World Economic Forum: Systems of Cyber Resilience: Secure and Trusted FinTech (2020, English edition, 37 pages)
Systems of Cyber Resilience: Secure and Trusted FinTech
July 2020

Shaping the Future of Cybersecurity and Digital Trust
Shaping the Future of Financial and Monetary Systems

World Economic Forum
91-93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0)22 869 1212
Fax: +41 (0)22 786 2744
Email: contact@weforum.org
www.weforum.org

© 2020 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

Contents

Preface 4
Introduction: World Economic Forum FinTech Cybersecurity Consortium 6
1. Executive Summary 7
2. Systems of cyber resilience: building cyber-resilient controls for the financial (eco)system 10
3. Creating a system of resilience: universal cybersecurity controls and assessment 13
4. Approach 14
5. Criteria for choosing base-level frameworks 15
6. Candidate frameworks 18
7. Center for Internet Security Top 20 Critical Security Controls 19
8. The Financial Services Cybersecurity Profile 21
9. Conclusion 25
10. Appendix 1: The CIS CSC 20 vs. base-level controls criteria 26
11. Appendix 2: The FSC Profile vs. base-level controls criteria 30
12. Appendix 3: The role of industry and public-private initiatives 32
Contributors 33
Endnotes 34

Preface

Cyber risk is pervasive, systemic and global in scope. In the financial services industry, it is increasingly difficult to mitigate this risk, since the modularization of financial services interlinks organizations whose cybersecurity maturity levels vary greatly. It is therefore difficult for any one firm to understand how an attacker might move laterally across a supply chain. Given that interests and priorities diverge among actors, a sector-wide baseline for cybersecurity is necessary to ensure the integrity of the global financial system. A vital step in establishing this baseline is for financial technology (FinTech) companies to uphold their obligations to system resilience. FinTech companies must protect themselves and their customers in a measurable and demonstrable way, but they are often faced with fragmented regulations and finite resources, and operate in a market where skilled expertise is in short supply. This Consortium helps raise the level of FinTech cybersecurity by supporting the scaling and adoption of frameworks that provide clear and achievable cybersecurity guidelines to FinTechs to enhance the security of the wider financial services supply chain. More significantly, this work is a vital step towards creating durable partnerships that will improve the cybersecurity and resilience of the global financial system. Additional organizations, including the Cyber Risk Institute, supported by the World Economic Forum, and the Coalition to Reduce Cyber Risk, will carry this group's recommendations forward to implementation across the financial sector globally.

Daniel Dobrygowski, Head of Corporate Governance and Digital Trust, World Economic Forum
Matthew Blake, Head, Platform for Shaping the Future of Financial and Monetary Systems, World Economic Forum

Coinbase

Large multinational financial services organizations and FinTechs have a unique partnership. They provide services to each other and to similar customers, communicate with the same regulators, and as a result have highly interconnected cyber risks. That said, there are also significant variances across third-party due diligence approaches and prioritization of cyber-risk management activities. This can make compliance with third-party diligence requirements or financial regulatory requirements impractical and cost prohibitive for FinTechs. The FinTech Cybersecurity Consortium addressed this challenge by providing a collaborative forum to assess existing cyber-risk frameworks and converge on an "on-ramp" that allows FinTechs to achieve a baseline risk posture. This recommendation is an exciting endorsement that frees FinTechs to focus their resources on the highest-impact activities that help achieve the baseline and effectively communicate risk maturity.

Adrienne Allen, Director of Security GRC and Privacy, Coinbase

Mastercard

FinTechs play an important role in the digital transformation that makes our lives simpler, more convenient and rewarding. For FinTechs to scale sustainably, collective partnership is required. However, FinTechs cannot achieve impact and scale without proper cyber protocols. Collaboration is critical: sharing expertise, defining standards and playing a leading role in securing the landscape. The FinTech Cybersecurity Consortium enables FinTechs to innovate responsibly, protect the digital ecosystem, align security with consumer experience and reduce risk. At Mastercard, safety and security are foundational principles for every part of our business and the technology platforms and services we enable. As our digital landscape expands along with our dependence on it, our expectations of cybersecurity need to be continuously considered and refined. Cybersecurity must never be an afterthought.

