Cybersecurity in the Digital Economy: Challenges and Threats to the Financial Services Sector

15 April 2015, Brussels

Memorandum


Dr Steve Purser, Head of Core Operations Department, ENISA (Moderator)

In his opening remarks, Mr Purser said that it is important to define the problems before looking at solutions, and pointed out that all solutions are a combination of three elements: people, process and technology. He sees a tendency in the industry to focus on the technological tools, but these are useless if not used in the right way. This, he said, frequently does not happen due to a lack of scalability, flexibility and usability – all of which need to be improved in the area of cybersecurity. Finally, he said that prioritization of management is key, and he encouraged the people involved in cybersecurity to work on two separate axes: the strategic axis and the tactical approach. Such an approach is necessary, said Mr Purser, to enable efficient partitioning of staff and ensure appropriate apportioning of resources.

_________________________

Martin Mühleck, Programme Officer, Trust and Security, DG CONNECT, European Commission

Mr Mühleck gave an overview of EU policies in the area of cybersecurity. He introduced the European Cybersecurity Strategy, which was published in 2013. It gathers together all the policy items and initiatives to be launched for a variety of public and private stakeholders, industry groups, consumers and users where the security of the digital economy is at stake. A key component of the strategy is the Network and Information Security (NIS) Directive, which is currently in trialogue with the Commission, the Council and the European Parliament. It deals with three main topics: capacity building among the Member States to prepare them adequately for incidents; stipulation of obligations for the Member States to cooperate and share information; and requirements for special sectors such as banking and financial infrastructures for reporting of any grave cybersecurity incidents. After the adoption of the Directive the Commission will monitor its implementation in Member States. Mr Mühleck stressed the need for the Commission to fully engage with all stakeholders, as the Directive alone will not solve all the problems and issues. With this in mind, the Commission launched the NIS Platform with three working groups: risk management, information exchange & reporting, and research & innovation. First drafts of documents are available, and delegates were encouraged to read them and provide their feedback.

_________________________

Edwin Aoki, Chief Architect and Technology Fellow, PayPal

Mr Aoki said that PayPal continues to invest millions of dollars to protect users’ security while endeavouring to ensure a balance with convenience to provide the frictionless payment methods that over 160 million PayPal users expect. DMARC is one such innovation, co-developed by PayPal. It authenticates senders and provides mail rejection and reporting at the receiver, so that users are never exposed to malicious content. Today DMARC effectively protects billions of users from phishing attacks. Another initiative PayPal has been actively supporting for years is FIDO (Fast Identity Online) for simpler, stronger authentication. Its pluggable local authentication takes advantage of a wide range of access methods including secure PIN, biometrics, and new methods as they are developed. It frees users from passwords that are hard to remember, often used across several sites, and sometimes insecure.

Mr Aoki said that PayPal supports regulatory efforts to increase security in the digital area, such as the NIS Directive, to establish a high level of network and information security across the EU. However, as the industry is confronted with the fast pace of technology innovation, he considers that regulation must retain an inclusive, technology-neutral and global approach that protects consumers while avoiding a patchwork of multiple (or conflicting) national standards and requirements. He warns against overlapping reporting obligations, and strongly recommends keeping up the dialogue amongst stakeholders in financial services, technology providers and regulators to craft policies that strike the right balance between security and innovation, and which can create new opportunities for everyone in the emerging digital economy.
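The receiver-side DMARC check Mr Aoki refers to (authenticate the sender, then reject or report) comes down to a policy lookup and an identifier-alignment test. The following is an added example written for this memorandum, not PayPal's or any DMARC implementation's code: it parses a constructed DMARC TXT record, checks whether the SPF- and DKIM-authenticated domains align with the visible From domain as RFC 7489 describes, and returns the disposition a receiver would apply. The domain names, the record and the `AuthResults` structure are constructed for the example, and the organizational-domain lookup is deliberately simplified to the last two labels (real receivers consult the Public Suffix List).

```python
"""Minimal DMARC evaluation modelled on RFC 7489 (example code, not a library)."""
from dataclasses import dataclass
from typing import Optional

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict and apply RFC 7489 defaults."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        k, v = (s.strip() for s in part.split("=", 1))
        tags[k.lower()] = v
        order.append(k.lower())
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: 'v=DMARC1' must be the first tag")
    if tags.get("p") not in POLICIES:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")     # sampling is not applied in this example
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification assumed for this example: the last two labels.
    A real receiver uses the Public Suffix List, otherwise 'x.example.co.uk'
    would wrongly collapse to 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """Results the receiver already computed for one message (constructed shape)."""
    from_domain: str            # domain of the RFC5322.From header the user sees
    spf_result: str             # 'pass', 'fail', 'none', ...
    spf_domain: Optional[str]   # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str            # 'pass', 'fail', 'none'
    dkim_domain: Optional[str]  # d= tag of the passing DKIM signature, if any


def evaluate_dmarc(record_txt: str, record_domain: str, res: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition to apply.

    record_domain is where the TXT record was found; when the From domain is a
    subdomain of it, the sp= policy applies instead of p=.
    """
    tags = parse_dmarc_record(record_txt)
    spf_aligned = res.spf_result == "pass" and is_aligned(
        res.from_domain, res.spf_domain, tags["aspf"])
    dkim_aligned = res.dkim_result == "pass" and is_aligned(
        res.from_domain, res.dkim_domain, tags["adkim"])
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    if verdict == "pass":
        disposition = "none"
    elif res.from_domain.lower() == record_domain.lower():
        disposition = tags["p"]
    else:
        disposition = tags["sp"]
    return {"verdict": verdict, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "disposition": disposition}


# Constructed record for the constructed domain bank.example.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@bank.example"

if __name__ == "__main__":
    legit = AuthResults("bank.example", "pass", "bounce.bank.example", "pass", "bank.example")
    spoof = AuthResults("bank.example", "pass", "mailer.other.example", "pass", "other.example")
    for label, r in (("legitimate", legit), ("spoofed From", spoof)):
        print(label, evaluate_dmarc(RECORD, "bank.example", r))
```

The spoofed case is the one DMARC was designed for: both SPF and DKIM "pass", but for a domain the attacker controls, so neither identifier aligns with the From domain the user sees and the record's `p=reject` applies. The `rua=` address is where the receiver sends aggregate reports, which is the reporting half of what Mr Aoki describes.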

_________________________

Darren Argyle, Global Chief Information Security Officer, Markit

Mr Argyle welcomes the NIS Directive to help the collaboration and sharing of information, as he regards information sharing as the most important aspect of tackling cybercrime. He presented some ideas of what might need to be considered when tackling cybercrime. Traditionally most resources have been spent on protection, but he thinks there will be a shift so that by 2020 around 60% of security investments will deal with detection and response. This is an acknowledgement that attackers are already in the environment today and what needs to be done is to stop them reaching their ultimate objective, which is accessing an entire network’s sensitive information.

He thinks more needs to be done in the preparation phase, where simulation will become hugely important. Data classification is necessary, so that you know what level of protection to put around certain data. Awareness and education also need to be improved, and Mr Argyle stressed the need to develop people-centric rather than technology-based security. In the recovery phase, business continuity planning (BCP) is an integral part of information security, so that enterprises can recover as quickly as they can detect. Finally, he recommended two recently published reports: one from Verizon Business Associates, and the more technical Internet Security Threat Report from Symantec.

_________________________

Bruno Schröder, Technology Officer, Microsoft BeLux

Mr Schröder displayed an empty slide with the title “The Un-Hackable Environment”, as it does not exist. A few years ago Microsoft realised that prevention is not enough: the attacker often is already inside the environment. So the question now is how to remain secure when a cyber-attacker has already penetrated your environment. Mr Schröder outlined the challenges. The threat landscape is constantly evolving, which means that Risk Assessment Frameworks are extremely critical for technology suppliers. The complexity of security requirements and the multiple regulations applicable are extremely challenging, so he called for a new dialogue among regulators with technology suppliers. This dialogue needs to be more forward thinking as to how technology can meet the needs of the financial sector. Microsoft continually monitors the security landscape and is constantly thinking about how to adapt its technology platforms two or three years down the line. He believes strongly that the future is the only way forward, with companies like Facebook and Amazon likely to completely change the payment landscape in the next five years, using the Cloud infrastructure connected to point of sale applications. This will lead to a number of new and different scenarios such as digital intimacy, the online advisor and many other new entrants. Mr Schröder believes that these developments need to be anticipated from a regulatory perspective.

_________________________


Panel discussion

The first question from the floor was whether, in the light of the NIS Directive, EU or national regulators will be required to play a role in the cyber aspects of financial services. Mr Mühleck said implementation by Member States of the NIS Directive will be key, as they will be responsible for monitoring its implementation. He said that over the next three or four years, how implementation works for international companies will be closely monitored to ensure a fully European approach.

A question was asked on how Europe can compete with new players, for example from the US, which have less strict regulations regarding data protection and privacy in areas such as cloud computing, geo-localisation and analytics. Mr Mühleck said that Europe should offer high data regulation and security as a competitive advantage, so that data stored on a European territory under European rules should give users greater trust. Mr Aoki said that uniform and consistent reporting requirements are needed given the global nature of digital services providers: such requirements will assist in meeting the high level of trust and confidence that European customers demand, providing a regulatory framework that supports digital innovation.

Mr Purser wondered what might be the biggest future challenges to security in the financial industry. “Understanding where sensitive data is, prioritizing the investments, and protecting the critical infrastructure,” said Mr Argyle, while Mr Schröder sees the dynamic nature of data, which banks need to integrate in how they operate, as the key challenge. Mr Purser himself sees the challenge as getting the optimal balance between opportunity and risk. Mr Argyle agrees, and thinks that a bank needs to define its risk appetite up front, get buy-in, and then disseminate this across all business units.

In a delegate’s view, the biggest challenge is the Directive on Payment Services, in which the codes used to access a bank account could be openly transmitted to third-party providers. Mr Aoki pointed out that this Directive is still in the trialogue phase and clearly requires more work to be done on it. He also believes that it is important to move beyond traditional account credentials to other mechanisms that would allow for the appropriate level of sharing and control with third parties. Mr Schröder mentioned that authentication of users and how we deal with validation of individuals is certainly an important topic that needs to be addressed in the future.
