Addressing Cyber Security Risks

in Emerging Financial Sectors

November 20, 2019

Setting The Stage: Cyber Security Challenges And Trends In Emerging Financial Markets

Judith Frickenstein, GIZ

Juliet Maina, GSMA

Komitas Stepanyan, Central Bank of Armenia

Prof. Dr. Dirk Zetzsche, University of Luxembourg

THE DARK SIDE OF DIGITAL FINANCIAL TRANSFORMATION:

THE NEW RISKS OF FINTECH AND THE RISE OF TECHRISK

Prof. Dr. Dirk A. Zetzsche, LL.M.ADA Chair in Financial Law (inclusive finance)

University of Luxembourg

Based on Buckley/Arner/Zetzsche/Segla, Sing. J. Leg. St., in press,

pre-print available at: www.ssrn.com/abstract =3478640

1.0 2.0

3.0

3.5

1866 - 1967 1968 - 2007 2008 - Present

Infrastructure Banks Start-ups

2007

4.0

TechFin

Identity

Big Data

AI

IoT

Decentralized

Dev

elo

ped

Wo

rld

Dev

elo

pin

g W

orl

d

Telegraph

Telephone

ATM

E-

Banking

P2P

Credit

Scoring

FinTech Evolution

Framework of Analysis

New sources of traditional risks: Credit? Payment? Market?

Legal? Operational?

New risks? TechRisk

New systems / structures? Technology today is no longer the

constraint in an increasing range of cases – Libra …

Key Areas of Concern

▪Cybersecurity

▪Data security / protection

▪TechFin / BigTech

▪Technological risks: New infrastructure

▪Interoperability / connectivity

▪International / regional cooperation

Cybersecurity

▪No. 1 national security, public security AND financial stability risk

▪Incumbents

▪Infrastructure: old and new

▪New entrants: small and large

▪Regulators / governments

▪Use of same software and service providers (cloud...)

▪Markets: Flashcrash …

Hostile and other actors

▪Participants

• Hackers

• Hacktivists

• Terrorists

• Criminals: of all types

• Corporations

• Sovereign / quasi sovereign

▪Purposes

• Fun

• Destruction

• Message

• Theft: old and new

• Warfare

BigTech / TechFin

▪Network effects

▪Regulation: new SIFIs

▪Competition / antitrust

▪Non-traditional infrastructure

Non-traditional infrastructure

▪Data

▪“financial operating systems”: Aladin

▪Cloud: FinTechs, incumbents, SIFIs, BigTech / TechFin

▪New infrastructure: blockchain

▪Libra, stablecoins, CBDCs, public-private: Utility Settlement

Coin (USC)

Interoperability / interconnectivity

▪Traditional

▪New

TechRisk

New sources of traditional risk

New risks

Necessitates: monitoring, understanding, system design,

technology, international cooperation

RegTech

What to do?

▪Financial sector: risk management systems, data

protection systems, contingency planning, insurance

▪Regulators: monitoring, supervisory review, information

sharing, sandboxes / stress tests / war games / contingency

plans, capital

▪Governments: training / human capital, defense / planning

▪International / regional cooperation / information sharing

Thanks!

Prof. Dr. Dirk Zetzsche, LL.M.

ADA Chair in Financial Law (Inclusive Finance)

Faculty of Law, Economics & Finance

University of Luxembourg

Dirk.Zetzsche@uni.lu

Readings on FinTech

Regulatory Sandboxes

www.ssrn.com/abstract=3018534

TechFin / Data-driven Finance

www.ssrn.com/abstract=2959925

Distributed Ledgers / Blockchain

www.ssrn.com/abstract=3018214

eID / KYC Utilitieswww.ssrn.com/abstract=3224115

Corporate Technologies (AI etc.)

www.ssrn.com/abstract=3392321

ICO Gold Rush

www.ssrn.com/abstract=3072298Regulating Libra

www.ssrn.com/abstract =3414401

Rise of Tech Risk

www.ssrn.com/abstract=3478640

FT4FI Roadmap

www.ssrn.com/abstract=3245287

Future of Data-Driven Finance

www.ssrn.com/abstract=3359399

Cyber Security Risks For Central Banks in

Emerging and Developing Countries

Komitas Stepanyan, PhD, CRISC, CRMA, Cobit

Deputy Head of Internal Audit

20 November, 2019

17

Cybersecurity – more than a real threat

People Process Technologies

RISK

18

What does the regulators/supervisors need to know?

• Clear understanding of what cyber risk means and how it could harm a bank’s and/

or financial sector viability

• Able to challenge the supervised institutions

• Ability to asses if 3 lines of defense is functioning at the supervised institutions

o Good knowledge of the institutions’ IT/Info/Cyber governance and strategy

o Understanding the institution’s IT/Info/Cyber risk management framework

• Knowledge of the institutions ICT/cyber risk profile, including critical assets and

processes, relevant threats, existing vulnerabilities and mitigating controls

• Understanding of bank’s dependencies

Cybersecurity governance for Mobile Money providers

Juliet Maina, Advocacy and

Regulatory Manager, GSMA

20th November 2019

Photograph by Trung Vo Chi

20

About The GSMA

21

“Generally, it refers to the protection, by any means, of network-

related systems and devices and the software and data they

contain… typically comprises the protection of technical

infrastructure, procedures and workflows, physical assets, national

security as well as the confidentiality, integrity and availability of

information.”

What is Cybersecurity?

Source: GSMA Mobile Policy Handbook, 2019

23

Cybersecurity

governance

framework.

The report on Cybersecurity in mobile money is now

available.

Cybersecurity

in mobile

moneyGSMA Mobile Money Group

@GSMAMobileMoney

mobilemoney@gsma.com

gsma.com/mobilemoney

Follow us on social media

Setting The Stage: Cyber Security Challenges And Trends In Emerging Financial Markets

Judith Frickenstein, GIZ

Juliet Maina, GSMA

Komitas Stepanyan, Central Bank of Armenia

Prof. Dr. Dirk Zetzsche, University of Luxembourg