Against the backdrop of Russian-based hacktivists declaring war on Europe’s financial system, the passing of the EU’s Digital Operational Resiliency Act (Dora), and the potential threats posed by new technologies such as generative AI, FS-ISAC, the banking industry’s cyber risk information-sharing network, has established a European board of directors.
FS-ISAC, which is headquartered in the US, has operated in Europe for a number of years, but its new European board, chaired by Daniel Barriuso, group chief transformation officer at Grupo Santander, will establish a localised group of experts to help financial services firms in Europe navigate the ever-changing cyber threat and regulatory landscape in Europe.
“The financial services sector must come together to collectively navigate these changes and the creation of this board is the next step in ensuring the experiences of FS-ISAC’s Europe-based members are incorporated into the global community,” says Beate Zwijnenberg, global chief information security officer at ING, who serves as director on both the European and global boards of FS-ISAC.
European board member Jayaraj Puthanveedu, global head of resilience for cyber and digital fraud at BNP Paribas, adds: “Resilience of the financial services sector is not only accomplished through individual preparation, but also by a greater effort from the industry as a whole, both in Europe and around the world.
“Only the development of collective muscle memory, formed through cross-border exercising, local training and collaboration, will build operational resilience on behalf of Europe’s financial sector and improve global response time in case of large-scale incidents.”
Only collective muscle memory ... will build operational resilience on behalf of Europe’s financial sector
FS-ISAC CEO Steven Silberstein says the new Europe board of directors, which will drive a lot of EU-specific activities among its more than 5000 members, was in the pipeline for some time and would have been announced sooner if the Covid-19 pandemic had not stalled progress.
Serious risk
However, the announcement comes at a time when cyber security threats and geopolitically motivated attacks are becoming top-line concerns for chief risk officers (CROs).
According to the latest edition of EY and the Institute of International Finance’s bank risk management survey of 88 banks across 30 countries, cyber security is a top risk for 72% of global CROs.
The war in Ukraine is also affecting banks’ risk agenda, according to the survey, with 62% of European banking CROs anticipating geopolitical factors will demand more of their attention in the coming months, compared with just 28% globally.
The war in Ukraine has given rise to geopolitically motivated threat actors in eastern Europe. On June 15 this year, three pro-Russian hacker groups, KillNet, Anonymous Sudan and REvil, threatened to declare a cyber war on European banks.
The three groups are believed to have been responsible for a distributed denial-of-service cyber attack which brought down the European Investment Bank’s main websites on June 19.
The regulatory landscape with respect to cyber and operational resilience is also changing. Regulations such as Dora, which was formally passed by the EU in late 2022, will require financial services firms, including asset managers, banks and insurers, to adhere to technical standards for ensuring operational resilience against major cyber attacks.
The regulation is due to come into force in January 2025, giving financial institutions and service providers just under 18 months to prepare.
Shared information
Mr Silberstein says FS-ISAC is committed to ensuring the industry is sharing information in the right way, as required under Dora.
“FS-ISAC is built on the principle that financial institutions can share information within a secure, trusted community,” he explains. “Thus far, we have seen that FS-ISAC members are already in lock-step with the intentions of Article 45 of Dora, which encourages financial firms to share cyber threat information and intelligence within a trusted community of financial entities.”
Dora raises the standard of responsibility on financial institutions in reporting cybersecurity incidents and ensuring transparency of their cyber safeguards and infrastructure.
The threat landscape is dynamic and information-sharing helps multiply our capabilities
While FS-ISAC’s members are enthusiastic about intelligence-sharing, Mr Silberstein says this rule ultimately makes threat intelligence-sharing and cross-industry collaboration a necessity for institutions to ensure that they have the best possible protections in place.
Following Dora coming into effect, FS-ISAC expects to further expand its member base with more cross-border exercises to help financial firms build muscle memory on a variety of attack scenarios and improve global response times in the case of large-scale incidents.
“FS-ISAC’s Europe Board will oversee our work within the region as institutions collaborate to prevent, detect, contain and recover from incidents related to information and communication technology,” says Mr Silberstein.
Mr Barriuso, who chairs FS-ISAC’s new European board of directors, says the group will play an important role in co-ordinating information-sharing regarding cyber-related activities among European financial services providers. “There have been some smaller groups in Europe; now we are creating a one-stop shop to reduce fragmentation in the financial industry,” he explains.
But modern cyber security is about more than just building a big wall of defence, he says. “The threat landscape is dynamic and information-sharing helps multiply our capabilities and allows us to adjust our defences to respond better to threats. The intelligence of one makes us all stronger.”
In addition to working with financial service providers, including banks, credit unions, financial markets infrastructure, asset managers, hedge funds and insurance companies, FS-ISAC also engages with critical infrastructure providers to the financial services sector, including cloud providers like Google and Akamai. It is also increasingly focused on tri-sector cyber resiliency by working more closely with energy and telecoms firms.
