FS-ISAC PDF

FS-ISAC And that's Christophe Barrel from a not-for-profit organization called FSISAC. It's the short form for Financial Services Intelligence Sharing and Analysis Center. So, Christophe, welcome to the show. If I could flip it over to you to introduce yourself. Sure. Hi, Danny. Hi, everyone. So, my name is Christophe Barrel. I'm the head of APAC at FSISAC indeed, where I lead the regional strategy and operations. I oversee member engagement in the region, and I work closely with key public and private stakeholders. Right. Thanks, Christophe. So, my name is Danny. I work at Mastercard. And currently, I'm the regional chief security officer for Mastercard here in Asia-Pacific. We have a approach towards security. That means we cover everything security from protecting our information, our data, our cyberspace, as well as the physical space. Right. So, if we could quickly kick off with the first question. So, Christophe, could you help explain what FSISAC does and the purpose itself? Sure. So, as you mentioned, the FSISAC is the Financial Services Information Sharing and Analysis Center. So, we are the global cyber intelligence sharing community, but solely focused on financial services. We are member-driven, not for profit. And our goal is to advance cybersecurity and resilience in the global financial system. We focus on three, I would say, big pillars – intelligence, resilience, and security. FSISAC members represent over 5,200 member firms in 75 countries, totaling over US$100 trillion in assets. In the region, we operate here in Singapore as the HQ for APAC, as well as in Australia, Japan, and India. We set up our Singapore office here in 2017, with the strong support of Monetary Authority of Singapore, MAS. Our members come from the financial sector at large, so banks, insurance, investment firms, exchanges, payment, fintech, crypto companies, and more. ISACs, in fact, were created precisely to help preserve critical infrastructure, including financial, through intelligence sharing and collaboration. FSISAC, as you know, turns 25 years old this year, but its mission is more relevant than ever. While country-specific ISACs do exist around the world, they tend to share only among local firms and not globally, making FSISAC's role all the more critical as, you know, because cybercrime knows no borders, right? FSISAC offers a global reach to its members, allowing them to not only focus on domestic and regional issues, but also the ability to tap into global intelligence and expertise. So with a global intelligence network, financial firms that are members of FSISAC are actually able to preempt potential attacks while getting real-time threat reporting and also peer expertise from around the world. And we also run exercises for our member firms. That's the resilience aspect. Yeah. So first of all, happy 25th birthday to FSISAC. I think you guys have come a really long way. And just now you were mentioning the threat landscape. So if I could pivot to our second question, which is, what are the key types of threats you're seeing and how are they evolving? Sure. So the first type of threat is related to artificial intelligence, gen AI. There has been a rise of AI-enabled threats over the past few years. Cyber criminals are harnessing the potential of AI to automate and refine their techniques, elevating the complexity and adaptability of their attacks. AI tools lower the barrier of entry, allowing even low-skilled threat actors to launch more complex attacks. Gen AI tools are being used to create highly fraudulent laws, very realistic, so fake emails, voices, images, making detection more difficult. Skilled cyber criminals can exfiltrate or inject contaminated data into large language models, training gen AI. And such corrupted gen AI outputs can then lead to severe legal, reputational, or operational consequences for financial institutions. Additionally, gen AI is known to be prone to hallucinations, could lead to data loss, and negatively impact critical decisions as well. I think organizations and regulators should adjust strategies amid the ongoing technological arms race. Earlier this year, FSISAC put out a set of white papers on AI, the result of intensive collaboration among hundreds of contributors from the financial sector, but also other partners. By the way, the audience can check out those white papers on our public website if they want to. These collaborative efforts aim to create a more robust and resilient financial ecosystem, which is less prone to AI-related risk. The second type of threat is related to quantum computing, and I know we discussed it recently. Even though the technology isn't completely established, advancements in quantum computing have the potential to break current encryption methods and therefore transform various sectors like financial services and cybersecurity. Financial firms should start developing new encryption and security measures to stay ahead of potential threats. Similarly, collaborative efforts and industry guidance, such as FSISAC's Post- Quantum Cryptography Working Group, are crucial in preparing for the changes ahead. Third, the increased sophistication of conventional methods such as