Published: 20.09.2023 Updated: 30.07.2024

ICT security and cyber risk monitoring

Objective of ICT security and cyber risk monitoring

The objective of information and communication technology (ICT) security and cyber risk monitoring is to promote the availability of safe, secure, reliable and at the same time innovative financial services. Therefore, the digital operational resilience of the financial market is one of the supervisory priorities of Latvijas Banka. Market participants are tasked with developing and enhancing their capabilities to defend against growing and evolving cyber threats by strategically planning ICT protection and responding effectively to ICT vulnerabilities and security incidents, thereby ensuring the protection and viability of ICT. This requires both the necessary technological resources and the awareness and knowledge of how to protect oneself, on the part of the financial institution itself and of society at large.

Cyber threats

The European Union Agency for Cybersecurity (ENISA) has identified the following critical cyber threats as persistent challenges that may also pose risks to financial market participants:

  • distributed denial of service (DDoS) attacks and ransomware are the primary threats, followed by social engineering, data security threats, information manipulation, supply chain attacks, and malware;
  • the number of threat actors offering their professional expertise and capabilities as paid services (as a service) has increased significantly, for instance in the realm of financial fraud (fraud as a service). This trend allows new actors with no prior professional experience in financial fraud to engage in such activities;
  • attackers predominantly target public administration (~19%), followed by focused attacks on natural persons (~11%), the healthcare sector (~8%), the digital infrastructure (~7%), as well as the manufacturing, financial, and transport sectors;
  • information manipulation activities and campaigns still remain a central component of Russia's aggressive war against Ukraine and its supporters;
  • cyber criminals are increasingly targeting cloud infrastructures. While most often the motivation behind these actions is geopolitical, it also serves as an opportunity to broaden the scope of extortion operations. This expansion includes not only deploying ransomware but also directly targeting customers and their data;
  • the frequency of social engineering attacks is rising sharply, fuelled by the application of artificial intelligence to devise new methods; however, phishing remains the predominant attack vector.

ICT governance challenges and opportunities

Digital transformation of the financial market

Digitisation processes are inevitably linked with challenges such as:

  • the organisation's ability to manage a sizeable portfolio of ICT projects;
  • testing new untried technologies;
  • lack of employee experience and knowledge;
  • managing the lifecycle of outdated technologies;
  • cross-border cooperation with suppliers.

When embarking on ambitious digitisation projects, an organisation's management has to cultivate a risk management culture that also covers development using cutting-edge and innovative technologies, such as artificial intelligence.

The cornerstone of this risk culture is effective communication across all levels of the organisation about digital transformation projects. This entails clear accountability for risks and their management and monitoring against defined criteria, while also allowing digital transformation initiatives to be evaluated.

The risk management culture can be enhanced by implementing targeted programmes, such as innovation laboratories, where participants can directly observe the opportunities and risks associated with technologies.

As financial market services continue to advance in digitisation, the potential threats and damage from cyberattacks escalate. However, regardless of the amount of resources invested in securing ICT infrastructure, it should be assumed that it will never be entirely impervious to threats, and vulnerabilities will always persist.

Impact, opportunities, and challenges of geopolitical threats in combating cyber threats

Data compiled by CERT.LV, the information technology security incident response institution, which tracks attacks on institutions across Europe, show that Latvia ranks second in incident frequency, behind only Poland. Overall, the scale of attacks on the public sector has grown at least fourfold; a typical attack lasts about ten hours and disrupts access to the targeted site, but attacks can also persist for several days and even weeks.

Moreover, it is crucial to recognise that DDoS attacks are becoming increasingly sophisticated and require a more innovative approach to counter them effectively.

National security authorities have observed a trend of anti-state individuals and organisations willingly making their information technology (IT) resources available to various foreign groups, which then use those resources to execute a wide array of malicious activities in cyberspace, including DDoS attacks.

In addition, the customers that use remote services also remain exposed to phishing campaigns and ransomware attacks, as the nature of cyberattacks changes at an accelerated pace. Amid rising geopolitical tensions, artificial intelligence solutions and cloud services are increasingly being integrated into attackers' arsenal, enabling more sophisticated attacks while enhancing their methods for social engineering attacks and the effectiveness of ransomware.

Latvia is adapting to the changing geopolitical environment and incorporating the financial sector into its national cybersecurity strategies. The relevant threat scenarios are being analysed, including major attacks on the financial infrastructure, given that the financial sector has to ensure the provision of critical services to society at least at a minimum level.

The maintenance of both outdated and new IT infrastructure poses challenges, with deficiencies in managing IT security vulnerabilities within financial institutions emerging as a primary source of risk. Moreover, with the substantial rise in the number of discovered zero-day vulnerabilities and their exploitation in attacks, it is crucial to promptly address deficiencies and gaps in the vulnerability management process to reduce both the probability and impact of such risks.

