve in the context of cyber risk?
It includes developing best practices and tools for responding to cyber incidents, such as those developed by the Financial Stability Board and the G7 Cyber Expert Group, and integrating cyber risk into macroprudential tools such as the systemic cyber stress tests proposed by the ESRB.
How are communication and trust established between private entities and financial authorities?
They are established through working groups and dedicated communication channels for information sharing and operational coordination in the event of a crisis, such as the 'Robustness' working group in France.
What is the role of bilateral cooperation and international frameworks?
The Banque de France and the ACPR, for example, have established bilateral cybersecurity cooperation with foreign financial authorities, such as a memorandum of understanding with the Monetary Authority of Singapore, to strengthen cyber resilience through information sharing.
What is cyber risk and how is it classified by the Bank for International Settlements?
Cyber risk encompasses risks linked to the digital world that affect the confidentiality, integrity or availability of information systems or data.
It is classified along four dimensions:
- causes/methods,
- actors,
- intent
- and consequences.
What are the challenges in quantifying cyber risk?
The constantly evolving nature of cyber risk makes it difficult to define and quantify, and the lack of transparency in incident reporting complicates assessment of the frequency of the risk and of its potential economic impact.
What are the direct and indirect impacts of cyber risk?
Direct impacts include ransom payments and loss of revenue due to operational disruptions. Indirect impacts include reputational damage to the victim organization and effects on third parties, such as a loss of confidence affecting entire sectors, loss of data, impact on value chains, or increased risk aversion.
What are the estimates of the aggregate impact of cyber risk?
Estimates vary widely, ranging from 50 billion to 650 billion dollars annually according to the CERS. A Value-at-Risk approach estimates the direct impact at 6,600 billion dollars and the total impact at 22,500 billion dollars, roughly one third of global GDP, with a 5% probability.
Why is the financial sector ever more vulnerable to cyberattacks?
The financial sector is highly vulnerable due to its extensive digitization and reliance on digital infrastructures, making it a prime target for cyberattacks. The Boston Consulting Group found that financial entities are 300 times more likely to be targeted compared to other sectors. The shift to remote work during the COVID-19 pandemic further heightened these vulnerabilities.
How can cyber incidents impact the financial sector’s stability?
Cyber incidents can undermine financial stability by eroding trust in the system’s security. This can lead to consequences like massive bank withdrawals, liquidity freezes, and operational disruptions. Studies show varying capacities of financial organizations to absorb significant cyber shocks.
What factors influence the systemic impact of a cyber incident in the financial sector?
Factors include the nature of the threat (especially if intended to destabilize the financial system), affected functions (particularly those causing permanent data integrity loss), propagation channels, and the level of preparedness of companies and authorities.
Why is regulating cybersecurity important in the financial sector?
Regulating cybersecurity is crucial to align incentives, ensure companies are responsible for their clients’ data security, reduce information asymmetry through mandatory incident reporting, and develop certification mechanisms.
What regulatory guidance and reporting standards are in place for cyber risk?
In the U.S., the SEC requires listed firms to disclose cyber risks, while the GDPR in the EU mandates breach reporting within 72 hours, imposing substantial fines for non-compliance.
How is the Global Cybersecurity Index used in assessing cyber risk?
The ITU’s Global Cybersecurity Index assesses cybersecurity preparedness based on factors like legal, technical, and organizational arrangements, with advanced economies generally scoring higher.
What is the purpose of the Digital Operational Resilience Act (DORA)?
DORA aims to enhance cybersecurity in the European financial sector, enabling resilient operations in the face of operational disruptions, especially those caused by cyberattacks.
What uniform requirements does DORA set?
DORA establishes uniform requirements for network and information system security across financial companies and critical third-party IT and communication technology service providers, including cloud computing and data analytics services.
What types of disruptions and threats does DORA focus on?
DORA mandates that companies ensure they can withstand, respond to, and recover from all types of Information and Communication Technology (ICT) disruptions and threats.
How does DORA determine the efforts required from financial entities?
The efforts required from financial entities under DORA will be proportional to the potential risks they face.
Are there any exclusions in the applicability of DORA?
Almost all financial entities in the EU will be subject to DORA, with auditors temporarily excluded but potentially considered in future reviews.
What requirements does DORA impose on third-country providers?
Critical service providers based in third countries offering IT services to EU financial entities must establish an EU subsidiary to allow for proper supervision.
What supervisory framework is established under DORA?
DORA includes an additional joint supervisory network to enhance coordination between European supervisory authorities on digital operational resilience.
What are the provisions for penetration testing and internal auditors under DORA?