Adam Sommer, Vice-President, Industry Standards, Mastercard

SoFi

FinTechs can be a valuable source of innovation for the financial services industry, but only if those innovations can be delivered with security controls that meet industry and regulatory requirements. The effort described in this document aims to provide FinTechs with guidance that can put them on a path towards a robust security programme that can be applied in the earliest stages of the business. As both a provider and consumer of technology focused on financial services, SoFi has found the approach described herein to be a key enabler for participating in this critical industry sector.

Jim Maloney, Chief Security and Privacy Officer, Social Finance (SoFi), World Economic Forum Expert Network member

Visa

FinTech innovations deliver tremendous economic and social benefits, connecting unbanked and underbanked populations to the digital economy, contributing to small business growth, and empowering consumers in new and exciting ways. As larger financial service organizations increasingly look to partner with FinTechs, gaps between the security capabilities of established firms and young FinTechs can present real challenges to collaboration. At Visa, our commitment to security is unwavering. This includes our responsibility to help secure the wider payments ecosystem by encouraging best practices and sharing relevant insights. The work of the World Economic Forum's FinTech Cybersecurity Consortium will provide valuable first steps to help new companies develop secure, market-ready solutions.

Sunil Seshadri, Senior Vice-President, Chief Information Security Officer, Visa

Introduction: The World Economic Forum FinTech Cybersecurity Consortium

The FinTech Cybersecurity Consortium formed in 2018. Its aim was to facilitate the reasonable protection of a dynamic and growing global financial ecosystem composed of established organizations with high levels of cybersecurity maturity and FinTechs rapidly developing and providing emerging technologies. The security requirements of each participant in the financial system vary, sitting along a continuum dependent on the countries in which a firm operates, the services it provides, the customers it targets and its impact on other participants in the market. This has made it difficult to provide smaller firms with guidance to weave cyber-resilience into their business and growth plans. Consortium members asked: how can less mature FinTech companies connect with very mature organizations while maintaining a level of cybersecurity risk that is understood by all parties, accepted and manageable?

The Consortium believes that the security of the wider financial system requires the acceleration of FinTechs' access to methodologies for identifying cybersecurity risks and applying the practical steps needed to mitigate them. These methodologies should be scalable, by which we mean that they can be applied across borders so that a FinTech can use recognized cybersecurity best practice to facilitate entry to new markets and grow securely as it expands. The FinTech Cybersecurity Consortium identified the simplification of baseline cybersecurity requirements for FinTechs as an important starting point. The Consortium has identified criteria for common minimum cybersecurity standards and controls that will obtain agreement from globally systemic financial institutions, FinTechs, governments and key regulators. The Consortium's recommendations support the scaling and adoption of frameworks that provide clear and actionable cybersecurity guidelines to FinTechs to enhance the security of the wider financial services supply chain.

Figure 1: Benefits of a cybersecurity controls framework for the entire financial ecosystem. A common framework to ensure a win-win-win-win-win-win outcome, involving understanding and articulation of benefits. [Figure not reproduced in this extraction; caption only.]

1. Executive summary

1.1 Systems of cyber resilience: FinTech security controls and assessment

The World Economic Forum's Global Risks Report 2020 [1] again named cyber threats as among the most significant risks to society and the economy in terms of likelihood and impact. The financial services sector remains a favoured and high-value target for cyberattacks. Financial services are becoming more modular and distributed, with many parties involved in service provision. This is usually to the benefit of consumers, but it has greatly expanded the number of targets available to cyberattackers. Client data and assets are now spread across multiple platforms and providers. Risk levels, security requirements and security capability vary from organization to organization. This medley of requirements leaves the sector in need of a mutually understood and widely accepted base level of cybersecurity controls. Clarity at the base level of security will support the effective protection of business and client assets across the wider supply chain. This will facilitate good cyber hygiene and cybersecurity techniques among the least resourced companies in the market, improving cyber resilience across the financial system. Effective cybersecurity reduces the impact of cyberattacks on commercial operations, lowers the frequency and level of loss to clients and is essential to maintaining consumer trust in the wider financial system.

