Report on the forum “Cybersecurity in Finance 2024”

I visited “Cybersecurity in Finance. Ural Forum 2024”, held in Yekaterinburg from February 11 to February 16, 2024. In 2023, I was at the Magnitka forum; it used to be an event on cybersecurity in finance, but since 2023 it has been dedicated to industrial security. In 2024, I finally made it to the forum on information security in finance. Unfortunately, I was not able to attend the master classes, the most interesting part of the forum: they were held in a closed format without the media and online publications. But I managed to get to two discussions, go around the stands (there were only six of them) and record an interview about NGFW. The latter will be a separate piece. Enjoy reading!

The main part of the forum, which took place from February 14 to February 16 (from February 11 to February 14 there was a youth part), began with a panel discussion “Countering cyber fraud: key challenges and solutions.”

The forum and discussion were officially opened by the Chairman of the Bank of Russia, Elvira Nabiullina. She said that the forum is dedicated to information security issues, the transition to Russian software, protecting people from cyber fraudsters and technology development.

Next, the panelists discussed the main cybersecurity challenges for the financial sector, for example, the fight against credit fraud, improving the quality of anti-fraud procedures in banks, the quality of reporting on transactions made without the consent of clients, the fight against droppers and creating a negative public image of the dropper.

During the discussion, Deputy Chairman of the Board of Sberbank Stanislav Kuznetsov emphasized the importance of finding new directions and solutions for developing technologies and protecting people from cyber fraudsters.

Further, the discussion participants explained what is already available to combat cyber fraud: reliable protection of the infrastructure of credit institutions, safe storage of client funds, improving the regulatory framework and standards, creating a unified telephone anti-fraud system, and protection against number spoofing. At the same time, despite the measures announced, problems remain: the damage from telephone fraud is growing, and new channels and tools of fraud are appearing. In addition, there is no single platform for exchanging risk events and statistics, there is a problem with SIM cards and SIM boxes, and the financial literacy of the population needs to be improved.

To address these issues, panelists proposed a variety of measures, including improving fraud detection tools, building data sharing tools between entities, strengthening cyber intelligence, and smarter integration of vulnerability management and code production processes.

Then the meeting participants discussed various ways to improve interaction between banks and the FinCERT center and the introduction of an open API standard for effective online data exchange. Representatives of banks and government departments also discussed the need to improve the quality of FinCERT reports and proposed creating a unified platform to combat fraud in the financial sector.

A separate topic included a discussion of the problems of microfinance organizations that issue loans to criminals. In this regard, it was proposed to amend the legislation. The problem of credit fraud and measures to combat this fraud were also raised. According to the discussion participants, the number of complaints about loan fraud is growing.

At the session, ideas were put forward to introduce a cooling period for loans and block cards to combat fraud. It is noted that the cooling period works well and helps prevent customer losses.

In addition, the discussion raised the problem of droppers and the fight against it. For example, it was proposed to use the experience of the Republic of Belarus, where criminal liability was introduced for the transfer of bank cards. Some debaters proposed in the Russian Federation to introduce criminal liability for droppers with confiscation of property.

The next topic discussed at the panel discussion was the high-profile proposal to increase the liability of financial executives for data breaches. Also during the discussion, the idea of using artificial intelligence to detect data leaks and combat fraud arose.

Well, at the end of the discussion, the topic of personnel shortage in the field of information security was raised. This is discussed at almost every IT and information security conference. A proposal was put forward, together with the Ministry of Education, to train personnel with the necessary competencies.

After the panel discussion, I would like to talk about the round table “Cyber Risk Insurance”.

The round table discussed the issue of insurance of risks and liability within the framework of cybersecurity. Although insurance is not currently widespread, it can serve as a financial tool to protect members from losses and encourage them to take safety measures.

One of the issues on the table was related to increasing the responsibility of companies to consumers for the leakage of their personal data. The discussion participants spoke about the need to develop a mechanism and methodology to implement this initiative.