ransomware. Today, ransomware tactics are growing more sophisticated with triple extortion attacks and ransomware as a service, making it easy for cybercriminals, probably too easy, with minimal technical expertise to launch an attack. Triple extortion is a type of ransomware attack in which a cybercriminal extorts their victim multiple times by encrypting data, exfiltrating data to expose them, and threatening another attack. Ransomware as a service makes attacks easier. Again, in this model, affiliates pay a fee to use the ransomware and split the profit from successful attacks. Lockbit, that probably everyone here heard about over the past couple of years, became the most active ransomware group in 2023, averaging nearly $1 million in ransom demands per attack, which is huge. This example highlights the escalating threat posed by ransomware attacks, especially their potential to severely impact critical sectors. The repercussions extend beyond financial losses, including operational downtime, reputational damage, and compromised public trust. All these trends I just mentioned are set to continue, unfortunately, particularly in our region here in AIPAC. FSISAC's latest annual report, in fact, Navigating Cyber 2024, shows a surge in cyberattacks across AIPAC with ransomware targeting financial firms the most. The report reveals a staggering 15% year-on-year increase, averaging about 2,000 attacks per week with more complex tactics by threat actors, and a growing vulnerability in the financial services supply chain. This underscores the ever-increasing importance of cyber resilience for the financial sector. Yeah, thanks for sharing that, Christophe. I think these days it's very difficult to go through, you know, five minutes of conversation without mentioning AI, for example, and it's hard to go through 10 minutes of conversation without talking about PQC or post-quantum computing. And last but not least, ransomware, especially triple ransomware that you mentioned. I think all these are clear and present danger. And the other thing that I really like about FSISAC is your community of interest, COI, that tackles each of these different areas of concern and has brought so much value and support to us here in the industry. So going back to what you mentioned about the public-private partnership, right? So perhaps you could share why is, you know, such collaborative public- private approach, you know, so essential for tackling these sorts of cybercrime from ransomware and beyond? And how exactly does an organization like FSISAC play this role? Thanks, Annie. I appreciate the question. So as we discussed earlier, borders do not confine cyber threats. And in today's interconnected digital landscape, no single firm can anticipate all potential cyber threats on its own. Hence, global information exchange and international collaboration are indispensable in effectively preventing and countering these risks across diverse regions and jurisdictions. Talking about PPP, so at FSISAC, we actively engage with our member financial institutions, but also sector associations, governments, law enforcement, and other key stakeholders to further the collective security of the financial sector. FSISAC offers a platform where members can exchange real-time information on emerging threats, vulnerabilities, and incidents. This immediate flow of intelligence allows institutions to stay ahead of cyber threats and respond swiftly to potential attacks. To facilitate effective global collaboration on intelligence and resilience, which are two of the biggest pillars I mentioned earlier, FSISAC's international network encompasses many public- private partnerships worldwide. For resilience-related analysis and coordination, FSISAC's resilience team collaborates with public-private partners before, during, and after crises, right, cyber incidents, to assess risk to the sector and also incident impact severity, plus, you know, share information on sector operational capabilities. The financial sector is highly interconnected again, right, relying on a complex network of relationships and systems. FSISAC plays a vital role in fostering a unified effort and ensuring that cyber security measures are cohesive and comprehensive across the board, across the sector. This collective approach, which is key here, strengthens overall resilience because all our member firms, small and large in fact, work together to address vulnerabilities and defend against coordinated attacks. Yeah, thanks for sharing that, Christophe, because so far we've been speaking more in general about, you know, what FSISAC has done, but if you could share a specific case on exactly how FSISAC has helped, you know, the community through a cyber issue where, you know, we are able to all collaborate. Sure, so I'll take one example here. I will highlight the CrowdStrike outage in July 2024, where I think we played a critical role in supporting our members, the financial sector, in fact, through a coordinated response. At the heart of our mission at FSISAC is ensuring the resilience and continuity of the global financial services infrastructure, particularly when faced with incidents that could significantly impact the sector's ability to