What the ECB’s new cyber security rules mean for the industry

Palo Alto Networks’ Greg Day explains what the European Central Bank’s (ECB) new cyber security requirements mean for your business.

Not so long ago, banks debated the merits of offering free anti-virus software to their customers, concerned that drawing attention to risks customers couldn’t easily understand might scare them away from online services altogether.

Today, more than half of Europeans and nearly three quarters of UK consumers use mobile payments, according to research by Visa. We are embracing the digital world for all kinds of financial transactions, and it gives financial institutions the ability to process greater volumes of transactions faster and more efficiently.

It’s therefore little surprise that cyber attacks and computer fraud remain among the primary concerns of banks. In response to the evolving cyber threat to the industry, the ECB’s announcement requiring the banks it supervises to report all major cyber incidents shows the priority European regulators now place on this issue.

There’s a tension that dates back to the arrival of online banking in the nineties: how to make consumers safer while still maintaining their confidence in the digital services being offered. Today trust is still one of the most compelling reasons people use banks to store and move their money, so anything that could erode that trust is a concern for banks.

Historically, this has led many banks to keep cyber incidents as low-key as possible. However, with new EU legislation mandating that affected individuals must be notified when a breach of their personal data puts them at high risk, cyber breaches are about to become far more visible in the public domain.

This is a real opportunity. If we can get past the trust concerns, and the embarrassment that typically accompanies a breach, we can start to treat each incident as something the industry learns from collectively.

Similar to the data breach notifications under the upcoming General Data Protection Regulation (GDPR), the ECB’s announcement encourages transparency about the cyber attacks hitting financial organisations. The two have different aims, though: GDPR notification exists to protect citizens, whereas the ECB’s reporting is meant to give financial organisations shared insight into attacks so they can limit the commercial impact on the sector as a whole. If banks can focus on the real and relevant risks, and share the lessons learnt, they can prevent more attacks and push the whole industry to think differently.

In 2016, 68 per cent of large UK businesses identified at least one cyber security breach or attack. There is no shortage of cyber security tools to mitigate the problem, yet most industry reports show similar volumes of incidents still succeeding year after year. This is partly down to the growing scale of technology use, but a large part of it is down to humans.

But why humans? The reality is that while we keep producing more ways to protect our digital systems, we aren’t keeping pace in producing skilled cyber security staff. The gap is widened by the increasingly complex nature of cyber threats and of the technology they exploit, and by security practitioners’ own attachment to tools they have used for years and now find hard to let go of.

Identifying and containing today’s attacks means piecing together numerous elements to see the whole picture, like assembling a 1,000-piece jigsaw, with each security tool supplying only some of the pieces. The challenge is that it still takes a human to put the pieces together. Just as the technology we use evolves at great pace, so must the cyber security professionals who protect it.

Research from Palo Alto Networks into the upcoming GDPR found that most businesses simply didn’t assess their cyber security frequently enough, and most weren’t clear on what today’s “state of the art” cyber security capabilities actually were. All too often I hear IT professionals say, “When I put the right controls in place the adversary will go elsewhere.” Elsewhere may well be your neighbouring bank.

If we can truly collaborate, our goal should not be to make the adversary go elsewhere, but to leave them no place to go at all.

So, returning to the value of the ECB announcement: as humans we learn through experience, and the same goes for banks. That may mean learning how to put the pieces of the puzzle together faster, or understanding what current “state of the art” techniques and processes look like, and which tools support them.

By sharing best practice on how banks deal with adversaries, and the lessons learnt along the way, it really is possible to raise the cyber security bar. It’s equally important to keep automating security capabilities wherever possible, both to offset the skills shortage and to let defences evolve as quickly as the digital world they protect.

The ECB requirements are an opportunity to improve: by drawing on lessons learned, by being transparent, and by identifying the common components of attackers’ playbooks across incidents so that future attacks following the same pattern can be prevented.


Greg Day is vice president and chief security officer at Palo Alto Networks EMEA.


Photo © MPD01605 (CC BY-SA 2.0). Cropped.