Penetration testing will be operational, potentially involving authorities from multiple EU Member States. The use of internal auditors will be limited to strictly defined circumstances.
How does DORA interact with the NIS Directive?
DORA clearly defines rules for digital operational resilience for financial entities, building upon the Network and Information Systems (NIS) Directive and removing overlaps with a lex specialis exemption.
What is the context and background of DORA?
DORA was proposed as part of a broader digital finance package, including a digital finance strategy, proposals on crypto-asset markets (MiCA), and distributed ledger technology (DLT), aimed at facilitating technological development while ensuring financial stability and consumer protection.
What is the EU’s definition of cybersecurity?
Cybersecurity in the EU involves protecting computer systems from malicious attacks or espionage, and includes all techniques and tools to safeguard infrastructures and the confidentiality, integrity, and availability of data in the digital world.
How is the European cybersecurity market valued and what is its growth rate?
The European cybersecurity market is valued at over 130 billion euros and is growing at a rate of 17% annually.
What are the key threats identified in EU cyberspace?
Identified threats include ransomware, malware, covert mining, email attacks, data threats, denial of service attacks, disinformation, supply chain attacks, and unintentional incidents caused by human error or poor IT configurations.
How do cyberattacks impact SMEs and public administrations in the EU?
Cyberattacks affect not only individuals but also SMEs and public administrations, with SMEs being particularly vulnerable due to fewer resources for cybersecurity.
What is the role of the EU Agency for Cybersecurity (ENISA)?
Established in 2004 and strengthened in 2019, ENISA works with EU member states and institutions to maintain and improve digital security, providing a framework of technical requirements, standards, and procedures.
What does the Directive on Network and Information Systems (NIS) mandate? What is the proposed NIS 2 Directive and its objectives?
- The NIS Directive imposes security obligations on operators in strategic sectors like transport, energy, health, and finance, including the requirement to report incidents to national authorities.
- The NIS 2 Directive aims to expand coverage to more sectors and strengthen corporate obligations and national authority surveillance measures.
What are the planned Security Operation Centres (SOCs)?
SOCs are AI-assisted centers acting as “digital police.”
What is the Secure Space Connectivity Initiative?
A constellation of satellites in low orbit to improve connectivity and internet access, ensuring service continuity during cyberattacks, with an estimated cost of 6 billion euros.
What is the timeline for implementing the Digital Operational Resilience Act (DORA) in the EU?
The implementation period for most of DORA’s requirements is likely to be 24 months, expected to run from the second half of 2022 to the second half of 2024, with discussions on extending the timeline for resilience testing requirements.
What are the ICT risk management requirements under DORA?
The Council and European Parliament (EP) agree on proportionality for smaller financial services (FS) firms and delegate rulemaking to the European Supervisory Authorities (ESAs) through Regulatory Technical Standards (RTS). Differences include the EP’s push for public reporting of ICT incidents and the Council’s emphasis on business impact analyses.
What are the ICT incident reporting requirements in DORA?
There’s a consensus on introducing harmonized reporting requirements for major ICT-related disruptions, which will likely broaden reporting obligations for firms and may include mandatory reporting of significant cyber threats.
What resilience testing requirements does DORA impose on financial firms?
Firms will be required to conduct various operational resilience tests, including advanced testing like Threat-Led Penetration Testing (TLPTs), with the scope and frequency still being determined.
How does DORA address third-party risk management?
DORA maintains requirements for firms using third-party providers (TPPs) for critical functions, including key contractual provisions, with additional requirements proposed by the EP.
What is the oversight mechanism for Critical Third-Party Providers (CTTP) under DORA?
Certain ICT TPPs designated as “critical” will come under the direct oversight of EU financial authorities, bringing them into the financial services regulatory perimeter.
How does DORA integrate cryptoassets into its framework?
DORA includes amendments to align existing EU Directives with the proposed operational resilience framework, integrating Distributed Ledger Technology (DLT)-enabled products into the definition of a financial instrument under MiFID2.
What is the role of Level 2 rulemaking in DORA?
DORA delegates authority to the ESAs to develop detailed Regulatory Technical Standards (RTS) on ICT risk management, incident reporting, resilience testing, and third-party risk management.
How should firms prepare for the implementation of DORA?
Firms should conduct a gap analysis of existing ICT risk management practices, evaluate current incident management and reporting capabilities, understand resilience testing requirements, and improve mapping and management of third-party provider relationships.
What is the significance of DORA for financial services firms?
DORA presents a comprehensive approach to digital operational resilience, requiring significant preparatory work and a proactive approach from financial services firms to comply with the new requirements.