The willingness of the insurance community to participate in such an initiative, including developing regulations and participating in proposals for legislation, was also discussed. However, the idea was voiced that it is necessary to develop and implement a law with certain limits and stages.

During the discussion, participants considered the need to develop liability insurance for leakage of personal information and its impact on the market. It was concluded that insurance is useful for protecting against possible reputational losses and indirect losses, but will not protect against direct losses.

The meeting also discussed what types of liability insurance may be acceptable and understandable to consumers. It was noted that while liability insurance can help protect against reputational losses, it cannot protect against direct financial losses.

As part of the round table, it was proposed to introduce liability insurance for leakage of personal data in order to stimulate referrals. In addition, the roundtable participants noted that the insurance market is dominated by large companies with advanced cybersecurity systems. To gain experience and statistical information, it is necessary to develop insurance for medium and small enterprises, which are more susceptible to the risk of data leakage.

Examples of liability insurance for information leakage include liability insurance for loss of personal data and insurance within the framework of the All-Russian Union of Insurers. The creation of a standard or basic data loss liability insurance product is being discussed.

According to experts at the roundtable, insurers have an important role to play, acting as experts for companies and helping to resolve incidents and minimize consequences.

In addition to insuring risks associated with the loss of personal data, the round table discussed insurance for various problems resulting from cyber incidents, such as work interruption, equipment failure or data loss. The issue of liability insurance to end users (ordinary clients of companies, patients of medical institutions or consumers of services) was also considered.

I reviewed the last round table because it seemed to me a good idea that people affected by leaks could at least receive compensation through insurance. Or the affected companies will have the opportunity to minimize the risks of hacking and reduce damage. I don’t know where such initiatives will lead, but the ideas are interesting.

However, offline I was at another event. This was a discussion of the interaction between IT and information security specialists. The discussion was called “Information Technology vs Information Security.”

As part of the discussion, participants discussed the problems of interaction between various IT services and cybersecurity specialists. It was said more than once that when drawing up a particular project, programmers, system administrators and other people associated in one way or another with information technology neglect cybersecurity or simply forget about it.

The discussants shared their experiences on how to avoid this. For example, a representative of Gazprombank said that they have a large questionnaire issued before the implementation of the project. And if, after filling it out, the project turns out to be profitable and in demand, they begin to implement it.

Also during the discussion, the idea was repeatedly raised that simple solutions are not cybersecure. Sometimes a system administrator or developer proposes or creates a convenient solution, but this solution has a number of vulnerabilities that affect the infrastructure and the company.

Various thoughts were discussed on the topic of interaction, for example, the synergy of IT and information security specialists or when a security specialist acts as a consultant when creating the desired solution. There were also more radical ideas, when specialists first needed to justify to the information security service why they needed to add the necessary system.

However, everyone agreed on the need for secure development and greater interaction between specialists.

After the discussions and round tables, I would like to tell you a little about the stands; in general, there were six of them in total. But by and large there is nothing to talk about; the most memorable thing at the Solar Group stand was the software and hardware NGFW shown under load, but I have covered that separately. And this is not advertising; it is just that the forum was about something a little different, and the media and Internet journalists were not allowed into that part.

The Ural forum was memorable for me because of its whirlwind pace, because there was a lot of communication with experts, and because various statistics on hacking and phishing were presented. And although in the end I didn’t have much material – a review, some news and an interview – it was interesting to see how things were going in the financial sector. I especially remember the discussion of import substitution of equipment, when one of the speakers said that some structure (a bank or an agency, I don’t remember) had been purchasing foreign equipment for years, and now they were concerned with import substitution. I would have liked to watch this discussion as well, but, unfortunately, I was called for an interview, and I was unable to find a recording of the speech online. Therefore, I have included this part only in the conclusion. I hope I have given you a small glimpse of the forum.
