By September, the Central Bank of T&T should provide a security framework for financial institutions in the country.
In a webinar entitled “Cybersecurity in Financial Institutions: Best Practices” hosted by the Central Bank last week, Central Bank Governor Dr Alvin Hilaire noted that as the world grows more dependent on technology, the importance of cybersecurity is growing, particularly among financial institutions.
Hilaire said, “It is no exaggeration that our financial institutions across the world are heavily dependent on technology. It is quite remarkable to think that just some time ago, you didn’t have online transactions, but now, this is the world that we live in and it’s hard to imagine anything without online transactions, ATMs and so forth.”
He continued, “In fact, as a country becomes more modern, its financial institutions become more savvy, there’s intense competition and they go together. And so technology reinforces financial stability and they can’t go without moving hand in hand. But they also may threaten each other and here is where it is important to be on top of the game.”
He pointed out that in modern times, a bank robbery is less likely to be physical.
“We have to be aware of the importance of technology but also the threats to financial stability. Now, let me give you an example of what we used to think about as a typical bank robbery that you will see on TV. So somebody comes in in a mask, they give a note. And then they say well give me your money and they have a getaway car and they get away or they don’t get away,” said Hilaire.
“So this is our typical bank robbery. You still have that but now, guess what. People could rob a whole bank without being in the country. The bandits could be in Korea, they could be in Australia. They have a cyber attack, the whole financial institution could be compromised.”
Hilaire pointed out that there were now several strategies that could allow the theft of personal information, and that financial institutions around the world, as well as local financial institutions, have to be mindful of these threats.
These threats to personal information could come from ransomware, identity theft or from other means, the Governor said.
These threats do not even have to be on land, as someone could launch a cyber attack from a submarine or by manipulating a satellite in outer space, said Hilaire.
“This is how serious or how anonymous this thing could be. So we have to be very careful as some of the things that we are accustomed to thinking about in the cyber threat landscape include card skimming, identity theft, ransomware, and all those, so let’s be fully aware of this,” he said.
Central banks around the world have been taking countermeasures.
Hilaire confirmed during the seminar that the Central Bank was indeed working on the framework, which he hoped would not just be adopted by the major commercial banks, but also by credit unions and other financial institutions in our country.
“Domestically we are also working towards improving our cybersecurity defences. Let me mention three aspects. One is education. So people should be aware of cyber threats. One such is where our national financial literacy programme comes in.
“The second is redress where people could have some way of dealing with it. And our Office of the Financial Services Ombudsman will be dealing more with that.
“And the third is market conduct or how institutions behave. And this is what we are talking about today.”
The Central Bank Governor explained that the Central Bank had been working with the International Monetary Fund (IMF) to develop the framework so that local institutions would be properly guided in the event of a cyber attack.
Hilaire said, “The Central Bank of T&T has been actively thinking about cybersecurity for quite some time. If you look at our strategic plan some years ago, and the current strategic plan, it features very prominently.
“Now most recently, in order to boost this, we have invited the IMF for technical assistance and we had a really tremendous experience with them and I must commend the already dedicated team from the fund for being with us to look at two aspects. One is the cybersecurity of our own operations. And the second is the cybersecurity of financial institutions.”
He said in that regard, the Central Bank is working towards a guideline that would be given to financial institutions that they will be able to utilise for their own operations.
Hilaire said the regulator of financial institutions wants to go a step further not only for licensees but for other institutions such as credit unions.
“We hope that the credit unions will adopt this in a meaningful fashion and we will all have a certain common set of standards. So our expectations today are quite high for this endeavour,” said Hilaire.
He explained that the webinar served a dual purpose as it not only sought to explain these threats but would also entertain questions which would further inform the Central Bank’s approach.
He said, “We will be able to issue the guidelines by, I would say, mid-September.”
Keisha Lashley, assistant manager, Information and Cybersecurity, noted that every day financial institutions were under attack. She said it was therefore important that consumers also know what their options were should their bank come under attack.
“You wake up one morning, and you learn that your financial institution’s data is available for sale on the dark web. You go to their application and it is unavailable. You go to their website, and it has been defaced. What would you do?
“These are some of the attacks that financial institutions face on a daily basis. And even in this climate, they are still expected to deliver a service that is both resilient and secure. We know that technology allows us to execute our functions, to be innovative, to be creative, just to do things better,” said Lashley.
“There’s a lot of conversation now about artificial intelligence and machine learning, and how these supercomputers will change very near that we do things. These are exciting times for us. But we know that even though technology brings opportunities, there are also risks, and as the governor said, criminals are not restrained to our borders. In fact when we look at some of the attacks that are happening right here.”
Lashley stressed that as Trinidad and Tobago moved closer to becoming a cashless society, these countermeasures have to be implemented sooner rather than later.
She said, “We want to move to a cashless society. And I know that just as they demand a lot of us, they also demand a lot of you our financial institutions. And one thing that is consistent is that the attacks are sophisticated, and they happen all day, every day.”
Michelle Francis-Pantor, deputy inspector of Financial Institutions for Central Bank, explained that the framework would be developed with careful consideration of the range and scope of each financial institution.
“The cybersecurity framework to be established should be proportionate to the size of business activities and risks faced by the financial institution. In this regard, the draft guideline will set out the bank’s expectations for financial institutions with respect to cybersecurity, will strike a balance between principles and prescription in recognition of the different levels of sophistication and institutions and will cover key areas such as governance, risk management, IT resilience and third party risks.”
She explained that these guidelines would also inform the training required for all workers at financial institutions.