Published: 20.09.2023 Updated: 05.11.2024

ICT security and cyber risk monitoring

Objective of ICT security and cyber risk monitoring

The objective of information and communication technology (ICT) security and cyber risk monitoring is to promote the availability of safe, secure, reliable and at the same time innovative financial services. Therefore, the digital operational resilience of the financial market is one of the supervisory priorities of Latvijas Banka. Market participants are tasked with developing and enhancing their capabilities to defend against growing and evolving cyber threats by strategically planning ICT protection and responding effectively to ICT vulnerabilities and security incidents, thereby ensuring the protection and viability of ICT. This includes both the necessary technological resources and the awareness and knowledge of the capabilities to protect themselves – both for the financial institution itself and for society at large.

Cyber threats

The European Union Agency for Cybersecurity (ENISA) has identified the following critical cyber threats as persistent challenges that may also pose risks to financial market participants:

  • distributed denial of service (DDoS) attacks and ransomware are the primary threats, followed by social engineering, data security threats, information manipulation, supply chain attacks, and malware;
  • the number of threat actors offering their professional expertise and capabilities as paid services (as a service) has increased significantly, for instance in the realm of financial fraud (fraud as a service). This trend allows new actors with no prior professional experience in financial fraud to engage in such activities;
  • attackers predominantly target public administration (~19%), followed by focused attacks on natural persons (~11%), the healthcare sector (~8%), the digital infrastructure (~7%), as well as the manufacturing, financial, and transport sectors;
  • information manipulation activities and campaigns still remain a central component of Russia's aggressive war against Ukraine and its supporters;
  • cyber criminals are increasingly targeting cloud infrastructures. While most often the motivation behind these actions is geopolitical, it also serves as an opportunity to broaden the scope of extortion operations. This expansion includes not only deploying ransomware but also directly targeting customers and their data;
  • the frequency of social engineering attacks is rising sharply, fuelled by the application of artificial intelligence to devise new methods; however, phishing remains the predominant attack vector.

DORA – the new ICT security framework for financial entities

Necessity to introduce DORA

DORA, or the Digital Operational Resilience Act, is Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector that entered into force on 17 January 2023.

The increased use of technology in the digitalisation process not only provides business opportunities for existing and new market participants, but also promotes a rise in risks. The framework aims to mitigate the risks associated with the digital transformation of the financial sector by setting common rules for all market participants. The rules apply to a wide range of financial institutions, including important ICT third-party service providers such as cloud service providers, telecommunication operators, software developers and other digital service providers.

Critical third-party service providers with cross-border reach and high concentration risk and systemic impact will be subject to centralised supervision at European level.

The categories of financial entities licensed in Latvia that must comply with the new framework from 17 January 2025 are:

  • credit institutions;
  • insurance corporations;
  • investment management companies;
  • investment firms;
  • insurance brokers that are large companies;
  • payment institutions;
  • electronic money institutions;
  • managers of alternative investment funds;
  • crowdfunding platforms;
  • central securities depositories;
  • crypto-asset service providers (after the adoption of the European Union regulation).

Regulatory framework under DORA

The DORA requirements are divided into five pillars and will be detailed in regulatory technical standards (RTS) and implementing technical standards (ITS), which are in the public consultation phase and are expected to be approved in 2024.

The first pillar of standards consists of essentially refined existing regulatory requirements and defines in detail two groups of standards.

The ICT Risk Management RTS set out harmonised requirements in relation to the existing risk framework for financial entities, based on the Guidelines on ICT and security risk management issued by the European Banking Authority.

The ICT incident reporting RTS are expected to harmonise the incident reporting framework, including incident classification and reporting requirements, and to establish a common reporting format.

ICT Risk Management Framework
  • RTS "Risk Management"
  • RTS "Simplified Risk Management"
  • Guidelines for calculating ICT losses

ICT Incident Reporting
  • RTS "Incident Classification"
  • RTS "Significant Incident Reporting"
  • RTS "Incident Reporting Specification"

DORA also includes three new regulatory areas with significant implications for financial entities:

  • risk management of third-party ICT providers – this is also expected to subject the third-party providers of critical ICT services of financial entities to regulatory requirements;
  • operational resilience testing – this is expected to harmonise and standardise digital operational resilience testing requirements – following a risk-based approach, companies should implement assessments, testing, methodologies, solutions and tools that are appropriate to the size, business and risk profile of the company;
  • European supervisory framework – this will ensure the overall functioning of the mechanism from a cross-border perspective and the supervision of critical third-party service providers by a single supervisor in cooperation with national competent authorities.

Digital resilience testing
  • RTS "Threat-Led Penetration Testing"

Risk management of third-party ICT providers
  • ITS "Supplier Information Register Form"
  • RTS "Supplier Use Policy"
  • RTS "Criticality Determination of Suppliers"

Framework for the monitoring of critical service providers
  • RTS "Harmonisation of Monitoring Conditions"
  • Guidelines for cooperation between national competent authorities and European supervisory authorities

DORA is directly applicable, but in order to provide a legal basis for supervision and to define the supervisory authorities and their responsibilities, the relevant amendments to the national framework are planned to be developed in Latvia in 2024 and submitted to the Ministry of Finance for approval (Laws and regulations | Ministry of Finance (fm.gov.lv)).

ICT governance challenges and opportunities

Digital transformation of the financial market

Digitisation processes are inevitably linked with challenges such as:

  • the organisation's ability to manage a sizeable portfolio of ICT projects;
  • testing new untried technologies;
  • lack of employee experience and knowledge;
  • managing the lifecycle of outdated technologies;
  • cross-border cooperation with suppliers.

When embarking on ambitious digitisation projects, an organisation's management structure has to cultivate a risk management culture that includes development through cutting-edge and innovative technologies, such as artificial intelligence.

The cornerstone of this risk culture is effective communication across all levels of the organisation about digital transformation projects. This entails clear accountability for risks, managing and monitoring them against defined criteria, while also allowing digital transformation initiatives to be evaluated.

The risk management culture can be enhanced by implementing targeted programmes, such as innovation laboratories, where participants can directly observe the opportunities and risks associated with technologies.

As financial market services continue to advance in digitisation, the potential threats and damage from cyberattacks escalate. However, regardless of the amount of resources invested in securing ICT infrastructure, it should be assumed that it will never be entirely impervious to threats, and vulnerabilities will always persist.