
Thank you everyone for being here. It is a real pleasure to be in front of so many security experts. Actually, this is the first time I am at BSides in Tirana; however, I have been at some other security conferences in Tirana and the region. The topic that I will be discussing today deals with a specific area that is more in the risk management domain, and the topic is managing cyber security challenges from third-party service providers in the financial industry.

Before we dive into the topic, briefly a little bit about myself. My name is Val Shu. I currently serve in the information security office at NLB Banka in Prishtina, Kosovo, which is one of the largest banks in Kosovo and also part of a larger banking group in the Western Balkans. Previously I also had experience in cyber security and information security in two other banks in Kosovo, in managerial and senior-level positions. Other than that, I have a master's degree in computer science and telecommunications from the University of Prishtina. I was also recently awarded the prestigious Chevening Cyber Security Fellowship, which is hosted by the United Kingdom's Ministry of Defence; I will talk about it later. After coming back, I also won a grant for implementing a specific program, which we named Cyber Pulse, and it deals with implementing an
advanced threat intelligence and situational awareness platform in a few specific government agencies. Other than this, I also have a few security-related certifications and over 20 years of experience in IT and cyber security combined. You can find me on social media, on Twitter/X and LinkedIn, with the same handle, vales.

So I would like to continue. Firstly, this topic was part of a broader project, as I mentioned, for the Chevening program, and this is the Western Balkans Cyber Security Fellowship. This is a project that is fully funded by the FCDO, the Foreign Office of the United Kingdom's government. It is delivered at the Defence Academy of the UK's Ministry of Defence and it is hosted by the prestigious Cranfield University. This program is more geared toward professionals that are interested in cyber policy and cyber security, and it includes candidates from the six Western Balkan countries. I would encourage anyone to learn more about this program, because it is a fantastic experience that allows professionals to get networked with high-level decision makers and professionals from the United Kingdom, from industry, from academia and from government circles. So this is a very interesting project, and I would encourage anyone interested to look into it and to apply.

So about the specific project: as part of the final deliverable during this program, we had to perform research, and the research paper had a few objectives. I have listed the main ones here. The first one was to investigate and to manage the cyber security challenges related to third-party service providers, but on top of that, after the research, the objective was to propose an effective third-party risk management strategy that would emphasize more specifically the role of regulatory bodies and regulatory frameworks which are based on best practices. The methodology of the research was pretty standard: it involved quantitative analysis, literature review and a few specific surveys with the involved stakeholders
of this topic.

So first, before I dive into the project, let me provide a brief overview of the financial industry in Kosovo, more specifically the banking sector. There are currently 12 banks in Kosovo, and nine of them are foreign-owned, which hold over 85% of the capital of the banking sector. Since our independence in 2008, the banking sector is seen as the key driver in funding economic growth and innovation in the Kosovo market. So which are some of the security-related services that the banking industry and the financial sector use? I have highlighted the main ones, and obviously the key ones that are more important to the industry are online and mobile banking, communication services, payment processing, card personalization and others, and, last but not least, cyber security services, which hold a specific and very important interest for the banking industry. And while using these services, which are the key targeted benefits for the financial industry or the banking sector? The benefits that the banking sector aims for by using third-party service providers are operational resilience, market advantage, legacy reduction and cost effectiveness. By reducing reliance on legacy systems the banking sector tries to gain an advantage over this issue, innovation, and of course to stay compliant with specific
regulations.

