The advanced course on cyber risk is developed within the EU Supervisory Digital Finance Academy (EU-SDFA) organised by the European University Institute (EUI) – Florence School of Banking and Finance together with the European Commission (DG REFORM and DG FISMA) and the European Supervisory Authorities (EBA, EIOPA and ESMA). The advanced courses delve deeper into the topics covered in the EU-SDFA foundational training weeks, applying a holistic and cross-sectoral approach which covers banking/payments, insurance, and securities. Moreover, the advanced courses reflect the current supervisory needs flagged to EU-SDFA’s partners by beneficiary National Competent Authorities (NCAs).
The advanced course on cyber risk generally deals with cyber risk management, exploring different approaches and focusing on supervising strategies to assess and mitigate cyber risk. There are indeed multiple dimensions of cyber risk: cyber risk of financial entities and cyber risk of network and information systems. In addition to the EU dimension, there are national as well as global dimensions of cyber risk.
The advanced course on cyber risk (through presentations, interactive presentations, classroom discussions, and panel discussions) deals with the main developments in the cyber threat landscape; development and implementation of cyber resilience strategies; ICT risk management; ICT-related incident management, classification and reporting; cyber testing; management of risks related to the use of third-party providers; public-private partnerships and information sharing; how cyber incidents can become systemic, and what approaches can be taken to address systemic risk. The final panel discusses future prospects, exploring whether innovative technology could increase or decrease cyber risk. Group activities, followed by interactive discussions with the instructors, engage participants in the solutions to problems, providing them with the opportunity to share their knowledge, skills and understanding. Group activities allow participants to benefit from cooperative learning and evaluation.
Session 1. Cyber threat landscape and outlook
This session will be a recap of the main developments in the cyber threat landscape. The global dimension will be considered (i.e., the main events, developments and dialogues that have occurred at an international level), with a focus on key infrastructures of the European economy, such as telecom, energy, transport and financial market infrastructures.
Session 2. Developing and implementing a cyber resilience strategy for the financial sector
The financial sector comprises different types of entities, ranging from banks to financial market infrastructures to critical service providers. Given the potential impact of a cyber incident on the increasingly interconnected system, it is important that authorities develop and implement cyber resilience strategies for their respective financial sector, encompassing a range of tools and initiatives, in an integrated and holistic manner. This session will provide insight on how authorities can develop and implement such a strategy, and on the tools, initiatives and capabilities needed to deliver it.
Session 3. Presentation: ICT risk management
In recent years, regulators have increased their efforts on cyber resilience. The underlying basis for this effort has been various international cybersecurity frameworks. This session will provide an overview of the different approaches taken, such as ESAs’ Guidelines on ICT and security risk management; an in-depth technical training on the different elements of the frameworks (e.g., Governance, Identification, Protection, Detection, Response and Recovery, Testing, etc.); oversight and supervisory approaches and interactive case studies focused on the different elements.
Session 4. ICT-related incident management, classification and reporting
This session will provide an overview of the different approaches taken to ICT-related incident reporting. It will focus on the different elements of the incident response process and the main issues and challenges before, during and after a major incident. This will be illustrated using examples and interactive case studies. As taxonomies and thresholds vary significantly at national level, this session will also address how such divergences could hinder the reporting mechanisms and processes. It will also explain which practices contribute to a smooth exchange of information among competent authorities, which is crucial for addressing ICT risks (especially in the case of large-scale attacks with potentially systemic consequences).
Session 5. Cyber testing – Threat intelligence-based ethical red-teaming
A core part of enhancing the cyber resilience of the financial system is conducting cyber testing. Increasingly around the world, authorities are adopting intelligence-led red team testing frameworks for their financial markets. Threat intelligence-based ethical red-teaming mimics the tactics, techniques and procedures (TTPs) of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to financial entities. An intelligence-led red team test involves the use of a variety of techniques to simulate an attack on a financial entity’s critical functions and underlying systems (i.e., its people, processes and technologies). It helps an entity to assess its protection, detection and response capabilities.
