CREST calls for appropriate, multi-party cyber resilience testing on financial entities in developing countries.

International information security accreditation and certification body CREST has published a new guide to fostering financial sector cyber resilience in developing countries. The nonprofit's Resilience in Developing Countries paper forms part of its work in encouraging greater cyber readiness and resilience in emerging nations to help protect key industries from cyberattacks.

The guide outlines that, while increased financial inclusion is a global goal, the less privileged remain highly susceptible to cyberthreats. It also describes the need for appropriate, multi-party cyber resilience testing to ensure better cyber safety in developing nations, along with advice for governing authorities.

Low cyber resilience of financial entities in developing countries

Cyber resilience of financial entities in developing countries is often relatively low, leaving them and their clients considerably exposed to cyber risks, the guide says. Global developments since 2016 have underscored the need to improve the cyber resilience of financial entities and of the financial sector as a whole. "Large-scale rapid digitalization of financial products and services and supply chain extension by increasing use of third-party entities, combined with geopolitical tensions, have provided new opportunities and motivations for hackers, malicious insiders, organized crime groups, and nation-states alike." While this applies to all countries, developing countries face an additional element, CREST said. Ongoing digitalization in the financial sector has created an opportunity for considerable improvements in financial inclusion, i.e., bringing less-privileged people into the financial system and giving them access to credit, savings, and payment services. However, it has also exposed the formerly unbanked to cyber risk.

"Any theft of their digital savings, malicious alteration of their data, or obstruction of the financial infrastructure in general, can affect the less-privileged hardest, directly endangering their businesses, families, and possibly even their lives," CREST wrote.

Interestingly, Cisco's Cybersecurity Readiness Index revealed last month that organizations in developing countries in the Asia-Pacific region are better prepared for cybersecurity incidents than those in developed countries. Lower technical debt and fewer legacy systems in emerging-market organizations, compared with their peers in developed markets, is likely an influential factor, making security solutions easier to deploy and integrate across IT infrastructures, Cisco said.

TLPT can develop cyber resilience in developing countries

Central banks and financial authorities have an important task in raising their financial sector's level of cyber resilience, the paper says. One common element under consideration is threat-led penetration testing (TLPT), which can improve cyber resilience through controlled testing processes.

However, TLPT is most effective when applied to relatively "cyber mature" financial entities. Its effectiveness also depends on the maturity of the authority in charge and of the cybersecurity service industry in the country or region, CREST said. "If authorities pursue a policy to have financial entities tested according to the respective TLPT frameworks, they have to consider the possible capacity and quality restrictions of local cybersecurity service providers and consider options to catalyze development of the market for cybersecurity services," the guide says.

Assuming the central bank is the authority in charge, it must invest in a dedicated team, headed by a senior manager, that closely monitors each test process to ensure tests are performed according to the applicable testing framework and that service providers meet the required quality criteria, CREST said.

"To avoid supervisory judgement during the test process and the test becoming a mere compliance exercise, this team must sit at arm's length of the supervisory and oversight functions to ensure a smooth test process." As long as supervisors and overseers are involved in scoping at the start of the test process and receive the entity's remediation plan at its end, their responsibilities are well taken care of.

Authorities pursuing a TLPT program will help improve the cyber resilience of the most critical financial entities while also contributing to the maturation of the local market for cybersecurity services. However, close and constructive collaboration among all parties, private and public, is key, CREST said.