Canada’s financial regulator is urging the country’s biggest banks and insurance companies to perform a new controlled threat assessment of their cyber resilience every three years with independent penetration testers.
The recommendation for the assessment, called Intelligence-Led Cyber Resilience Testing (I-CRT), was announced today in new guidance from the Office of the Superintendent of Financial Institutions (OSFI) to help banks and insurers identify areas where they could be vulnerable to sophisticated cyber-attacks.
The OSFI supervises more than 400 federally regulated financial institutions and 1,200 pension plans, but the I-CRT framework is being applied only to the largest institutions.
The I-CRT approach, first developed by the Bank of England, is used globally by regulators to enhance financial institutions’ technology and cyber resilience against sophisticated attacks, the regulator said.
All federally regulated financial institutions are expected to practice effective risk management and assess their level of cyber preparedness. That may include traditional penetration testing (looking for exploitable vulnerabilities) and establishing a red team that specializes in testing how systems and employees react to a simulated attack.
An I-CRT test is wider than a red team test in that it assesses critical business functions. These are functions that, if disrupted, could have an impact on the financial stability of a company and its resilience, safety or soundness.
Canada’s banks are considered among the country’s leaders in cyber awareness. However, any institution can be breached — externally or internally — under the right circumstances. In 2019 Quebec’s Desjardins credit union discovered an employee had copied data on almost 10 million current and former customers. An investigation by the federal and Quebec privacy commissioners said Desjardins “did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.”
In 2018, criminals copied information on 113,000 Bank of Montreal customers in two waves. A federal privacy commissioner’s report noted that, with proper application and network monitoring, the first wave of data theft would have been detected. The bank also had no way of addressing automated attacks by bots, which left it vulnerable to the second wave. CIBC’s Simplii Financial was hit around the same time.
While a red team test emulates sophisticated threat actors’ tactics, techniques and procedures (TTPs), an I-CRT test identifies critical business function targets and emulates sophisticated threat actors’ TTPs based on known cyber threats against the financial sector.
The goal of a red team test, says the regulator, is to identify gaps not only in technology controls but also in processes and procedures. The goal of an I-CRT test is to identify “genuine cyber threats and vulnerabilities disrupting critical business functions.”
However, an I-CRT test differs from a conventional red team test in two major ways:
— the attacking red team has to be an outside cybersecurity firm, ideally advised by a second firm that specializes in threat intelligence;
— and the OSFI provides guidance and oversight throughout the assessment, although each institution is responsible for its own test. In fact, the OSFI will choose which institutions run an I-CRT test, and when.
Combining targeted threat intelligence and advanced tools, techniques, and procedures will result in synergies that closely mirror a sophisticated threat actor, says the OSFI.
“To achieve targeted threat intelligence for a given scope and to ensure a successful red teaming execution, it is very important that the activities for threat intelligence gathering and red teaming are sufficiently separate and distinct,” says the OSFI guidance. “The immediate benefits of having two separate vendors to conduct the threat intelligence gathering and the red teaming include independence and different types of knowledge. While both service providers need to work together in some cases, their independence reduces the risk of influence with conscious or unconscious biases.”
If an institution wants to hire one service provider for both threat intelligence and red teaming, an assessment should be conducted beforehand to identify risks and compensating controls, the guidance says. OSFI will review that assessment. “An over-riding stipulation is that there should be a separation between the two activities and no information or communication should be shared between the service providers unless required for greater collaboration and better intelligence and red teaming actions,” the guidance adds.
The I-CRT framework will apply to what the OSFI calls systemically important banks (SIBs) — which include the country’s biggest banks — and internationally active insurance groups (IAIGs).
“Implemented appropriately, the I-CRT framework will strengthen federally regulated financial institutions’ ability to withstand sophisticated cyber-attacks,” OSFI superintendent Peter Routledge said in a statement. “Effectively managing cyber risk is an essential element of a federally regulated financial institution’s cyber resilience. I would like to thank the institutions that participated in our pilot projects over the past 18 months – their outstanding contributions helped us develop this framework.”
Federally regulated financial institutions will also be expected to follow OSFI’s guideline on technology and cyber risk management, which comes into effect on Jan. 1, 2024.
The guidance released today for I-CRT assessments is quite detailed. Each institution should have a senior executive sponsoring the I-CRT assessment. A control group takes overall responsibility for conducting the assessment. This group, led by a co-ordinator, should include senior staff who handle security incident response and the relevant escalation chain. It is in charge of end-to-end project management, risk management, contracting of third-party suppliers, scoping, and remediation activities after the assessment.