So now I will focus on the main cyber security risks that the Kosovo financial industry currently faces. I have listed the main ones, and obviously data breaches are one of the key concerns in the financial sector or banking industry in Kosovo. Related to data breaches, I have only listed the year 2020, while security professionals from the region are probably aware of a significant incident that occurred in 2020, when a prominent bank in Kosovo fell victim to the DoppelPaymer criminal gang, where most of its data was encrypted by ransomware and then the data was exfiltrated and published on the dark web, in underground markets. When you couple this with a situation where there was a complete lockdown due to the pandemic, this highlighted the significance of such an incident: although initially thought to be minimal in effect, it caused huge reputational damage to that institution, because there was a lot of panic caused among the population; in parallel with the situation of being locked down, people were also fearing that they would lose their money. So this highlights the risks that data breaches pose to the financial industry. Other than that, there are other types of risk, like unauthorized access and malware attacks. Service disruption is also a significant risk to the banking sector, because most of the modern services are hosted by third-party service providers, or some of the key services are provided by service providers, so whenever there is an operational issue with those providers this causes service disruption, and this then translates to operational cost and losses for the sector. A few other risks are mentioned there as well.

So during the project there was, as I mentioned before, a survey. Just to quickly relate to the topic of cyber security risk, one of the questions provided during the survey was whether the financial industry has any knowledge of cyber security incidents
related to service providers in the last 12 months, and the answers here are pretty evident of the perception, or of the knowledge, of cyber security incidents from the perspective of the financial industry, because this is quite evident and it tells us that it needs its deserved attention. Related to this, I also would like to present a few trends from the more renowned reports that are published. One of them is from the Verizon Data Breach Investigations Report; this is from the time when the research was done, in 2023, and this highlights the point of entry, or the attack vector, in data breaches, where we can see that the attack vectors from the partner or the software updates feature prominently in the top two positions. On a similar report, on the share of cyber security risk per type of malware from the IBM Cost of a Data Breach Report in 2023, we also see that attacks on business partners and the software supply chain also feature prominently. So this underscores the importance, or the criticality, that service providers pose to the financial industry, and all the risks that are implied by using such services.

So what is the current role of regulatory frameworks in the banking sector or financial industry of Kosovo?
There are two aspects to this. The first one: there is a Regulation on Information Technology for banks, which was published in 2020 by the Central Bank of Kosovo, and it is quite a basic regulation which lists the basic requirements for the management of service providers. It does not go too much into the details. It also lists the definition of minimum standards that service providers need to have in order to manage their risks, and it puts emphasis on the contractual obligations of the business relationships with the service providers in terms of information security policies. Which are the oversight measures that the CBK, the Central Bank of Kosovo, uses to apply this regulation? They are through security audits by the central bank; they also need access to internal and external security audit reports; and they also have provisions where they recommend penetration testing of critical services. I need to highlight the critical services that are offered by third parties in terms of the digital services that the banks use.

Another aspect of regulatory frameworks is the recently adopted Law on Cyber Security in Kosovo. This law was adopted in 2023, and it is more detailed; it highlights the obligations of service providers in the event of a cyber incident. These clauses mandate that service providers need to notify the relevant authorities in cases where there are confirmed cyber security incidents; the notification needs to be made to the Cyber Security Agency of Kosovo. Which are the key enforcement measures? I am going through these briefly. In case you do not meet the requirements that are listed under the provisions of the law, there are financial fines imposed for non-compliance with cyber security measures, and the objective is to ensure that the security and resilience of digital services in Kosovo is improved and to also establish the obligations. A significant aspect of this is that there is also a provision that compliance with future regulations by the Cyber Security Agency of Kosovo needs to be well
established. Other relevant legislation that pertains to the cyber security services of the financial industry are the other two: the Law on Protection of Personal Data as well as the Law on Critical Infrastructure.