Supply chains, which remain a major source of threats, also present challenges due to the substandard quality of outsourced services and inadequate security measures on the part of providers. Therefore, timely identification of outsourcing providers and suppliers, coupled with an assessment of the risks associated with each such collaboration, is an integral element of the internal control system. This is crucial for managing the risks of insecure technologies, insufficiently effective security measures, and potential geopolitical threats arising from such collaboration.

As the number of incidents involving ransomware and extortion stemming from data breaches continues to increase, it is crucial to consider the potential use of artificial intelligence-driven threat tools alongside malware. Although they have not yet made a game-changing impact, this does not preclude the possibility of a paradigm shift occurring in the near future.

The prevailing threat level will endure, with ongoing attacks on the availability of core services, particularly due to Latvia's intense support provided to Ukraine. At the same time, the risk to information integrity will increase, with the potential adoption of hybrid warfare tactics reminiscent of those employed in Ukraine. According to national security services, the intensification of foreign intelligence activities will extend risks beyond the confidentiality of classified information to include a broader spectrum of influential communication and propaganda. These efforts will target the Latvian financial market, with the aim of discrediting it and eroding customer confidence in its stability.

However, it is also crucial to consider the often underestimated probability of internally caused incidents, which frequently stem from deficiencies in change management processes or errors within information systems. It is therefore imperative to swiftly address and rectify these deficiencies and gaps in the change management process to reduce the likelihood and impact of such risks.

ICT and security risk management framework

ICT and security risk management requirements

ICT and security risk management requirements for all financial market participants are set out in the "Regulation on Information Technology and Security Risk Management".

To help financial market participants assess their information technology (IT) and security risk management processes, the Financial Technology Supervision Department of Latvijas Banka has prepared easy-to-use recommendations for the self-assessment of IT and security risk management.

The recommended checklist for IT and security management self-assessment will help financial market participants assess their own IT and security management processes against the requirements set out in the "Regulation on Information Technology and Security Risk Management".

Incident reporting requirements

In compliance with the Regulation on Reporting Significant Payment Service Incidents, payment service providers are required to report all significant incidents related to the provision of payment services.

  • The number of reports on significant incidents fell markedly in 2023 compared with the previous year.
  • Overall, the reported incidents affected a larger number of users and transactions, while the total downtime caused by reported significant incidents decreased.
  • The number of incidents associated with services provided by external partners decreased, owing to improved monitoring of services delivered by outsourcing providers.
  • Despite a significant rise in denial of service attacks, the number of successful attacks fell, as the cyber resilience capabilities of market participants have improved considerably since 2022.

Outsourcing monitoring requirements

The requirements for the use of IT outsourcing by all financial market participants are defined in Chapter 3.5 of the Regulation on Information Technology and Security Risk Management.

In addition, the use of outsourcing by credit institutions is governed by the Regulation on Outsourcing Arrangements, which sets out the requirements for assessing the significance of outsourcing and harmonising critical outsourcing services.

On the other hand, the use of outsourcing by non-bank market participants is regulated by:

However, each case of goods or services delivery should be assessed individually. The market participant should thoroughly assess all circumstances related to the planned activities of the goods or services provider, including the objectives, the tasks required to achieve them, the responsibilities of each party and, in particular, the associated risks.

For example, when acquiring a CRM (Customer Relationship Management) system, it would be necessary to break down the process into detailed sub-phases for a comprehensive assessment. This granular approach would facilitate the identification of responsibility divisions between the market participant and the respective supplier, the tasks to be executed, the expected outcomes, and additional factors such as the involved human resources, necessary competencies, technological resources, etc.

When assessing the obtained qualitative information, the market participant can identify risks and opportunities, as well as potential costs in various scenarios. This includes delegating the entire CRM development process or parts of it to an external supplier, versus executing the project fully using internal human and technological resources.

While there are instances where a CRM system can be delivered as a ready-made end product, it is more common that customisation is required to align the system with the credit institution's functions and processes, which cannot be achieved without the involvement of IT development functions.

Delegating IT development functions to an external provider is a textbook example of IT outsourcing. It is therefore essential to define precisely where the supplier's warranty obligations end, for instance by specifying clear delivery deadlines. This distinction separates the delivery of the procured system from the subsequent development of IT system updates, which takes place within the market participant's change management process, regardless of the significance of the changes introduced and whatever business or stakeholder need drives them.

According to Paragraph 32 of the "Regulation on Information Technology and Security Risk Management," the receipt of outsourced services does not exempt the market participant from the responsibilities stipulated in regulations or contracts with its customers. The market participant is accountable for the performance of the outsourced service provider, holding the same level of responsibility as it does for its own operations. The level of IT security, if IT is developed or maintained by an outsourced service provider, must not be lower than the standard set by the market participant.

