IMF urges stronger Central Bank cybersecurity response

BitDepth #1406

MARK LYNDERSAY

THE IMF'S country report 23/161 for TT focused on a visit to the country by its Monetary and Capital Markets Department between October 31 and November 4, 2022.

The specific purpose of the IMF mission was to "strengthen the cybersecurity of the financial institutions under the supervisory ambit of CBTT, build supervisory capacity for the effective supervision of cybersecurity and strengthen the cybersecurity posture of the Central Bank."

During the visit, the IMF held extensive discussions with and assessments of the status of the TT Central Bank's (CBTT) management of cyber risks, spoke to banks operating locally and hosted a hybrid event with CBTT teams, financial regulators and institutions on key issues that the entire financial sector needs to manage more effectively.

The supervision of financial institutions is fragmented across a range of local authorities.

The CBTT supervises banks, non-banks, insurance companies, pension firms, bureaux de change and payment systems. The Co-operative Development Division in the Ministry of Youth and National Development oversees credit unions. The TT Security and Exchange Commission supervises the securities market and intermediaries. The Financial Intelligence Unit investigates anti-money laundering/counter financing of terrorism.

It is unclear whether the IMF scheduled this mission based on observed shortfalls in finance-related cybersecurity or if there was an invitation to evaluate from the CBTT, but 'its clear there are significant shortfalls that need to be addressed urgently.

In a list of 21 key recommendations compiled in the report, 18 were described as high priority and one, the augmentation of the CBTT's resources available for ICT/cyber-risk supervision was flagged as immediately necessary.

The report lamented the complement of supervisory staff assigned to banks/non-banks and expressed specific concern that there was only one junior examiner qualified as an IT resource partially assigned to ICT and cyber-risk supervision. There is no equivalent resource assigned to review insurance and pension firms.

The report urged the CBTT to assess the workload of its IT Security Unit noting, "An analysis of the unit's current workload should be performed, including operations and project work.

"CBTT's commitment to improving its cyber resilience will result in additional workload on top of an already stretched agenda, which needs to be estimated and the necessary resource development plans drawn up in advance, as there is a general shortage of available skills."

The CBTT, however, is the only national regulatory entity considering the development of specific ICT and cyber-risk guidelines to address rapidly evolving threats that aren't covered by existing requirements for corporate governance, market conduct and security of customer information.

The Central Bank of Barbados published new cyber-risk guidelines this month.

This fuzziness in defining how financial institutions should conduct their business in an era of dramatically increased cybersecurity risk and widespread ransomware is further undercut by the lack of clear requirements in existing legislation.

Amendments to the partially proclaimed Data Protection Act should include mandatory reporting of exposure of personally identifiable information (PII) when data breaches occur.

Without a legal requirement, disclosures remain at the discretion of companies and financial institutions.

Given the demonstrated reluctance of companies and the Government to discuss the circumstances of known data breaches over the last three years, resulting in undisclosed PII exposures of unknown scope, it isn't surprising that the authors of the report note, "Drafting a guideline, consulting with the industry, finalising the guideline and issuing it will take serious effort. Subsequently, assessing the compliance with the guideline will increase the supervisory burden."

The CBTT is the Government's banker and has an explicit mandate to promote financial stability, manage the exchange rate and maintain monetary stability.

It has done so through a largely successful regime of fiscal conservatism and its cautious ambivalence regarding fintech developments is largely reflective of the Government's position on the technology, which has evolved slowly from openly derisive to tentatively engaged.

That sketchy commitment is reflected even in the CBTT's financial allocations. The IMF noted that a budget of TT$100,000 for identity and access management advisory services is only likely to cover the first of at least six steps required to properly revamp of its cyber-risk supervision.

The IMF's evaluation, couched as technical advice, makes it clear that the CBTT is far behind where it should be in supervising cyber risks in the financial sector.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there