provide services critical to the global economy, such as what happened in July with CrowdStrike. Collaboration underpins all that we do at FSISAC and was central to our response to the incident. So, in the immediate aftermath of the incident, FSISAC acted swiftly to provide actionable intelligence. I think actionable is very important here. So, to our global network of financial firms, through our trusted information exchange platform, FSISAC organized live calls for intelligence briefings and updates, creating a collaborative environment where members could share insights, ask questions, and report on their responses to the disruption itself. We also set up dedicated communication channels, so we have a tool for that, for the exchange of technical information and intelligence on the not only origin but also cause and mechanism impact of the disruption. We also assisted with coordination of mitigation strategies and public messages through the media, presenting a unified front or response for the financial services sector as a whole. We engaged directly with CrowdStrike's leadership as well to coordinate members' response to the incident. So, in fact, the CEO of CrowdStrike personally briefed FSISAC members, providing valuable insights into the incident and mitigation strategies. This briefing was, unsurprisingly, the most attended in FSISAC's history, demonstrating the importance of expert-led discussions in understanding and addressing complex cyber incidents. FSISAC's efforts not only helped manage the immediate crisis but also facilitated continuous learning and resilience building by opening channels for members to share lessons learned, operational risk considerations, and best practices, reinforcing the sector's overall resilience against future challenges. Thanks for sharing that, Christophe, because I remember that fateful Friday, 19th of July, I think one of the first groups of people that I leaned towards was FSISAC. Your Threat Intel started pushing on defamation. We're also calibrating our approach with the rest of the CISOs in CISO Congress as well as the Asia Steering Committee. I think these are all different platforms that we can collectively come together to not just share Threat Intel, but more importantly, to calibrate our approaches so that we may not necessarily be overdoing or underdoing. And I think because of the leverage of FSISAC, you were able to speak directly with CrowdStrike and invite their most senior leaders to come brief us. I think that is a very clear example of the value that FSISAC brought to the financial services industry, and it's something that I think not just myself but the whole community really appreciate. So if we could move on to the next question, right? So Christophe, can you share some insights on some of the key entities involved globally with FSISAC and how they interact with one another? Sure. So FSISAC connects, connects the dots and connects a wide range of financial organizations globally. These members and partners interact within a secure, trusted environment. Those are keywords to share, exchange critical information on cyber threats, fraud, and best practices. I haven't mentioned fraud much before, but that's a new area of focus for FSISAC. So how do they interact? First, via intelligence sharing. Members contribute and access a wealth of outsourced intelligence on cyber threats and incidents. This intelligence is enriched and analyzed by FSISAC's Global Intelligence Office, providing member firms with actionable insights that help them reinforce their security and resilience, which in turn improves the overall security and resilience of the global financial system. Another way is via collaborative working groups. You mentioned COIs, communities of interest. FSISAC forms specialized working groups where members collaborate on emerging threats like AI risk or post-quantum cryptography, as I mentioned earlier. These groups develop best practices, white papers, and frameworks that members can adapt to their own organizations. For instance, FSISAC AI risk working group comprises experts from across the sector, incorporating input from government agencies, standards bodies, academic researchers, and financial services partners, and share technical knowledge, guidance frameworks, and other expertise to, in fact, benefit the industry. Their efforts have resulted in six white papers providing actionable guidance tailored specifically for the financial sector. Additionally, FSISAC established the Critical Providers Program to foster a strategic and tactical working relationship between member firms and their critical providers at the sector level. By focusing on reducing third-party cyber risk, the program helps prevent service disruptions and promotes transparency within the financial community, particularly as critical service providers increasingly host, connect, and safeguard a significant portion of financial institutions' infrastructure. The third point I wanted to touch on here is cross-sector and public-private coordination. As I mentioned earlier, FSISAC plays a very important role in coordinating global efforts across different geographies, jurisdictions, and sectors, including public-private