So now we go into the most important part of the research, which was to analyze the trends based on the surveys that were performed with stakeholders from the financial industry and service providers of the banking sector. I will just show the charts and the questions and then give some of my insight. One of the initial things was to ask the respondents about the cyber security challenges faced by the financial industry when working with service providers, and this is important because it highlights that insufficient cyber security measures ranked higher than data breaches and non-compliance issues. This is indicative that there is also not enough clarity in the financial industry, because non-compliance issues should be more prevalent, because non-compliance includes the other concerns that are ranked higher. Another one is the perception of the level of risk posed by service providers as seen by the financial industry. In regards to this, the question posed was: what is the current level of risk posed by service providers for the financial industry? Half of them responded that the level of risk is high, while another 41% highlighted that it is medium, which underscores the importance of the perception of how the financial industry sees the risk posed by service providers. The next one is about the confidence of the financial industry entities in the cyber security measures of their service providers, and we can see here that only about 9% of them believe that the cyber security measures of their providers are sufficient enough, while 68% of them believe that they do not have enough information and therefore replied neutral. Then another one is the perception of effectiveness of cyber
security measures by service providers, and the question was about how effective the current cyber security risk assessments are when onboarding or partnering with third-party service providers. Through these answers we can understand that even they admitted that there is not enough being done in this aspect, because only 12% of them believe that the onboarding processes are effective, while the rest believe that they are somewhat effective, and the not-so-good measures are also prominently highlighted. The next one is about transparency, which I believe is quite important when dealing with third-party service providers. When we asked the question of how satisfied the financial industry is with the transparency provided by the service providers about various issues, only 9% of them responded that they are happy enough, that they are confident in the transparency communicated by service providers, while the majority, 59% of them, replied that they are neutral to it. Looking through all of these answers, we get all kinds of perceptions and thoughts about what could be done to improve such a situation. So the next question deals with whether the financial industry feels that there is a need for a standard that would regulate the cyber security measures for third-party service providers, and the answer could not be clearer, in that it highlights that the financial industry strongly believes that there should be some clarity, there should be some framework or regulation that would strictly regulate the business relationships as well as the security measures that service providers offer to the financial industry.

Going next, now I will also briefly go through the details of the data analysis from the survey filled in by the service providers. One of the questions was: how does your company ensure the protection of sensitive information? Here I think we can gather some interesting data
in that the service providers believe that data encryption and access controls are important security measures to ensure the security of their data, but further down we see that compliance with data protection standards only has 15% weight in their answers. This indicates that even the service providers are not fully aware that if you comply with specific data protection standards, this encompasses the other measures that are ranked higher in this survey, which are data protection and access controls. This indicates that, while they believe that, for example, access controls are good enough to maintain data security, unless you are compliant with some specific standards or requirements you can never know if they are effective, because they may be ad hoc access controls, and unless you are obliged to comply, it can leave a lot of room for speculation. The next one was the readiness of service providers to respond to a cyber security incident. They did claim that they are ready, with 56% of them claiming that they have the capacity to respond and that they have a documented incident response plan for cyber security breaches. However, the final question, among many others, is about the readiness of the service providers to pay for cyber security insurance that specifically covers cyber security risks, and the answer here is pretty indicative of the readiness of the service providers to pay for insurance coverage: we see that only 16% of them replied that they do have insurance coverage for potential cyber security risks. This indicates a big area of potential improvement, because having a cyber security insurance plan would help to offset the costs that would be involved when you have a cyber incident, when the data of your clients or your own data is breached.

So, to provide an overview of the conclusions from the survey data: non-compliance is a key risk. Obviously non-compliance is a key risk from service providers, because this
includes insufficient cyber security measures and data breaches. The services with the highest risk for the financial industry are online and mobile banking, payment processing and infrastructure management. This is not to say that these services are the most vulnerable, but these are the more important ones, and a potential cyber security incident in these services would bring higher risk and higher exposure to the financial industry. The perception of risk is very high due to the lack of tested incident response plans from the service providers, as well as the lack of transparency in incident disclosure from them towards the banking sector. Another significant fact is that service providers are not willing to invest in cyber insurance, and this is a significant concern because, as I said earlier, cyber security insurance coverage for service providers as well as the financial industry would provide a very welcome layer of cost reduction in terms of cyber security incidents. Service providers are not fully keen on security assessments from independent parties, and as a member of the financial industry I can attest to that, because even though we insist on having contractual obligations for the service providers to have regular security audits, like penetration testing, security attestations or similar, there are problems which have potential for improvement. And finally, there is a pressing need for regulatory clarity, given the low confidence in the cyber security of service providers and the related experiences from regional incidents.

