Governor of Bank of Italy on Addressing Cyber Risk in Financial Sector
At the G7 Conference in Paris, Mr. Ignazio Visco, the Governor of the Bank of Italy, discussed the ongoing evolution of cyber risk in the financial sector and the ways to address this risk. Mr. Visco highlighted that in cyberspace externalities are not contained within national borders and that the increasing reliance on third-party suppliers who fall outside the jurisdiction of financial authorities is one important source of cyber risk for supervised entities. He outlined cross-industry and cross-border cooperation, issuance of common security standards for hardware and software, and the use of artificial intelligence by supervisory authorities as the means to deal with the increasing cyber-security issues.
In the past, attackers have leveraged vulnerabilities in the IT systems of third parties to strike financial institutions. In the G7 Fundamental Elements For Third Party Cyber Risk Management in the Financial Sector, which was published last year, tenets on the appropriate management of third-party risk were introduced. Work on implementation of these tenets must now be accelerated, said Mr. Visco. When it comes to third parties that operate in regulated sectors, such as energy and telecoms, the different authorities must step up their coordination and cooperation efforts. Within each country there needs to be a cohesive national system of cyber defense that allows different authorities to work together effectively. In this context, governments have a natural role as coordinators.
The financial sector remains a prime target and such risks cannot be effectively mitigated by simply mandating supervised entities to follow good practices. Complex attacks can be deployed via obscure tools. Even large financial institutions with excellent (and expensive) defense systems can be lost in the face of cutting-edge threats; they can, of course, work out some of the technical details, but they might miss some of the broader, systemic elements, simply because they ignore relevant information such as precedents that affected other sectors, attacker tactics, and effective defenses adopted elsewhere. This kind of information is generally available only to intelligence agencies and the military. Cross-sector, nationwide as well as international cooperation is, therefore, essential. There needs to be a mechanism in each country that allows appropriate public bodies to coordinate and jointly support, each within its own mandate, the victims of a cyber campaign. In EU, the Network and Information Security (NIS) Directive takes this course.
Next, he added that cooperation must extend beyond borders, given the nature of many of the attacks and the interconnectedness of the financial system. This will always be a challenge because disclosing vulnerabilities to entities from another jurisdiction might endanger national security. Nonetheless, feasible solutions need to be found for this problem, since this kind of information-sharing might prove crucial for responding to some attacks. He said that the G7 remains the most favorable context for international cooperation—the many achievements of the G7 Cyber Expert Group (CEG) provide a good example of what can be done. The CEG was established in 2015 under the German presidency and it went on to deliver results during the presidencies of four other countries—Japan, Italy, Canada, and France. "We need to persevere on this route," said Mr. Visco.
According to Mr. Visco, one area that is ripe for more cooperation is the establishment of common security standards for hardware and software, which also covers the growing market for financial technology apps. In EU, a new regulation (which is currently under approval) will introduce a mechanism of cybersecurity certification for many products. This is an important step, but it would be more effective if G7 countries could converge at least on a subset of requirements. "If a service is not safe according to our own laws, it should not be on the market—and there should be a reasonable degree of convergence between laws in like-minded jurisdictions." Finally, he highlighted that artificial intelligence introduces new possibilities in cyber-security. It facilitates the detection and the exploitation of vulnerabilities, which the attackers know; therefore, the attackers are starting to deploy machine learning to analyze and penetrate target systems. Cyber-security companies use the same artificial intelligence analytic tools, with the goal of fixing the weak spots. By the same token, authorities could employ artificial intelligence to ascertain whether supervised entities are meeting mandated security standards on a continuous basis, added Mr. Visco.
Related Link: Speech
Keywords: Europe, EU, Italy, Banking, Cyber Risk, Cyber Security, Artificial Intelligence, Suptech, G7, Cross Border Cooperation, Systemic Risk, Operational Risk, Bank of Italy, BIS
Featured Experts

María Cañamero
Skilled market researcher; growth strategist; successful go-to-market campaign developer

Pierre-Etienne Chabanel
Brings expertise in technology and software solutions around banking regulation, whether deployed on-premises or in the cloud.

Nicolas Degruson
Works with financial institutions, regulatory experts, business analysts, product managers, and software engineers to drive regulatory solutions across the globe.
Related Articles
EBA Proposes Guidelines for Establishing Intermediate Parent Entities
EBA issued a consultation paper on the guidelines on monitoring of the threshold and other procedural aspects of the establishment of intermediate EU parent undertakings, or IPUs, as laid down in the Capital Requirements Directive.
EC Adopts Financial Reporting Changes Arising from Benchmark Reforms
EC published Regulation 2021/25 that addresses amendments related to the financial reporting consequences of replacement of the existing interest rate benchmarks with alternative reference rates.
BIS Bulletin Examines Key Elements of Policy Response to Cyber Risk
BIS published a bulletin, or a note, that examines the cyber threat landscape in the context of the pandemic and discusses policies to reduce risks to financial stability.
HMT Updates List of Post-Brexit Equivalence Decisions in UK
HM Treasury, also known as HMT, has updated the table containing the list of the equivalence decisions that came into effect in UK at the end of the transition period of its withdrawal from EU.
EBA Issues Erratum for Technical Package on Reporting Framework 3.0
EBA published an erratum for technical package on phase 1 of the reporting framework 3.0.
APRA Publishes FAQ on Measurement of Credit Risk Weighted Assets
APRA updated a frequently asked question (FAQ), for authorized deposit-taking institutions, on the measurement of credit risk weighted assets.
EBA Publishes Risk Dashboard for Third Quarter of 2020
EBA published the quarterly risk dashboard, along with the results of the Risk Assessment Questionnaire survey among 60 banks and 15 market analysts.
ECB Analysis Shows Privacy as Biggest Concern in Use of Digital Euro
ECB concluded the public consultation on the introduction of a digital euro in EU.
ECB Analysis Shows Privacy as Biggest Concern in Use of Digital Euro
ECB concluded the public consultation on the introduction of a digital euro in EU.
ECB Finalizes Guide on Supervisory Approach to Bank Consolidation
ECB published a guide that sets out the supervisory approach to consolidation in the banking sector.