CREST calls for appropriate, multi-party cyber resilience testing on financial entities in developing countries.

International information security accreditation and certification body CREST has published a new guide to fostering financial sector cyber resilience in developing countries. The nonprofit’s Resilience in Developing Countries paper forms part of its work in encouraging greater cyber readiness and resilience in emerging nations to help protect key industries from cyberattacks.

The guide outlines that, while increased financial inclusion is a global goal, the less privileged remain highly susceptible to cyberthreats. It also describes the need for appropriate, multi-party cyber resilience testing to ensure better cyber safety in developing nations, along with advice for governing authorities.

Low cyber resilience of financial entities in developing countries

Cyber resilience of financial entities in developing countries is often relatively low, leaving them and their clients considerably exposed to cyber risks, the guide read. Global developments since 2016 have underscored the need to improve the cyber resilience level of financial entities – and the whole financial sector. “Large-scale rapid digitalization of financial products and services and supply chain extension by increasing use of third-party entities, combined with geopolitical tensions, have provided new opportunities and motivations for hackers, malicious insiders, organized crime groups, and nation-states alike.”

While this applies to all countries, developing countries have an additional element, CREST said. Ongoing digitalization in the financial sector has provided the opportunity for considerable improvements regarding financial inclusion — i.e., bringing less-privileged people into the financial system and giving them access to credit, savings, and payment services. However, this has exposed the formerly unbanked to cyber risk.
“Any theft of their digital savings, malicious alteration of their data, or obstruction of the financial infrastructure in general, can affect the less-privileged hardest, directly endangering their businesses, families, and possibly even their lives,” CREST wrote.

Interestingly, Cisco’s Cybersecurity Readiness Index revealed last month that organizations in developing countries in the Asia-Pacific region are more prepared for cybersecurity incidents than those in developed countries. Less tech debt and fewer legacy systems in organizations in emerging markets compared to their peers in developed markets is likely an influential factor, making it easier to deploy and integrate security solutions across IT infrastructures, Cisco said.

TLPT can develop cyber resilience in developing countries

Central banks and financial authorities have an important task in increasing the level of their financial sector’s cyber resilience, the paper read. One common element being considered is threat-led penetration testing (TLPT), which can facilitate the improvement of cyber resilience through controlled testing processes.

However, TLPT is most effective when applied to relatively “cyber mature” financial entities. It’s also dependent on the maturity of the authority in charge and the cybersecurity service industry in the country or region, CREST said. “If authorities pursue a policy to have financial entities tested according to the respective TLPT frameworks, they have to consider the possible capacity and quality restrictions of local cybersecurity service providers and consider options to catalyze development of the market for cybersecurity services,” the guide read.

Assuming the central bank is the authority in charge, it must invest in a dedicated team, headed by a senior manager, which must closely monitor each test process to ensure tests are performed according to the applicable testing framework and that service providers meet the required quality criteria, CREST said.
“To avoid supervisory judgement during the test process and the test becoming a mere compliance exercise, this team must sit at arm’s length of the supervisory and oversight functions to ensure a smooth test process.” As long as supervisors and overseers are involved in the scoping at the beginning and will receive the entity’s remediation plan at the end of the test process, their responsibilities are well taken care of.

Authorities pursuing a TLPT program will help improve the cyber resilience of the most critical financial entities, along with contributing to the maturation of the local market for cybersecurity services. However, close and constructive collaboration among all parties, private and public, is key, CREST said.