Why cybersecurity is the one to watch for global regulators in 2024

Rapid digitalization and technological innovation have brought a wealth of advantages to the financial industry by redefining how business is done. At the same time, the threat to cybersecurity is as present as ever. How have regulators begun to navigate this pressing matter, and will it be a trend to watch in the coming year?

20 February 2024
by Kathryn Fallah

In brief:

  • A range of financial regulators weigh in on their approaches to cybersecurity and how they plan to evaluate risks to maintain market safety
  • Firms can expect increased cyber risk testing and security guidelines as threats continue to morph and grow in complexity
  • Cyberattacks have already had noticeable effects on business operations and market activity, meaning industry players must be staunch in their resilience practices

In a way, the evolving financial landscape is much akin to walking a tightrope. Attempting to maximize the potential of new tools like artificial intelligence (AI), multi-dimensional messaging channels, and crypto without falling into the dangers that their misuse can present is undoubtedly a balancing act.

Bottom line, all of these technological advances tie into two foundational areas of finance – cybersecurity and cyber resilience. Market safety has been a longstanding endeavor, but recently regulators in both North America and Europe have taken the lead by steering the conversation toward risk management and outlining how they plan to measure preparedness.

One after another, regulators have added to the cybersecurity and resilience conversation, whether by issuing guidelines, announcing mandatory assessments and incident reporting, or setting out strategies for identifying and closing the avenues through which security could be compromised. Developments on this topic are expected to continue taking shape throughout the year.

A summary of regulatory approaches to cyber resilience and defending against threats

Through risk management measures such as stress testing, incident reporting, and framework requirements, as well as by issuing security guidelines, regulators intend to keep firms vigilant and prepared for breaches and other cyber incidents.

Don’t stress, stress test:

At the beginning of 2024, the European Central Bank (ECB) announced that it would be performing a series of cyber resilience stress tests on 109 firms to gauge “how banks are able to respond to and recover from a successful cyberattack.” When considering recent instances where successful cyberattacks have had an unfavorable effect on business operations, these tests seem particularly beneficial.

In late January, for example, Wall Street firm EquiLend was the target of a cyberattack that took some of its systems offline, which reportedly could take “several days” to restore. While the attack had no lasting effect on the financial market as a whole, it shows that cyber threats are continually present, especially against large financial firms, which are, in the words of Commodity Futures Trading Commission (CFTC) Commissioner Kristin N. Johnson, “among the most attractive targets of cyber threats.”

Operational resilience frameworks make the dream work:

Last month’s meeting of the CFTC’s Technology Advisory Committee, which Johnson sponsors, discussed themes concerning AI and cybersecurity, particularly how the CFTC will approach cyber resilience to mitigate disruption to financial services.

Johnson also indicated that increased testing and guidance could be tactics the regulator will use in managing cybersecurity; both are included in the proposed Operational Resilience Framework rule:

“It frames cybersecurity as a critical component of resilience for our market participants. The systemic nature of this program, as well as the increasing centrality of technology in our markets and economy is such that it is incumbent upon us to explore multiple approaches. Some may focus on governance, others on regulatory policy, while others consider and identify vulnerabilities in software and hardware.”

The Operational Resilience Framework calls for futures commission merchants, swap dealers, and major swap participants to establish, implement, and maintain a framework to identify and manage risks related to information and technology security, including those arising from third-party relationships. Overall, the framework aims to strengthen risk management practices and disaster recovery plans by requiring heightened governance when implementing them. It also requires training and testing to ensure the plans actually work.

Measure up risk by reporting your cyber incidents:

In a speech at a cyber risk conference, Federal Reserve Vice Chair for Supervision Michael S. Barr added that cyber incidents can propagate through the U.S. financial system and result in “significant spillovers to other banks.” Beyond defending against attacks, enhanced testing and incident reporting allow regulators to measure how disruptions affect costs and help build a body of cyber risk data with which to quantify degrees of risk.

Though increasingly groundbreaking, and genuinely useful for analyzing threat intelligence and detecting cyberattacks, the capabilities that these transformative technologies offer can also be exploited and pose a substantial threat to market stability (even to regulators themselves) if not carefully considered.

This was shown by an AI-generated image falsely depicting an explosion near the Pentagon. Though debunked within minutes, the image caused a brief dip in the market and alarmed regulators and market participants about how quickly fabricated information can make an impression.

Let’s party – well, manage third-party risk:

Regulators have cautioned that when a security incident occurs at a third party, accountability still falls on the firm that relies on it, no matter who was at fault. In the same speech, Barr advised that it is crucial to set expectations when selecting and communicating with third parties:

“Reliance by banks on third-party service providers has grown considerably in recent years… it is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard.”

ECB Executive Board Member Piero Cipollone also delivered a speech on protecting the cyber resilience of financial infrastructures, in which he said that cyber risk has become a challenge to global security that can no longer be ignored and is expected to cost over $200 billion globally. He singled out ransomware attacks and weak policy management around third-party risk as two areas of particular concern.

As suggested by the Office of the Superintendent of Financial Institutions’ (OSFI) newly released Integrity and Security Guideline, when considering a third-party solution, firms should assess the provider’s ability to address threats, its policies and procedures for protecting against them, and its background check processes.

The cybersecurity game plan and guidelines:

OSFI continued the conversation in its Integrity and Security Guideline, which sets out expectations for protecting against cyber threats. The guideline covers a selection of points tied to security and integrity, such as governance, compliance, and data.

Per OSFI’s guideline, firms should apply greater governance and scrutiny to decisions such as business plans, strategies, and internal controls. Likewise, firms should set out codes of conduct and expectations for staff. When assessing the threat environment, firms should evaluate and internally report their findings at least annually.

The guideline also emphasizes compliance management, calling for every firm to create an enterprise-wide Regulatory Compliance Management framework. This should include a channel through which employees can anonymously report noncompliance. Data security is tied to the compliance framework and should be tracked to confirm that data is protected in transit, at rest, and in use.

The impact of integrity in influencing resilience:

In the Integrity and Security Guideline, OSFI pointed out that, as always, leading with integrity is a major component of enabling security, because it sets out and demonstrates the behaviors expected of employees:

“Integrity is an important value in and of itself. A lack of it can damage reputation, result in fraud, cause legal issues, and increase vulnerabilities to undue influence, foreign interference, and malicious activity. Thus, enhancing integrity reduces risks to solvency and supports the overall safety and stability of a financial institution and, consequently, the financial system.”

How do you promote integrity? Strengthening policies and procedures, cultivating a healthy business culture, and holding employees to clear standards of character and conduct are some of the places where firms can start.

Echoing the words of global regulators, tone from the top remains vital to peak business performance. Leading by example is a chief aspect of integrity and underlines the gravity of good behavior when conducting business.

It may not be possible to put an end to cybercriminal activity. However, with thorough preparation, regulators and firms can identify patterns and take charge when faced with a cyberattack.

Deliberations around risk management and cyber resilience are only beginning. As threats advance alongside technological developments, it is up to firms to be driven in their efforts to prepare for possible incidents by enhancing policies and using surveillance solutions to remain on guard.