CBTT seeking stronger cyber security

Central Bank of TT. - Photo by Jeff K Mayers

THE Central Bank is exploring ways it can improve its ability to help local financial institutions protect themselves against cyber attacks.

Among them could be a dedicated unit within the bank to deal with these situations and site visits to commercial banks to assess their respective cyber-security measures.

The bank's deputy director (financial institutions) Michelle Francis Pantor made those statements during a meeting with Parliament's Finance and Legal Affairs Joint Select Committee (JSC) at the Red House, Port of Spain, on Friday.

Pantor said, "The Central Bank is aware that cyber security (attacks have) been increasing with the efforts towards digitalisation. We know this is only going to increase. It is one of the top two risks in the world, cyber security."

She told committee members the bank has commissioned technical assistance from the International Monetary Fund (IMF) to improve its capability to address possible cyber attacks on financial institutions.

"That has been ongoing. We have been training our examiners. A report was published by the IMF. It is publicly available.

"One of the recommendations is to shore up our resources with respect to cyber security. This is under active consideration at the bank."

In response to questions from Port of Spain South MP Keith Scotland, Pantor said the bank did not have a cyber-security unit, but had different entities under its ambit which dealt with different aspects of cyber attacks.

She did not rule out the possibility of a dedicated cyber-security unit being created within the bank.

"Whether it's a specialised unit, whether it's additional persons, has not been determined at this point."

Scotland observed that the bank made recommendations to financial institutions to use end-to-end encryption for transmitting personal passwords for customers' accounts.

He asked, "To what extent are financial institutions adhering to the above recommendation?"

Pantor said, "We have not done those types of on-site verification exercises to date."

What has happened so far, she continued, are self-assessment reviews of financial institutions as the bank builds up its capacity to do on-site supervision.

Pantor said the bank had issued a cyber-security guideline to financial institutions last September.

"Responses to those questionnaires are due by end of March this year. We are awaiting those responses in order to assess...the areas where there may be gaps."

Pantor said financial institutions were also required to submit detailed action plans to the bank along with those cyber-security self-assessments.

Scotland maintained that on-site visits by the bank to other financial institutions to determine the effectiveness of their cyber-security measures were a critical part of the bank's audit and oversight of those institutions' ability to repel cyber attacks.

He asked Pantor if the bank issued compliance letters and fines to financial institutions whose cyber-security measures were not up to a particular standard from 2020-2023.

Pantor reiterated, "We have not yet examined financial institutions with respect to cyber security. It is really based off of the self-assessments."

On-site assessments of financial institutions were supposed to happen in 2020.

But Pantor said they were postponed because of the covid19 pandemic.

"We had to pivot and we adopted a questionnaire type of approach and virtual interviews."

In response to questions from Opposition Senator Jayanti Lutchmedial-Ramdial, Pantor said the bank hoped to undertake the on-site assessment of financial institutions' cyber-security measures in the new fiscal year.

Scotland said, "It is now crucial that the on-site visits start without any undue delay. That is something that we convey."

Pantor agreed with him.

"It is for that reason that we are training our examiners. We have to be able to equip our examiners to do effective on-site (assessments) of cyber security."

In 2020-2023, Pantor said there were six reported instances of fraud.

"They involved matters pertaining to cheque fraud, withdrawal of funds by customers in excess of deposited balances, employee fraud, using fraudulent identification, signatures and documents."

Pantor said five cases involved insurance companies and the last case was a non-bank institution.

She added, "What we would have seen to date, through the reviews that we would have done on self-assessments and questionnaires, is that we recognise that the cyber security in the banking sector is stronger than (in) other sectors."

Pantor said that did not mean the cyber-security measures were perfect.

"They are evolving, given what is happening in cyber security. But basically, they have frameworks in place to treat with cyber risk."

Lutchmedial-Ramdial asked if the bank helped financial institutions to deal with the costs involved in upgrading their cyber-security measures.

Pantor said much assistance might not be needed with respect to smaller financial institutions.

"You would expect that their expenditure is in line with their activities, services and systems."

Those institutions, she continued, may not have to spend large amounts of money to upgrade their cyber-security measures.

But with larger institutions, Pantor said, "We expect the bells and whistles – the international organisations. They will have more centralised cyber-security programs in place."

She added that the local offices of the institutions would have cyber-security measures in place that would be the same as their parent companies'.

On cyber-security legislation, Fraud Squad Snr Supt Arlet Groome said the failure to pass cyber-security legislation in 2017 greatly affected the ability of the police to deal with such crimes.

"We don't have any laws to suit that. We are way behind legislatively in properly bringing these matters into any form of fruition."

Digital Transformation Minister Hassel Bacchus said there were 27 pieces of legislation that could have some level of impact on fighting cyber crimes. He cited the Data Protection Act and Electronic Transaction Act as places where some people believed a silver bullet could be found to kill cyber crimes.

"Unfortunately, legislation does not work that way. It is a combination of things that provides the necessary impacts on what you want.

"But we do take on board the deficiencies that exist in some of the current legislation to deal with the modernisation of the type of crime that we're dealing with."

Last December, Attorney General Reginald Armour, SC, said new laws to deal with cyber crimes would be coming to Parliament soon.

His ministry was one of several institutions that fell victim to cyber attacks last year.

Others included the Judiciary, Telecommunications Services of TT (TSTT), National Insurance Board (NIB), PriceSmart and Courts.