Analyses focus on current issues of particular relevance to Danmarks Nationalbank’s objectives. The analyses may also contain Danmarks Nationalbank’s recommendations. They include our projections for the Danish economy and our assessment of financial stability. Analyses are targeted at people with a broad interest in economic and financial matters.

Cyber security
No. 9

Improved cyber maturity in the financial sector

Danmarks Nationalbank’s latest cyber resilience survey indicates that the financial sector in Denmark has an increased level of maturity, but with variations across companies. The development in the capabilities and tactics of cyber criminals, as well as greater uncertainty about the threat level, means that continuous work is needed. In some companies, management can step up its cyber security efforts further, and the focus on data protection and the capability to recover can be increased.



Key messages

Serious cyber attacks may pose a threat to the individual financial institutions’ continued existence and may, in a worst-case scenario, threaten financial sector stability. This may occur if a serious cyber attack disables critical business systems or destroys systems and/or data, thus preventing the performance of key business activities in the financial sector. Serious cyber attacks may have major consequences in the form of a loss of trust in both individual financial institutions and the financial system as a whole.

“Danmarks Nationalbank and the financial sector work to ensure financial stability.”

 

One of Danmarks Nationalbank’s overall objectives is to work for financial sector stability. To meet this objective, Danmarks Nationalbank uses a number of instruments, including a questionnaire survey on cyber resilience in the financial sector. The survey provides a snapshot of the cyber resilience of the sector, based on the respondents’ reporting of their own security levels.

Fourth survey on cyber resilience in the financial sector

At the end of 2022, Danmarks Nationalbank collected data for its fourth survey on cyber resilience in the financial sector. Previous surveys were conducted in 2016, 2018 and 2020, see box 1. Cyber resilience in the sector has increased since 2016. The first surveys generally indicated a need to work with governance, including a need to prepare a strategy and implement a good framework for working with cyber security. They also pinpointed a need to identify and map critical business activities and underlying assets etc. These activities fall under the ‘identify’ function of the NIST Cybersecurity Framework. At the present time, and given that the sector has become more resilient and has, for example, identified and mapped critical systems and data in greater detail, there is a better basis for making decisions about how systems and data are to be protected (the NIST ‘protect’ function), how to detect and respond to incidents (the NIST ‘detect’ and ‘respond’ functions), and what measures are needed to recover systems and data (the NIST ‘recover’ function). The sector is therefore currently much better geared to further strengthening the work with recovery plans. The survey indicates a need for this, see the section on the board of directors’ and executive management’s responsibility for crisis management, response and recovery plans.

Since Danmarks Nationalbank started conducting cyber resilience surveys, the threat scenario has changed, and the criminals are countering strengthened security measures by adopting new and more sophisticated methods and tools. Also, the degree of specialisation of IT criminals is increasing, with different groups becoming increasingly skilled in specific areas.

The Centre for Cyber Security (CFCS) assesses that the threat from cybercrime against the financial sector is very high, and the threat from activism and cyber espionage, respectively, is assessed to be high. The most skilled criminals are becoming increasingly specialised and are continuously adopting more sophisticated methods, and it is not possible to ensure full protection against serious cyber attacks. Russia’s invasion of Ukraine has also led to increased security policy concerns, which means that cyber threat levels can change rapidly in case of a deterioration in relations between NATO and Russia.

Given the increased uncertainty and the impossibility of ensuring complete protection against all attacks, it is important that the financial sector continues to focus on increasing its cyber resilience and on mitigating the impacts of cyber attacks.

Box 1

Survey on cyber resilience in the financial sector

Danmarks Nationalbank’s survey on cyber resilience among core players in the financial sector was conducted at the end of 2022 under the auspices of the Financial Sector forum for Operational Resilience (FSOR). The FSOR is a public-private collaboration forum in the financial sector and its objective is to enhance operational resilience across the sector, including resilience to cyber attacks. The survey is a questionnaire survey conducted among the FSOR’s members, and its objective is to provide a snapshot of the current level of cyber resilience among the core players in the Danish financial sector. Respondents report their own level of resilience, and there is no verification of the responses given. The results in this article are based on responses from 18 systemically important banks, mortgage credit institutions, data centres and financial infrastructure companies that participated in the survey.

The questionnaire from 2022 contains more detailed response options than the previous surveys, having been further developed based on the questions from Danmarks Nationalbank’s survey in 2020. The response options in the 2022 survey have been divided into a larger number of more specific subcategories than previously.

The questionnaire

The questionnaire contains 41 cyber security questions with a total of 314 response options that can be ticked. The questionnaire covers the functions ‘identify’, ‘protect’, ‘detect’, ‘respond’ and ‘recover’. The functions are based on the NIST Cybersecurity Framework, an American framework setting standards and providing recommendations for the cyber security work of organisations. The respondents’ responses indicate their level of cyber security resilience, based on how formalised, consistent and risk-based their approach is.

Elements of the survey and their purpose

The survey indicates a mature financial sector with scope for improvements

Danmarks Nationalbank’s processing of data from the survey on cyber resilience in the financial sector indicates an improvement in the level of maturity, but with variations across responses and areas. Cyber security issues have been identified that indicate scope for improvement for several of the respondents in the categories ‘identify’, ‘protect’, ‘detect’, ‘respond’ and ‘recover’, see box 1. These matters are described in more detail below.

For some respondents, their board of directors and executive management need to focus even more on cyber security

It is important that the company’s senior management, i.e. the board of directors and the executive management, are committed to and assume responsibility for the cyber security work. This is a prerequisite for an organisation to have the right focus on the importance of cyber resilience. The senior management must obviously make their expectations clear to managers and employees in the relevant areas, thereby ensuring that the executive management and the board of directors are in a position to make informed and well-considered cyber security decisions based on an adequate picture of the risk landscape and to allocate sufficient resources to this area.

A company’s board of directors and executive management should have a strategy with a clearly defined framework and objectives. Moreover, the strategy should be tangible, which can, for example, be ensured by the senior management defining overall objectives that managers and employees can turn into more concrete projects and activities. Projects and activities should then be approved by the senior management, which must be kept informed about progress as input for ongoing follow-up and discussion of the cyber security area.

The cyber resilience survey shows that such management anchoring has increased significantly in the financial sector since Danmarks Nationalbank conducted its first cyber resilience survey in 2016, where nearly half the respondents did not yet have a cyber security strategy and had not involved their board of directors in this matter. In many organisations, it was simply assumed that the board of directors and the executive management understood and were aware of their roles and responsibilities in relation to cyber security.

The surveys on cyber resilience in the financial sector indicate that respondents from organisations in which responsibility for cyber security is well anchored in the executive management and the board of directors also have a higher resilience level in terms of protecting themselves against cyber attacks and in detecting and responding to potential attacks.

It is therefore reassuring that the latest survey indicates that responsibility for the cyber security area is generally anchored in the senior management and that the cyber security work is supported by a fixed framework of policies, procedures and control measures. Risks are generally managed and reported to a high management level.

However, there is still scope for improvement among some respondents, for example when it comes to anchoring of responsibility at the highest management level. Several respondents have not specified that the board of directors is responsible for the organisation’s cyber security, nor is it ensured that the manager in charge of cyber security has direct access to the board of directors. For some respondents, it may also be relevant to consider whether the board of directors and the executive management are provided with sufficient cyber security information in their decision-making.

Strong data and system access control can be further strengthened for some respondents

Identity and user management and access control are a fundamental and essential part of protecting organisations against criminals accessing and moving through their systems. The management of access control measures is therefore essential, and as part of it, it must be ensured that user rights are granted solely on the basis of work-related needs.

Systematic – and preferably system-supported – control of assigned user rights, creation and deletion of users, assignment of user rights and use of multi-factor authentication when accessing critical data increase the probability of detecting and stopping malicious attempts to gain unauthorised access.

In conformity with previous surveys, the cyber resilience survey indicates that the respondents have the basic foundation in place for assigning and controlling user rights. Users are granted access solely based on work-related needs, and, for work areas of critical importance to business activities, further measures are in place to make it even more difficult for criminals to access these areas.

Several respondents can further increase their resilience through the increased use of multi-factor authentication. In addition, the resilience of individual respondents can be increased by establishing clear procedures for the administration and deletion of users with accompanying documentation.
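The controls described above (rights granted only on work-related need, multi-factor authentication for access to critical data, and documented deletion of users) can be made system-supported with a periodic access review. The following is an added example and is not code from Danmarks Nationalbank or any respondent; the role definitions, the list of critical systems, the user records and the review date are all constructed for illustration.

```python
"""Periodic access-rights review: least privilege, MFA on critical data, stale accounts.

Added example, not part of the original analysis. All roles, systems and
user records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed: the entitlements each job role needs for its work.
# Anything beyond this is not justified by a work-related need.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "teller": {"core-banking:read"},
    "payments-ops": {"core-banking:read", "payments:submit"},
    "dba": {"core-banking:admin", "payments:admin"},
}

# Constructed: systems holding critical data, where MFA is expected.
CRITICAL_SYSTEMS = {"core-banking", "payments"}


@dataclass
class User:
    name: str
    role: str
    rights: Set[str]          # entitlements actually granted, "system:permission"
    mfa_enabled: bool
    left_on: Optional[date] = None   # set by HR when the employee has left


def review_user(user: User, today: date) -> List[str]:
    """Return the findings for one account; an empty list means it passes."""
    findings = []

    # 1. Least privilege: granted rights must be covered by the role's needs.
    excess = user.rights - ROLE_ENTITLEMENTS.get(user.role, set())
    if excess:
        findings.append(f"rights beyond role '{user.role}': {sorted(excess)}")

    # 2. MFA: any right on a critical system requires multi-factor authentication.
    touches_critical = any(r.split(":")[0] in CRITICAL_SYSTEMS for r in user.rights)
    if touches_critical and not user.mfa_enabled:
        findings.append("access to critical data without multi-factor authentication")

    # 3. Leaver process: accounts of departed employees must have been deleted.
    if user.left_on is not None and user.left_on <= today:
        days = (today - user.left_on).days
        findings.append(f"account still exists {days} days after leaving")

    return findings


def review_all(users: List[User], today: date) -> Dict[str, List[str]]:
    """Run the review over every account; the result is the evidence for the control."""
    return {u.name: review_user(u, today) for u in users}


# Constructed sample accounts exercising each check.
SAMPLE_USERS = [
    User("alice", "teller", {"core-banking:read"}, mfa_enabled=True),
    User("bob", "teller", {"core-banking:read", "payments:submit"}, mfa_enabled=True),
    User("carol", "payments-ops", {"core-banking:read", "payments:submit"}, mfa_enabled=False),
    User("dave", "dba", {"core-banking:admin", "payments:admin"}, mfa_enabled=True,
         left_on=date(2022, 10, 15)),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_USERS, date(2022, 12, 1)).items():
        print(name, "OK" if not findings else findings)
```

Running the review on a schedule and keeping its output gives the documentation that the survey asks for: each finding points either to a right that no work-related need justifies, to critical access lacking MFA, or to an account the leaver process missed.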

Extra protection for key employees with special user rights may increase resilience

The employees’ knowledge and awareness of cyber threats are an important part of a company’s cyber security which can be supported by training and education in cyber security. For people with criminal intentions, employees can be a potential gateway to systems and data that the criminals regularly try to exploit via, for example, phishing and malware.

Key employees who have been granted special user rights and access should be a particular focus area for companies, as their user rights and accesses may be particularly attractive targets for criminals. In conformity with previous surveys, this survey shows that there is scope for improvement in the support provided for these employees.

Approximately half of the respondents in the 2022 survey will be able to reduce the risk of key employees being exploited by criminals by identifying these employees to a greater extent and organising relevant and targeted further education and cyber awareness training, and by addressing the need for other measures targeted at such key employees’ roles and functions. In addition, it is important to update education and awareness programmes regularly, so that they reflect the latest knowledge and most recent threat scenario, and to follow up on whether the design of the programmes has the desired effect on employee behaviour.

Furthermore, several of the respondents do not have a succession plan for replacing key employees with special user rights, access and knowledge. Such a plan will reduce the risk of the company losing critical competences and the in-depth understanding of the company’s critical functions and associated risks that key employees possess.

Overview of communication lines and data is fundamental for network and data protection

Data protection hampers malicious attempts to perform compromising actions. The survey indicates that the respondents protect their networks and data to a high degree.

In order to prioritise and introduce the right protection, it is important to have an overview of communication lines and data. Network mapping is, for example, the basis for segregation of networks and the introduction of control measures as protection against insiders and criminals who have breached external defences.

The 2018 survey revealed that the mapping of critical business areas could be improved for several respondents by including underlying information assets, system interconnectedness and data in the mapping process. Since then, the respondents have acquired a much better overview of these issues. However, this survey shows that half of the respondents could expand the mapping of their company’s communication and data flows. An overview of the activity will make it easier to decide which activities need protecting most. In the event of a cyber attack, the criminal activity can be detected more quickly because it will typically deviate from the normal traffic.
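The two uses of a communication-flow map named above, segregating networks and spotting traffic that deviates from the normal pattern, can be shown in one small detector. The code below is an added example and not code from the original analysis or from any respondent; the network zones, the segmentation rule, the flow-record format and all flow records are constructed for illustration.

```python
"""Zone-level flow baseline and deviation detection.

Added example, not part of the original analysis. Zones, the segmentation
rule and the flow records are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed network map: zone name -> address range.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/16"),
    "core": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed segmentation rule derived from the map: only these
# (source zone, destination zone) pairs may communicate at all.
ALLOWED_ZONE_PAIRS = {
    ("office", "office"), ("dmz", "dmz"), ("core", "core"),
    ("office", "dmz"), ("dmz", "core"),
}

FlowKey = Tuple[str, str, int]   # (source zone, destination zone, port)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Dict:
    """Constructed record format: '<timestamp> <src-ip> <dst-ip> <dst-port>'."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}


def flow_key(flow: Dict) -> FlowKey:
    return (zone_of(flow["src"]), zone_of(flow["dst"]), flow["port"])


def build_baseline(lines: List[str]) -> Set[FlowKey]:
    """The normal traffic: every zone-to-zone-port combination seen in a known-good period."""
    return {flow_key(parse_flow(line)) for line in lines}


def detect_deviations(lines: List[str], baseline: Set[FlowKey]) -> List[Tuple[str, str]]:
    """Flag flows that break segmentation, then flows never seen in the baseline."""
    alerts = []
    for line in lines:
        key = flow_key(parse_flow(line))
        if (key[0], key[1]) not in ALLOWED_ZONE_PAIRS:
            alerts.append(("segmentation-violation", line))
        elif key not in baseline:
            alerts.append(("new-flow", line))
    return alerts


# Constructed known-good traffic used to learn the baseline.
BASELINE_FLOWS = [
    "2022-11-01T09:00:00 10.10.4.7 10.20.1.5 443",
    "2022-11-01T09:05:00 10.20.1.5 10.30.2.9 5432",
    "2022-11-01T09:07:00 10.10.4.8 10.20.1.5 443",
]

# Constructed later traffic to evaluate.
NEW_FLOWS = [
    "2022-12-01T03:12:00 10.10.4.7 10.20.1.5 443",      # normal
    "2022-12-01T03:13:00 10.10.4.7 10.30.2.9 22",       # office straight into core
    "2022-12-01T03:14:00 10.20.1.5 10.30.2.9 3389",     # allowed pair, unseen port
    "2022-12-01T03:15:00 10.30.2.9 203.0.113.5 443",    # core talking outwards
]

if __name__ == "__main__":
    for kind, line in detect_deviations(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(kind, line)
```

Working at zone level rather than on individual addresses keeps the baseline small and ties each alert directly to the network map, so the first alert type is a segmentation control and the second is a prompt to extend the map or investigate.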

Use of updated knowledge about cyber threats in the management’s decision-making supports the handling of threats and vulnerabilities

Monitoring and responding to network alarms and incidents is important in detecting and combating a cyber attack. You can further improve the possibilities of fending off attacks by incorporating knowledge about current cyber threats (cyber threat intelligence). It is also a good idea for cyber threat intelligence to be used by the management – as part of the overall risk scenario – when cyber security decisions are to be made at strategic and tactical levels.

Compared to the survey in 2020, the survey respondents have become better at using knowledge about cyber threats and vulnerabilities, and almost all respondents also have employees who can handle cyber attacks 24 hours a day. Additionally, vulnerability scans are widely used to identify threats and vulnerabilities.

In conformity with previous surveys, however, the 2022 survey shows that a number of respondents could increase their resilience through greater use of cyber threat intelligence as part of management decision-making processes. Clear processes for the use of cyber threat intelligence as part of management decision-making processes will support the implementation of the right measures in the organisation when new risks are detected.

The board of directors and the executive management are responsible for concrete crisis management and response and recovery plans

Well-described crisis management plans and response procedures dedicated to cyber incidents and coordinated and tested with internal and external stakeholders provide the best basis for effectively handling a serious cyber incident. The same applies to recovery plans if required as a result of the incident.

It is important that the plans are clear and specific, with a clear division of responsibilities and roles. Mapping of business functions, the supporting technology and associated processes is an important prerequisite for this. Building on this, it is important to include an assessment of the criticality of business functions, so that it can be prioritised in which order and within what expected timeframe the most critical systems are to be recovered.
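The ordering and timeframe question raised above has a concrete form: a recovery sequence must respect technical dependencies (a system cannot be restored before what it relies on), prefer the most critical business functions among those ready to restore, and show whether the resulting finish times fit the expected timeframe per criticality tier. The code below is an added example and not part of the original analysis; the system inventory, dependencies, restore durations and the timeframes per tier are constructed, and a single restore team working sequentially is assumed.

```python
"""Dependency-aware recovery sequencing with a timeframe check per criticality tier.

Added example, not part of the original analysis. The inventory, restore
durations and tier timeframes are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory from a (hypothetical) mapping of business functions
# to supporting systems: tier 1 is most critical.
SYSTEMS: Dict[str, Dict] = {
    "identity":       {"tier": 1, "restore_hours": 2, "depends_on": []},
    "core-banking":   {"tier": 1, "restore_hours": 6, "depends_on": ["identity"]},
    "payments":       {"tier": 1, "restore_hours": 5, "depends_on": ["identity", "core-banking"]},
    "online-banking": {"tier": 2, "restore_hours": 3, "depends_on": ["core-banking"]},
    "reporting":      {"tier": 3, "restore_hours": 5, "depends_on": ["core-banking"]},
}

# Constructed expected recovery timeframe (hours) per criticality tier.
HOURS_BY_TIER = {1: 12, 2: 24, 3: 72}


def recovery_order(systems: Dict[str, Dict]) -> List[str]:
    """Topological order (Kahn's algorithm); among systems whose dependencies are
    restored, the most critical tier goes first. Raises on unknown or circular deps."""
    indegree = {name: len(spec["depends_on"]) for name, spec in systems.items()}
    dependents = defaultdict(list)
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on unmapped system {dep}")
            dependents[dep].append(name)

    ready = [n for n, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (systems[n]["tier"], n))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(systems):
        raise ValueError("circular dependency in recovery plan")
    return order


def has_cycle(systems: Dict[str, Dict]) -> bool:
    try:
        recovery_order(systems)
        return False
    except ValueError:
        return True


def schedule(systems: Dict[str, Dict], hours_by_tier: Dict[int, int]) -> List[Tuple[str, int, int, bool]]:
    """Sequential restore by one team: (system, finish hour, timeframe, timeframe met)."""
    clock, rows = 0, []
    for name in recovery_order(systems):
        clock += systems[name]["restore_hours"]
        limit = hours_by_tier[systems[name]["tier"]]
        rows.append((name, clock, limit, clock <= limit))
    return rows


def missed(systems: Dict[str, Dict], hours_by_tier: Dict[int, int]) -> List[str]:
    """Systems whose finish time exceeds the timeframe for their tier."""
    return [name for name, _, _, ok in schedule(systems, hours_by_tier) if not ok]


if __name__ == "__main__":
    for name, finish, limit, ok in schedule(SYSTEMS, HOURS_BY_TIER):
        print(f"{name:15} done at {finish:2}h (limit {limit}h) {'ok' if ok else 'MISSED'}")
```

With the constructed numbers, `payments` finishes at hour 13 against a 12-hour timeframe, which is exactly the kind of gap a plan review is meant to surface before an incident: the remedy is a decision by management (parallel restore teams, a shorter restore path, or a revised timeframe), not something the ordering alone can fix.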

The survey shows that the respondents focus on crisis management and response and recovery planning, and many of them have implemented measures to enable them to address the consequences of serious cyber attacks more efficiently.

Since 2020, many of the respondents have thus developed their plans further to include matters relating to communication, an overview of business implications and IT emergency response for handling incidents as well as prior coordination with all relevant partners. Respondents have increased testing of their crisis management and response plans, where learning points are subsequently incorporated. In addition, the individual respondents have become more focused on preparing for a situation where it is necessary to restore the company’s systems and data.

The survey also indicates that a number of the respondents could continue their efforts to make their planning more specific and increase the focus on the area so that they are prepared for an extreme scenario where systems and data have to be recovered. Furthermore, for a number of the respondents responsibility for their crisis management and response and recovery plans has not been placed at executive management or board of directors level, where it should rightly be placed, see above on management anchoring.

The survey is used by the individual respondents and in the joint sectoral collaboration

The companies in the Danish financial sector are individually responsible for ensuring that their cyber resilience level is adequate and that they meet the requirements of applicable legislation and recognised standards. The financial companies work continuously to maintain and increase their operational resilience with particular focus on strengthening their resilience to cyber attacks.

In the Financial Sector forum for Operational Resilience (FSOR), Danmarks Nationalbank and the key players in the financial sector also work together to increase the cyber resilience of the sector.

Danmarks Nationalbank’s survey on cyber resilience in the financial sector is used by individual respondents and, at sector level, the results are included in the FSOR’s cyber security work.

The respondents have received individual feedback, which includes anonymised benchmarks and the respondent’s own responses on the topics presented in the analysis. The respondents thus receive input on potential scope for improvement. The survey is also used in the FSOR’s risk analysis, which identifies the greatest risks for the sector, and on which the FSOR’s work is based. The risk analysis determines the direction for the FSOR’s work with joint measures aimed at increasing cyber resilience in the sector. 

In addition, the surveys are discussed with relevant respondents as part of Danmarks Nationalbank’s oversight of the most important payment and settlement systems.

For further information about Danmarks Nationalbank and the FSOR’s work with operational resilience and cyber resilience, see Danmarks Nationalbank’s website (link).