Cyber attacks on some institutions in the financial system this year were “characterized by social engineering,” Central Bank (BC) Inspection Director Ailton de Aquino Santos said. The director also pointed to actions taken by the BC in recent months, such as capital requirements for IT service providers (PSTIs) and the change in the rules for pooled accounts.
“It is proof that the central bank cares and that we need to move forward, and we also need to act as direct supervisors of each institution,” he said, while participating in the 15th International Risk Management Conference organized by the Brazilian Banking Federation (Febraban).
When asked if the BC had been late in discovering cyber vulnerabilities in the industry, the director said it had not. “I think we’re not late. In everything we’ve done, we’re not late.” “Pain always teaches us,” he added.
The director stressed that there are currently 300 payment institutions and that a systematic approach is needed to strengthen the risk culture. “We need to strengthen the risk culture in these entities, and we need to enhance cyber resilience in these entities,” he said.
Aquino also noted that the BC’s recent actions were very clear in this regard. “When we clearly see that in most of the attacks, and in the two major cyber incidents, at C&M and Sinqia, there was always a large number of IPs (payment institutions) involved, then something needs to be done,” Aquino said.
For the director, there are two standards that should be discussed with the industry: one on communication via APIs (Application Programming Interfaces) and the other on third-party services. “Why do I consider third-party services essential? The events were characterized by social engineering, and involved third parties. We learned that.”
According to the director, third-party risk is one of the most important risks in the financial system. “How you deal with third parties in-house, how you control them, how you manage them, is one of the most complex risks,” he said.
Aquino also noted that “operational risks break the organization.” According to the director, “We had two (cyber) incidents, and small enterprises suffered the impact, lost part of their assets, fell out of compliance and could perish. This is the message I leave to you, ladies and gentlemen. Be careful, handle the risks very well, map the risks, and strengthen your internal audit processes.”
Asked whether the System of Risk Assessment and Control (SCR) methodology used in bank supervision could also be applied to non-banking institutions, Aquino said yes, and that the move is being made in a planned way.
The director indicated that the first tests are now being conducted and that the system is scheduled to enter full production in 2026.
“The internal decision is to apply the same rule to everyone. We will move in this direction. It does not matter if it is a payment institution or an SCD (direct credit company), it does not matter if it is a peer-to-peer lending company (SEP), it does not matter if it is a large cooperative with assets of R$20 billion. We need to apply the same rule,” he explained.