ICT security and cyber risk monitoring
Objective of ICT security and cyber risk monitoring
The objective of information and communication technology (ICT) security and cyber risk monitoring is to promote the availability of safe, secure, reliable and at the same time innovative financial services. Therefore, the digital operational resilience of the financial market is one of the supervisory priorities of Latvijas Banka. Market participants are tasked with developing and enhancing their capabilities to defend against growing and evolving cyber threats by strategically planning ICT protection and responding effectively to ICT vulnerabilities and security incidents, thereby ensuring the protection and viability of ICT. This includes both the necessary technological resources and the awareness and knowledge needed to protect themselves – both for the financial institution itself and for society at large.
Cyber threats
The European Union Agency for Cybersecurity (ENISA) has identified the following critical cyber threats as persistent challenges that may also pose risks to financial market participants:
- distributed denial of service (DDoS) attacks and ransomware are the primary threats, followed by social engineering, data security threats, information manipulation, supply chain attacks, and malware;
- the number of threat actors offering their professional expertise and capabilities as paid services (as a service) has increased significantly, for instance in the realm of financial fraud (fraud as a service). This trend allows new actors with no prior professional experience in financial fraud to engage in such activities;
- attackers predominantly target public administration (~19%), followed by focused attacks on natural persons (~11%), the healthcare sector (~8%), the digital infrastructure (~7%), as well as the manufacturing, financial, and transport sectors;
- information manipulation activities and campaigns still remain a central component of Russia's aggressive war against Ukraine and its supporters;
- cyber criminals are increasingly targeting cloud infrastructures. While most often the motivation behind these actions is geopolitical, it also serves as an opportunity to broaden the scope of extortion operations. This expansion includes not only deploying ransomware but also directly targeting customers and their data;
- the frequency of social engineering attacks is rising sharply, fuelled by the application of artificial intelligence to devise new methods; however, phishing remains the predominant attack vector.
DORA – the new ICT security framework for financial entities
Necessity to introduce DORA
DORA, or the Digital Operational Resilience Act, is Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector that entered into force on 17 January 2023.
The increased use of technology in the digitalisation process not only provides business opportunities for existing and new market participants, but also increases risks. The framework aims to mitigate the risks associated with the digital transformation of the financial sector by setting common rules for all market participants. The rules apply to a wide range of financial institutions, including important ICT third-party service providers such as cloud service providers, telecommunication operators, software developers and other digital service providers.
Critical third-party service providers with cross-border reach and high concentration risk and systemic impact will be subject to centralised supervision at European level.
The categories of financial entities licensed in Latvia that must comply with the new framework from 17 January 2025 are:
- credit institutions;
- insurance corporations;
- investment management companies;
- investment firms;
- insurance brokers that are large companies;
- payment institutions;
- electronic money institutions;
- managers of alternative investment funds;
- crowdfunding platforms;
- central securities depositories;
- crypto-asset service providers (after the adoption of the European Union regulation).
Regulatory framework under DORA
The DORA requirements are divided into five pillars and will be detailed in regulatory technical standards (RTS) and implementing technical standards (ITS), which are in the public consultation phase and are expected to be approved in 2024.
The first pillar of standards consists essentially of refined existing regulatory requirements and defines in detail two groups of standards.
The ICT Risk Management RTS set out harmonised requirements in relation to the existing risk framework for financial entities, based on the Guidelines on ICT and security risk management issued by the European Banking Authority.
The Incident Classification RTS are expected to harmonise the incident reporting framework, including incident classification and reporting requirements, and establish a common reporting format.
| ICT Risk Management Framework | ICT Incident Reporting |
| --- | --- |
| RTS "Risk Management" | RTS "Incident Classification" |
DORA also includes three new regulatory areas with significant implications for financial entities:
- risk management of third-party ICT providers – this is also expected to subject the third-party providers of critical ICT services of financial entities to regulatory requirements;
- operational resilience testing – this is expected to harmonise and standardise digital operational resilience testing requirements; following a risk-based approach, companies should implement assessments, testing, methodologies, solutions and tools that are appropriate to the size, business and risk profile of the company;
- European supervisory framework – this will ensure the overall functioning of the mechanism from a cross-border perspective and the supervision of critical third-party service providers by a single supervisor in cooperation with national competent authorities.
| Digital resilience testing | Risk management of third-party ICT providers | Framework for the monitoring of critical service providers |
| --- | --- | --- |
| RTS "Threat-Led Penetration Testing" | ITS "Supplier Information Register Form" | RTS "Harmonisation of Monitoring Conditions" |
DORA is directly applicable, but in order to provide a legal basis for supervision and to define the supervisory authorities and their responsibilities, the relevant amendments to the national framework are planned to be developed in Latvia in 2024 and submitted to the Ministry of Finance for approval (Laws and regulations | Ministry of Finance (fm.gov.lv)).
