Financial Crime World

FMI Owners Shoulder Responsibility for Cloud Service Security

Introduction


A recent report by Norges Bank highlights the importance of Financial Market Infrastructures (FMIs) maintaining sufficient expertise and capacity to manage and control deliveries from IT providers. The central bank emphasizes that FMIs must have plans, contracts, and resources in place to switch providers efficiently if the need arises.

Cloud Services: Challenges and Opportunities


The use of cloud services is becoming increasingly common, with many financial and non-financial businesses shifting their strategy to expand the use of cloud services to include core functions. While cloud providers contribute to innovation and development through economies of scale, they also present challenges similar to those faced by traditional operating environments.

  • System owners need sufficient expertise and resources, as well as a strong security culture, to manage and control IT deliveries satisfactorily.
  • Solutions must be designed to be secure and easy to use and administer.
  • The recent internal security incident in Microsoft’s Azure cloud platform, known as “Bluebleed,” exposed the data of around 65,000 customers, highlighting the potential global impact of incidents at cloud service providers.

Norges Bank’s Supervisory Role


As part of its supervisory work, Norges Bank assesses whether individual FMIs’ continuity and contingency arrangements are sufficient. The central bank also considers whether additional independent contingency arrangements are needed to ensure adequate system availability in crisis situations.

  • Norges Bank is responsible for supplying banks with cash and meeting the public’s demand for cash, even in crisis situations.
  • The bank is assessing how cash-related contingency arrangements should be adapted to an evolving risk and threat landscape.

Effective Information Sharing Crucial


Effective information sharing and cooperation are essential for dealing with critical incidents quickly. Examples of such cooperation include:

  • The Nordic Financial CERT (NFCERT)
  • The Financial Infrastructure Crisis Preparedness Committee (BFI), which brings together authorities and private entities to prevent, and coordinate the handling of, incidents that could cause major disruptions to the financial infrastructure.

TIBER-NO Testing Program


Norges Bank has collaborated with Finanstilsynet on the introduction of cyber security testing in accordance with TIBER-NO, a national adaptation of the TIBER-EU framework developed by the European Central Bank (ECB). The purpose of TIBER testing is to increase the resilience of the banking and payment system against cyber attacks that can have systemic consequences.

  • The TIBER-NO Forum, which includes critical functions in the banking and payment system, will test cyber resilience in accordance with the Norwegian implementation of TIBER-EU.
  • A separate TIBER-Cyber Team (TCT-NO) has been established at Norges Bank to guide entities through the testing process.

Conclusion


FMI owners must take responsibility for ensuring the security of cloud services used by their organizations. Norges Bank’s supervisory role is crucial in assessing FMIs’ continuity and contingency arrangements, as well as promoting effective information sharing and cooperation. The introduction of the TIBER-NO testing program will help increase the resilience of the banking and payment system against cyber attacks.