    Digital resilience and financial stability: the quest for policy tools in the financial sector

    As a result of the sweeping transition to a digitalised financial system, digital resilience has become a fundamental pillar of financial stability. Achieving digital resilience poses a broad range of regulatory challenges in responding to a complex combination of risks, consisting essentially of cyber (in)security and the concentration of computing resources in the cloud. This article presents the guiding principles of the new regulatory logic needed in the microprudential and macroprudential fields, highlighting its special features and their relationship to the exceptional combination of risks at stake in the area of digital resilience. It also discusses the need for instrumental innovations, such as greater use of circuit breakers, the singular role of cooperation in cybersecurity regulation, and the unique challenges raised by the regulatory perimeter of digital resilience.

    Fiddling on the Roof: Recent Developments in Cybersecurity

    Cyber Security and Risk Disclosure: A Literature Review for Theory and Practice

    Corporations and SMEs are facing ‘new’ external and internal pressures, which frequently result in modifications to their corporate governance structures and accounting/reporting systems. Because of the digital transformation, the environment – be it real or virtual – in which these companies operate has changed significantly. Business operations are a key component of human development all over the world – not only financially – and their influence on societal and environmental conditions, as well as the need to preserve them, is essentially undeniable. However, these operations increasingly suffer cyber-attacks that are genuine causes of disruptions and breakdowns, eluding both government inspection and sophisticated corporate control systems. The concepts of governance, internal control and accountability are critical for protecting sustainable business activities from cyber-attacks, and their effectiveness arguably depends on corporations’ ability to govern themselves well and to demonstrate accountability to their many stakeholders (across their entire value chain), also in relation to cyber dynamics. This should be accomplished by implementing well-accepted governance system standards that are globally harmonised with ‘Environment, Social and Governance’ (ESG) reporting and with performance measurement tools capable of strategically assessing risk exposure and providing forward-looking information at multiple levels. Few studies have adequately explored these issues in this defining setting, and because of the contrasting evidence in the extant literature, there is still no undisputed identification of effective measurement, reporting and disclosure systems for anticipating and/or neutralising cyber risk and cyber crime.

    A survey on the cyber security of Small-to-Medium businesses: Challenges, research focus and recommendations

    Small-to-medium sized businesses (SMBs) constitute a large fraction of many countries’ economies, but according to the literature SMBs are not adequately implementing cyber security, which leaves them susceptible to cyber-attacks. Furthermore, research in cyber security is rarely focused on SMBs, despite their representing a large proportion of businesses. In this paper we review recent research on the cyber security of SMBs, with a focus on how this research aligns with the popular NIST Cyber Security Framework (CSF). From the literature we also summarise the key challenges SMBs face in implementing good cyber security and conclude with key recommendations on how to implement it. We find that research in SMB cyber security consists mainly of qualitative analysis and is narrowly focused on the Identify and Protect functions of the NIST CSF, with very little work on the other functions. SMBs should have the ability to detect, respond to and recover from cyber-attacks, and if research is lacking in those areas, SMBs may have little guidance on how to act. Future research in SMB cyber security should be more balanced, and researchers should adopt well-established quantitative research approaches to refine and test findings, while governments and academia are urged to invest in incentivising researchers to broaden their research focus.

    Revista de Estabilidad Financiera. Nº 43 (autumn 2022)

    That Was Close! Reward Reporting of Cybersecurity “Near Misses”

    Building, deploying, and maintaining systems with sufficient cybersecurity is challenging. Faster improvement would be valuable to society as a whole. Are we doing as much as we can to improve? We examine the robust and long-standing systems for learning from near misses in aviation, and propose the creation of a Cyber Safety Reporting System (CSRS). To support this argument, we examine the liability concerns which inhibit learning, including both civil and regulatory liability. We look at the way cybersecurity engineering and science is done today, and propose that a small amount of ‘policy entrepreneurship’ could have a substantial positive impact. We close by considering how a CSRS should be organized and housed.

    Operational Technology Preparedness: A Risk-Based Safety Approach to Scoping Security Tests for Cyber Incident Response and Recovery

    Following the advent of Industry 4.0, industrial process optimisation has benefited significantly from increased interconnectivity and the integration of Information Technology (IT) and Operational Technology (OT). However, this has also enlarged the attack surface available to cyber threat actors. A growing number of cyber attacks on industrial environments, including Critical National Infrastructure, has subsequently been observed. In response, governments and standardisation organisations alike have invested considerable resources in improving the cyber security of these environments. This includes response and recovery, often used as a last line of defence against cyber attacks. However, because of the unique design philosophies of Industrial Control Systems (ICS), several challenges exist in effectively securing these systems against digital threats. Through an analysis of the standards and guidelines used for assessing and improving cyber incident response and recovery capabilities, and through stakeholder engagement on how these are implemented in practice, this thesis first identifies the challenges that exist in preparing for cyber incidents targeting ICS/OT environments. In particular, risk management, which involves identifying, evaluating, and prioritising risks and finding solutions to minimise, monitor, and control them, was found to be essential for improving preparation for cyber incidents. Assurance techniques are used as part of risk management to generate evidence for making assurance claims about security. Alongside this, adversary-centric security tests such as penetration tests are used to evaluate and improve cyber resilience and incident response capabilities by emulating the actions of malicious actors. However, despite the benefits these provide, they are currently not implemented to their full potential because of the safety and operational risks present in ICS/OT environments.
    This thesis contributes to academic and industry knowledge by proposing a framework that incorporates methods for identifying and quantifying the safety and operational risks of conducting adversary-centric security tests within ICS/OT environments. Once the risks are understood, these engagements can be scoped with precise constraints so as to maximise the depth of testing while minimising risk to safety and to the operational process. The framework is then evaluated through a qualitative study involving industry experts, confirming its validity for implementation in practice.