ICT governance challenges and opportunities
Digital transformation of the financial market
Digitisation processes are inevitably linked with challenges such as:
- the organisation's ability to manage a sizeable portfolio of ICT projects;
- testing new untried technologies;
- lack of employee experience and knowledge;
- managing the lifecycle of outdated technologies;
- cross-border cooperation with suppliers.
When embarking on ambitious digitisation projects, an organisation's management structure has to cultivate a risk management culture that includes development through cutting-edge and innovative technologies, such as artificial intelligence.
The cornerstone of this risk culture is effective communication across all levels of the organisation about digital transformation projects. This entails clear accountability for risks, managing and monitoring them based on defined criteria, while also allowing for the evaluation of digital transformation initiatives.
The risk management culture can be enhanced by implementing targeted programmes, such as innovation laboratories, where participants can directly observe the opportunities and risks associated with technologies.
As financial market services continue to advance in digitisation, the potential threats and damage from cyberattacks escalate. However, regardless of the amount of resources invested in securing ICT infrastructure, it should be assumed that it will never be entirely impervious to threats, and vulnerabilities will always persist.
Impact, opportunities, and challenges of geopolitical threats in combating cyber threats
Data compiled by the information technology security incident response institution CERT.LV, which tracks attacks on various European institutions, reveal that Latvia holds the 2nd position in terms of incident frequency, trailing only behind Poland. Overall, the scale of attacks on the public sector has surged by at least four times, with each attack typically lasting on average about ten hours and disrupting access to the targeted site. However, these attacks can also persist for several days and even weeks.
Moreover, it is crucial to recognise that distributed denial of service (DDoS) attacks are becoming increasingly sophisticated, requiring a more innovative approach to effectively counter them.
Organisations concerned with national security have observed a trend of anti-state individuals and organisations willingly channelling their information technology (IT) resources to various foreign groups. These groups then use these resources to execute a wide array of malicious activities in cyberspace, including DDoS attacks.
In addition, customers who use remote services also remain exposed to phishing campaigns and ransomware attacks, as the nature of cyberattacks changes at an accelerated pace. Amid rising geopolitical tensions, artificial intelligence solutions and cloud services are increasingly being integrated into attackers' arsenal, enabling more sophisticated attacks while enhancing their methods for social engineering attacks and the effectiveness of ransomware.
Latvia is adapting to the changing geopolitical environment and incorporating the financial sector into its national cybersecurity strategies. The relevant threat scenarios are being analysed, including major attacks on the financial infrastructure, given that the financial sector has to ensure the provision of critical services to society at least at a minimum level.
The maintenance of both outdated and new IT infrastructure poses challenges, with deficiencies in managing IT security vulnerabilities within financial institutions emerging as a primary source of risk. Moreover, with the substantial rise in the number of discovered zero-day vulnerabilities and their exploitation in attacks, it is crucial to promptly address deficiencies and gaps in the vulnerability management process to reduce both the probability and impact of such risks.
Supply chains, which remain a major source of threats, also present challenges due to the substandard quality of outsourced services and the inadequate security measures of the providers delivering them. Therefore, timely identification of outsourcing providers and suppliers, coupled with the assessment of the risks associated with this collaboration, is an integral element of the internal control system. This is crucial for managing risks associated with the use of insecure technologies, insufficiently effective security measures, and potential geopolitical threats arising from such collaboration.
As the number of incidents involving ransomware and extortion stemming from data breaches continues to increase, it is crucial to consider the potential use of artificial intelligence-driven threat tools alongside malware. Although they have not yet made a game-changing impact, this does not preclude the possibility of a paradigm shift occurring in the near future.
The prevailing threat level will endure, with ongoing attacks on the availability of core services, particularly due to Latvia's intense support provided to Ukraine. At the same time, the risk to information integrity will increase, with the potential adoption of hybrid warfare tactics reminiscent of those employed in Ukraine. According to national security services, the intensification of foreign intelligence activities will extend risks beyond the confidentiality of classified information to include a broader spectrum of influential communication and propaganda. These efforts will target the Latvian financial market, with the aim of discrediting it and eroding customer confidence in its stability.
However, it is also crucial to consider the underestimated probability of internal threats as incidents frequently stem from deficiencies in change management processes or errors within information systems. Therefore, it is imperative to swiftly address and rectify these deficiencies and gaps in the change management process to reduce the likelihood and impact of such risks.