partners. In the face of large-scale cyber threats, FSISAC, through our Global Intel Office and Resilience Team, plays a critical role in the rapid dissemination of intelligence, industry, and analysis plus mitigation guidance to support impacted firms while coordinating industry and public-private incident response efforts. An example in the local context of Singapore here, in July 2023, FSISAC strengthened its commitment to collaborative cyber security by signing a MOU, a Memorandum of Understanding, with CSA, the Cyber Security Agency of Singapore. This renewed partnership focuses on enhancing information sharing and participating in cyber exercises within the financial services domain. Such alliances underscore FSISAC's commitment to collective security and the importance of working really together to advance industry-wide security knowledge and resilience. In addition, FSISAC coordinates and facilitates member participation in large, global-scale cyber exercises like NATO's Lock Shields exercise, for example. These exercises involve members and sector partners in engaging in discussions based on realistic scenarios and are designed to build the necessary skills, training, and playbooks that enable members to respond swiftly and effectively to cyber threats. It's all about being ready. Through these interactions, FSISAC fosters a collaborative and proactive approach to cyber security, allowing global financial entities to work together to reduce cyber risk and build resilience. Yeah, Christopher, what I really like, the thing that you mentioned is, when you mentioned the commodity that we truly trade in, which is trust, and you have both our regulators, which is the Monetary Authority of Singapore, as well as the Cyber Security Agency of Singapore that you're working very closely with. And working through this commodity of trust, you are then able to provide actionable intelligence that is accurate, relevant, and timely. And this allows the whole community, the whole ecosystem to not just protect ourselves, but the entire ecosystem. And that's really amazing what you have done. And if we could pivot to the last question, so what are some of the elements that enable a good public-private partnership in FSISAC's experience? So, yeah, thanks for the question, Danny. A successful public-private partnership in our experience is built on several key elements. The first one is building and safeguarding trust in the industry. Establishing strong relationships based on mutual trust, as you highlighted, is essential for effective partnerships. Open communication and collaboration between public and private entities, along with aligning on the shared objectives, like protecting critical infrastructure and enhancing cybersecurity, ensure that both sectors work towards the same outcomes. The second one is actionable intelligence and secure collaboration in a trusted environment. FSISAC provides a trusted platform and environment that enables members, firm, and partners to collaborate effectively and securely, including sharing information in real time and coordinating responses to cyber incidents. FSISAC also provides timely actionable intelligence on incidents, including insights into threat actor capabilities, TTPs, you know, the tactics, techniques, and procedures, and IOCs, indicators of compromise. The third point here is involving industry stakeholders in the PPP context. Key to these partnerships is the active involvement and participation of many industry voices and stakeholders from both the public and private sectors. For example, as I stated earlier, at FSISAC, specialized working groups bring together not only FSISAC experts, but also leading voices from member firms and other industry stakeholders across public and private sectors to provide industry guidance on key issues. Focusing on critical areas and emerging threats, these working groups are integral to empowering the collective financial services industry through white papers, best practices, and guidelines on mitigating these threats. By integrating these elements, FSISAC fosters a strong, effective public-private partnerships that are essential for responding to large-scale threats and enhancing the resilience of the financial sector globally. Yeah, so on behalf of Mastercard as well as Nanyang Technological University, we really appreciate what FSISAC is doing to, you know, protect the whole ecosystem. I think what FSISAC is doing is really, really important, more so as our threat landscape continues to evolve. Our TTPs and IOCs need to be, you know, current. We need to continue sharing timely, actionable intelligence so that we can all collectively protect ourselves. So we truly appreciate the partnership with FSISAC, but more importantly, the friendship that you have brought to us. With that, Christophe, on behalf of Mastercard and Nanyang Technological University, we want to really thank you for your time today, speaking to our students. I know for sure that we'll all walk away with a better understanding of how organizations like FSISAC protect our whole ecosystem. With that, Christophe, thank you very much, and we'll see you again.

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue