International information security accreditation and certification body CREST has published a new guide to fostering financial sector cyber resilience in developing countries. The nonprofit’s Resilience in Developing Countries paper forms part of its work in encouraging greater cyber readiness and resilience in emerging nations to help protect key industries from cyberattacks.
The guide outlines that, while increased financial inclusion is a global goal, the less privileged remain highly susceptible to cyberthreats. It also describes the need for appropriate, multi-party cyber resilience testing to ensure better cyber safety in developing nations, along with advice for governing authorities.
Low cyber resilience of financial entities in developing countries
Cyber resilience of financial entities in developing countries is often relatively low, leaving them and their clients considerably exposed to cyber risks, the guide read. Global developments since 2016 have underscored the need to improve the cyber resilience level of financial entities – and the whole financial sector. “Large-scale rapid digitalization of financial products and services and supply chain extension by increasing use of third-party entities, combined with geopolitical tensions, have provided new opportunities and motivations for hackers, malicious insiders, organized crime groups, and nation-states alike.”
While this applies to all countries, developing countries have an additional element, CREST said. Ongoing digitalization in the financial sector has provided the opportunity for considerable improvements regarding financial inclusion — i.e., bringing less-privileged people into the financial system and giving them access to credit, savings, and payment services.
However, this has exposed the formerly unbanked to cyber risk. “Any theft of their digital savings, malicious alteration of their data, or obstruction of the financial infrastructure in general, can affect the less-privileged hardest, directly endangering their businesses, families, and possibly even their lives,” CREST wrote.
Interestingly, Cisco’s Cybersecurity Readiness Index revealed last month that organizations in developing countries in the Asia-Pacific region are more prepared for cybersecurity incidents than those in developed countries. Less tech debt and fewer legacy systems in organizations in emerging markets compared to their peers in developed markets are likely an influential factor, making it easier to deploy and integrate security solutions across IT infrastructures, Cisco said.
TLPT can develop cyber resilience in developing countries
Central banks and financial authorities have an important task in increasing the level of their financial sector’s cyber resilience, the paper read. One common element being considered is threat-led penetration testing (TLPT), which can facilitate the improvement of cyber resilience through controlled testing processes.
However, TLPT is most effective when applied to relatively “cyber mature” financial entities. It’s also dependent on the maturity of the authority in charge and the cybersecurity service industry in the country or region, CREST said. “If authorities pursue a policy to have financial entities tested according to the respective TLPT frameworks, they have to consider the possible capacity and quality restrictions of local cybersecurity service providers and consider options to catalyze development of the market for cybersecurity services,” the guide read.
Assuming the central bank is the authority in charge, it must invest in a dedicated team, headed by a senior manager, which must closely monitor each test process to ensure tests are performed according to the applicable testing framework and that service providers meet the required quality criteria, CREST said. “To avoid supervisory judgement during the test process and the test becoming a mere compliance exercise, this team must sit at arm’s length of the supervisory and oversight functions to ensure a smooth test process.” As long as supervisors and overseers are involved in the scoping at the beginning and will receive the entity’s remediation plan at the end of the test process, their responsibilities are well taken care of.
Authorities pursuing a TLPT program will help improve the cyber resilience of the most critical financial entities, along with contributing to the maturation of the local market for cybersecurity services. However, close and constructive collaboration among all parties, private and public, is key, CREST said.
Copyright © 2023 IDG Communications, Inc.