1.2 FinTechs

Financial technology (FinTech) companies are a vital source of accelerated innovation-driven improvements for the financial services industry. Established financial services providers would like to partner swiftly and securely with innovative new FinTechs. This intention is shared by regulators and central banks, who see commercial links between new entrants and established providers as a benefit to citizens and the wider economy. FinTechs want strong commercial partnerships in order to survive and thrive. However, the modularization of financial services interlinks organizations whose cybersecurity maturity levels vary greatly. This complicates cybersecurity risk management. There are many approaches that FinTechs can take to make themselves cybersecure. Yet it is not always clear which control frameworks allow a FinTech to secure its assets, create trusted commercial partnerships with established firms and ensure compliance with relevant regulations in the jurisdictions in which it operates. Established financial services providers have a number of frameworks, standards and industry-driven initiatives against which they can test the security of FinTechs and other third parties. However, the volume of industry initiatives, driven by the pace of technological change and the multiplication of regulations, is now creating "noise", which makes it difficult for FinTechs to direct their resources in a way that allows for security while facilitating the maximal number of commercial partnerships. It is often the case that these cybersecurity standards and frameworks aim to achieve the same security objectives and vary mostly in their form and language. This leads to inefficiencies for both FinTechs and established firms, which need to demonstrate compliance with regulations that vary slightly in form from jurisdiction to jurisdiction, but which have largely common objectives.

1.3 Incentivize security

The commercial incentive matters for security. Building a robust cybersecurity architecture is important for new-to-market organizations that depend on deterring even one cyberbreach to maintain business credibility. However, this can be expensive to deploy, take a significant amount of time to complete and can leave a firm hostage to early decisions on cybersecurity as it continues to grow. As FinTech founders tend to balance a number of business needs, they may not necessarily prioritize security considerations in their product and services development. This can lead to security-related technical debt that is difficult and expensive to address at a later date. If information security teams are given the tools to clearly explain how their actions protect business assets and facilitate commercial partnerships, the executive team is more likely to understand and prioritize security, making it a core part of their firm's business growth plans. Implementation of cybersecurity controls is also likely to be more appropriate to the needs of each specific business and consequently more effective.

1.4 The challenge: fragmentation

FinTechs are entering the financial system at a time when governmental authorities have yet to coordinate and harmonize the development of rules and regulations across borders, even though the cyber threat is an internationalized one. At the same time, financial services are becoming ever more specialized, causing industry to fragment into sub-sectors that set their own advice on security standards and implementation. Established companies are tailoring their due diligence requirements in order to better protect themselves and their clients. The lack of coherence across the private sector as to which baseline standards FinTechs should implement, how they should be implemented and how this should be evidenced makes it difficult for FinTechs to apply their resources in a rational manner. Rightly, nobody wishes to compromise on cybersecurity standards. All recognize that the current level of variation and duplication of requirements is unsustainable, pushing up the cost of compliance without always enhancing operational security.

1.5 Building on strong foundations

When it was s
49、e sector as to which baseline standards FinTechs should implement, how they should be implemented and how this should be evidenced makes it difficult for FinTechs to apply their resources in a rational manner. Rightly, nobody wishes to compromise on cybersecurity standards. All recognize that the current level of variation and duplication of requirements is unsustainable, pushing up the cost of compliance without always enhancing operational security. 8Systems of Cyber Resilience: Secure and Trusted FinTech 1.5 Building on strong foundations When it was s