Given the rapid changes in the geopolitical and cybersecurity landscape over the past two years, Latvijas Banka, in line with regulatory guidance from the European Central Bank, continues to strengthen its supervision of outsourced services, including the provision of IT systems and services and the processing of customer data. By monitoring the latest information from the European Union Agency for Cybersecurity (ENISA) and the information technology security incident response institution CERT.LV, which regularly publish updates on current cyber risks and incident statistics, Latvijas Banka has concluded that the risk level associated with supply chains remains high, particularly in the context of Latvia.

Since inadequately managed outsourced services are among the main sources of threats, effective management of IT outsourcing enables financial market participants to respond to risks more promptly. It also ensures the implementation of controls that meet the required security levels and enhances preparedness for potential suspension of cooperation and the replacement of the outsourced service provider.

On-site and off-site inspections

In accordance with the supervision plan developed by Latvijas Banka for financial market participants, on-site inspections of ICT and security risk management are carried out.

Continuing the off-site approach to supervisory inspections and the assessment process for credit institutions, it is planned to apply the ICT risk management assessment method also to the supervision of insurance corporations, investment management companies and pension funds. This will provide important data for prioritising supervisory work and allow for a broader cross-sectoral analysis.

DORA – the new ICT security framework for financial entities

Necessity to introduce DORA

DORA, or the Digital Operational Resilience Act, is Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector. It entered into force on 16 January 2023 and applies from 17 January 2025.

The increased use of technology in the digitalisation process not only provides business opportunities for existing and new market participants, but also increases risk. The framework aims to mitigate the risks associated with the digital transformation of the financial sector by setting common rules for all market participants. The rules apply to a wide range of financial entities and also reach the ICT third-party service providers on which they depend, such as cloud service providers, telecommunication operators, software developers and other digital service providers.

Critical third-party service providers with cross-border reach and high concentration risk and systemic impact will be subject to centralised supervision at European level.

The categories of financial entities licensed in Latvia that must comply with the new framework from 17 January 2025 are:

  • credit institutions;
  • insurance corporations;
  • investment management companies;
  • investment firms;
  • insurance brokers that are large companies;
  • payment institutions;
  • electronic money institutions;
  • managers of alternative investment funds;
  • crowdfunding platforms;
  • central securities depositories;
  • crypto-asset service providers (after the adoption of the European Union regulation).

Regulatory framework under DORA

The DORA requirements are divided into five pillars and will be detailed in regulatory technical standards (RTS) and implementing technical standards (ITS), which are in the public consultation phase and are expected to be approved in 2024.

The first group of standards consists essentially of refined existing regulatory requirements and covers two areas in detail: the ICT risk management framework and ICT incident reporting.

The ICT Risk Management RTS set out harmonised requirements in relation to the existing risk framework for financial entities, based on the Guidelines on ICT and security risk management issued by the European Banking Authority.

The ICT incident reporting RTS and ITS are expected to harmonise the incident reporting framework, including incident classification and reporting requirements, and establish a common reporting format.

ICT Risk Management Framework:

  • RTS "Risk Management"
  • RTS "Simplified Risk Management"
  • Guidelines for calculating ICT losses

ICT Incident Reporting:

  • RTS "Incident Classification"
  • RTS "Significant Incident Reporting"
  • RTS "Incident Reporting Specification"

DORA also introduces three new regulatory areas with significant implications for financial entities:

  • risk management of third-party ICT providers – this is also expected to subject the providers of critical ICT services to financial entities to regulatory requirements;
  • digital operational resilience testing – this is expected to harmonise and standardise resilience testing requirements; following a risk-based approach, companies should implement assessments, testing, methodologies, solutions and tools that are appropriate to the size, business and risk profile of the company;
  • European oversight framework – this will ensure the overall functioning of the mechanism from a cross-border perspective and the oversight of critical third-party service providers by a lead overseer (one of the European supervisory authorities) in cooperation with national competent authorities.

Digital resilience testing:

  • RTS "Threat-Led Penetration Testing"

Risk management of third-party ICT providers:

  • ITS "Supplier Information Register Form"
  • RTS "Supplier Use Policy"
  • RTS "Criticality Determination of Suppliers"

Framework for the monitoring of critical service providers:

  • RTS "Harmonisation of Monitoring Conditions"
  • Guidelines for cooperation between national competent authorities and European supervisory authorities

DORA is directly applicable, but in order to provide a legal basis for supervision and to designate the supervisory authorities and their responsibilities, the relevant amendments to the national framework are planned for 2024 and are to be drafted and submitted to the Ministry of Finance for approval (Laws and regulations | Ministry of Finance (fm.gov.lv)).