Session 6. Applied session on cyber testing: real life examples and case studies
TIBER-EU is the European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, and threat intelligence and red-team providers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks. TIBER-EU was developed jointly by the ECB and the EU’s national central banks, approved by the Governing Council of the ECB and published in May 2018. DORA relies on TIBER-EU for cyber testing. The managers of TIBER from the ECB and some of the EU’s national central banks will lead this session, providing insight into such testing and how it is conducted.
Session 7. Group activity: Developing a set of core principles for ICT and security risk management
This session will be an interactive group session, aimed at developing a set of core principles for ICT and security risk management. Participants will be provided with a case study covering different sectors (e.g., banking, insurance, securities) and divided into smaller groups. Working with the moderators, they will analyse the case study in the light of what they learned in the previous sessions, in order to identify the different cyber risk profiles and their impact on supervision, with a view to identifying core regulatory principles that might be horizontally applicable to all sectors.
Session 8 (continued). Interactive discussion: Presentation of the outcomes of the Group activity
This session will give each group the opportunity to present the outcome of the group activity. It will be an interactive session, in which the group presents its outcome to the instructors, who will then challenge the group on its ideas.
Session 9. Managing risks related to the use of third-party providers
The use of third-party providers to deliver ICT services to financial institutions is a longstanding practice that may raise issues of dependency, control and substitutability, often linked to outsourcing. In this session, authorities and stakeholders will present and discuss their views on managing the risks related to the use of ICT third-party service providers.
Session 10. How to design public-private partnerships and build trust: information sharing
Given the rapidly evolving threat landscape, and the increased digitalisation and globalisation, there is a real need for all the relevant stakeholders (which include regulators, financial entities and the cybersecurity sector) to establish a forum to exchange ideas at a strategic and Board level on how best to tackle the new challenges, share best practices and tools, encourage information sharing, and identify gaps and weaknesses in the ecosystem which require collaborative thinking to catalyse effective solutions. This session will explore how different players have established and operated such fora to deliver effective solutions for the market.
Session 11. Panel discussion: Can cyber incidents become systemic and what approaches can be taken to address systemic risk?
The cyber resilience of a financial entity is in part dependent on that of interconnected banks, FMIs and service providers, as there is a broad range of entry points through which an entity could be compromised. As a result, the interconnectedness of the financial system accentuates the need for strong sector-wide cyber resilience, to ensure that cyber incidents do not become systemic. The core components of effective sector resilience are: market-wide exercises; understanding operational interdependencies through mapping; enhancing crisis management arrangements; information and intelligence sharing; and cross-border and cross-authority collaboration. This session will be an interactive conversation among experts, addressing the different issues and the approaches that authorities can take to manage potential systemic risk.
Session 12. Group activity: Building a cyber strategy for the financial sector of a fictitious country
This session will be an interactive group session, where participants will be asked to develop a holistic cyber resilience strategy for the financial sector of a fictitious country. The audience will role play as different stakeholders within the country and demonstrate how they can work together to develop and implement a cyber strategy for such a fictitious country. The course participants will be divided into smaller groups and will work closely with the moderators to develop the strategy.
Session 13 (continued). Interactive discussion: Presentation of the cyber strategy for the financial sector of a fictitious country
This session will give each group the opportunity to present its cyber resilience strategy for the financial sector of the fictitious country. It will be an interactive session, in which the group presents the strategy to the instructors, who represent the Board of the authorities of the fictitious country, and the Board then challenges the group on its ideas.
Session 14. Panel discussion: Looking to the future, is innovative technology increasing cyber risk or decreasing it?
The rise of innovative technology and new entrants (e.g., non-regulated entities) seeking to shake up markets is causing increased disruption. New technologies, services and ways of working are gaining prominence. Meanwhile, increased digitalisation and automation can lead to streamlined operations and greater speed. But are these technologies and processes designed and implemented with the cyber threat in mind? Are they mature enough to withstand the growing cyber threat? What can reasonably be said about future prospects? This session will be a panel discussion among authorities and industry leads, examining the complex issues around the future landscape.
Session 15. Wrap-up