Dealing with cyber risks
The increasing use of new technologies and IT systems brings numerous advantages, but also dangers. Because of global networking and the high density of data that technical progress entails, any financial intermediary can become a target for cybercrime. The FMA therefore attaches great importance to cyber security.
The following is a brief overview of the most common threat scenarios:
- Distributed denial of service (DDoS): An attack on computer systems intended to disrupt their availability. Large volumes of traffic are sent from many distributed computers to the target system in order to overload it.
- Insider threats (especially social engineering/phishing): Attackers exploit employees' good faith or uncertainty to trick them into disclosing passwords or other confidential information, carrying out unauthorised transactions, downloading malicious software, and the like.
- Malware in email messages: The recipient is tricked into opening an email attachment or clicking on a link that automatically executes malicious code. The purpose of this is, for example, to further spread malware or to destroy or steal data.
- Encryption Trojans (ransomware): The system is infected with a specific type of malware that encrypts data on the victim's drive and on connected network drives. In most cases, the victim is then asked to pay the attacker in order to have the data decrypted.
FMA Communication 2018/3
These and other threats need to be countered through adequate IT risk management. The measures required to deal with cyber risks are specified in FMA Communication 2018/3. Not only must a security level appropriate to the threat situation be ensured, but appropriate emergency management must also be in place so that normal business operations can be resumed as quickly as possible following an attack. Based on the globally established NIST (National Institute of Standards and Technology) standard, six process elements are presented: identify, protect, detect, respond, recover, and report.
Where IT is outsourced to external service providers, these requirements apply equally. Care must therefore be taken to include IT service providers in risk management when implementing suitable measures.
FMA Communication 2018/3 establishes a minimum standard and thus does not prevent the financial intermediaries addressed from establishing higher standards and more detailed rules for dealing with cyber risks.
Any (future) provisions at the European level remain unaffected by this Communication.