Cybersecurity worries European Central Bank

Financial sector is one the main investors in cybersecurity without doubt. And this is because, financial sector is one of the main affected by cybercrime. This situation leads to European Central Bank, leaded by Mario Draghi, to be specially worried about the cybersecurity capabilities of european financial entities to fight against cyberthreats.

During last months, european financial entities have had to answer a (quite) long questionnaire sent by ECB about cybersecurity that includes questions related with what mechanisms financial entities have implemented to prevent data theft from malicious (internal or external) users or what controls they have to detect cyberattacks. And even, and this has been what more has call our attention because it is close related with LEET Security activity, what mechanisms are financial entities addopting to assure that third party providers are compliant whit security measures wrote down in agreements, and not only when deciding which provider to choose, but during all service life.

For LEET Security, this ECB concern about service providers monitoring processes means the confirmation of something we have detected in our meetings con these financial entities: The percepction of dependency on providers in cybersecurity issues is quite high and the number of financial entities designing processes to assure that their providers are compliant with security requirements defined in agreeements is growing.

Nevertheless, this issue means a very touhgt challenge if, in the same way that regulators / supervisors, financial entities do not tackle the need of harmonization, because what is unthinkable is that every user requires different validation mechanisms of (more or less) the same security requirements (i.e., that every user audits the same provider), not only because of cost, but for inefficiency.

LEET Security rating is extremely useful regarding this aspect, because the adoption of a common #securityrating model (able due to versatility of five levels on three dimensions) allows that an unique validation could be used by multiple clients.

In summary, we thing that a model in which financial entities require to providers to be rated according to a common metric could very useful for everyone. In one side, to show ECB how financial entities tackle the need to assure a minimun security level along the ICT supply chain and, in the other, to simplify and rationalize the supervision process.