So after analyzing all this survey data, providing the overview of the regulatory landscape and analyzing briefly what the services and the risks are, the objective of the research was to come up with a proposal and a strategy. Here comes the strategy for a third-party risk management framework, which is two-directional: the proposal lists two possible ways to implement this. One of them is if the TPRM, or third-party risk management,
framework would be adopted by the Central Bank of Kosovo. In this aspect there is a proposed regulation or standard, and briefly I will list the key important points. This framework would provide clear cyber security objectives for financial institutions and third-party service providers. As for the guidelines, we would not need to invent something new; I mean we would need to use the best practices, so the guidelines should include best practices, recommended security controls and standards, as well as compliance requirements, and this framework would aid the financial sector in aligning to the proposed framework. Mandatory compliance should also feature prominently in the framework, in that financial institutions and providers must demonstrate compliance with these specific regulations in key business processes to ensure data security and confidence in their business integrity in the market. What are the methods by which this framework would be enforced? It would be done through regular audits, self-assessment or third-party certifications. It would ensure that cyber security is integral to business operations and security governance.

And then on the other side, the proposal also proposes that this framework should ideally be adopted by the Cyber Security Agency of Kosovo, and the proposal is as follows. When establishing the third-party risk management framework, this would identify a structured approach for, firstly, identifying, assessing and monitoring all the third-party risks for the critical national infrastructure that the Cyber Security Agency would be accountable for and responsible to protect. It would also provide applicable mandatory compliance across the financial sector as well as the other sectors of CNI, critical national infrastructure. And again, we would not need to be doing our own, but instead use the best practices, and in this regard there is the recently adopted EU DORA regulation, more specifically Chapter V, which has the provisions about strengthening IT security in the EU financial sector, and this may be used as
a very good model for similar regulation in the financial sector or other sectors of critical national infrastructure in Kosovo. More specifically, I have listed the five key pillars that are in this chapter, which would provide a very good baseline to have the third-party risk management framework. Other possible best practices also include the NIST Cybersecurity Supply Chain Risk Management guidance, which provides guidance on risk management in supply chains or third parties at all levels of every organization. Also suggested or recommended are the ISO 27001 standard, which emphasizes risk management in supplier relationships, as well as the ENISA Threat Landscape, which informs the development of strategies depending on and compared to the trends of supply chain attacks, and also the NCSC supply chain risk guidance; this is a very practical approach that offers steps for assessing cyber security in supply chains for organizations of all sizes, from small businesses all the way to government agencies. The impact of this proposal, if it would be adopted and applied by the Cyber Security Agency of Kosovo, is that it would provide more effective management of cyber security challenges in Kosovo's financial industry, and also it would be a significant step for enhancing the resilience of Kosovo's financial sector, but also other sectors of critical national infrastructure.

So after going through all this, what is the future and what are the challenges regarding the proposal? Firstly, the key one, the big wall, is that the Cyber Security Agency of Kosovo is yet to be established. Although the Law on Cyber Security was adopted in February 2023, one of the first actions that was supposed to happen after the adoption of the law was to establish the Cyber Security Agency, and here we are, one year and a half later, and the Cyber Security Agency is still not there. Although there have been some steps, like bylaws and strategies adopted, the Cyber Security Agency, with its leadership or the specialist cyber security analysts, has
not yet been established. And then the other dilemma is, once the Cyber Security Agency is established, whether there will be plans to adopt a third-party risk management framework, and that is another challenge that needs to be seen in the future, to see how this will move along.

And then, suggestions for future case studies about similar topics: I have listed a few of them, such as providing research data about specific risks and implications, like financial, regulatory, operational and reputational implications upon the adoption of a TPRM framework. It would also improve monitoring of TPRM adoption. Another study would look at how to utilize emerging technologies like artificial intelligence or other emerging technologies, and how such a framework would need to be adapted to address those technologies. And finally, with a panoramic view of the Defence Academy campus where the program was done, I thank you for your attention, and now I am ready for any questions.