Pre-event interview: Jacco Jacobs

–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023

DNB – Department Head Supervision, the Dutch Central Bank, focusing on IT and operational risks

Jeroen: Could you briefly introduce yourself?

Jacco: My name is Jacco Jacobs, Department Head at Supervision within the Dutch Central Bank, focusing specifically on the IT and operational risks in the financial sector in the Netherlands.

Jeroen: What comes to mind first when you think about risks?

Jacco: Talking about operational and IT risks, one critical element is cyber risk. Within supervision and at financial institutions, cyber risk is a strategic risk. It is top of mind at Board level and for internal and external supervisors. The recent cyber incidents, on which the media focused as well, illustrate the importance of discussing cyber risk at Board level on an ongoing basis. But apart from the cyber risks at financial institutions, there is the ongoing attention to cyber risks that occur at third parties that service those financial institutions. That means that outsourcing risk and cyber risk are interconnected.

Jeroen: What do you like about your job and about the areas that it covers?

Jacco: Firstly, there is never a dull moment in supervision when it comes to addressing cyber risks. For example, there is a lot of traction related to policy development. We see this, for example, in the recent developments around the Digital Operational Resilience Act, DORA in short, which places a strong focus on IT and cyber risks as well – especially when it comes to third parties. Secondly, I like to understand what goes on at financial institutions when it comes to cyber risk and to mitigate these. We do many inspections at financial institutions, remotely or on site. Through these inspections, we learn together with the financial institution about the cyber risks they are facing, and how these risks can be effectively mitigated in practice. I find this a very interesting dimension of my work. Thirdly, it is not only about policies and inspections, but also about collaboration with the sector and with third parties, for example by sharing information and best practices with each other, and so on. How can we achieve a safer digital world in collaboration with each other? All of these things together mean this is a very interesting position.

Jeroen: What are the biggest current challenges for financial institutions when it comes to cyber security?

Jacco: On the one hand, it is a challenge to keep track of all developments that impact cyber risk and more broadly IT risk, like the policy developments related to DORA, and supervision activities from the Dutch Central Bank and other supervisory parties. And on the other hand, there are more practical challenges that are faced by financial institutions individually, by the sector more broadly, and by third parties. The combination of all of these risks makes it very challenging. Especially because potential cyber criminals will develop themselves as well.

Jeroen: If we look not just at financial services but at society at large, what would you say the biggest challenges are?

Jacco: I think there are three main challenges. The first is understanding the risk of concentrations at third parties who provide services to financial institutions. Some parties offer services to more than one single financial institution, and there are third parties that in turn outsource a part of their services to other third parties. So the entire chain encompasses many actors, and to manage this effectively comes with challenges and interconnected cyber risks. In Dutch, we refer to these as ‘ketenrisico’s’, in which the entire outsourcing chain is as strong as the weakest link. Secondly, also when financial institutions outsource their activities, they remain responsible for these activities. So it is essential that they have proper knowledge and skills in place to understand these risks. You need to have a good information position to understand the risk at the parties that you have outsourced to, while also maintaining a good information position for the security that you provide yourself. Thirdly, cyber risk is not only relevant to financial institutions, but to the entire (vital) sector. To manage this risk from a sector perspective rather than a solely financial services perspective is another big challenge that we are facing, both in and outside of the Netherlands.

Jeroen: From a regulator’s perspective, is technology mainly a solution to these challenges, or a threat?

Jacco: That is a good question. I always approach cyber risk management not solely as a compliance exercise but as an exercise that should effectively manage cyber risk, a so-called principle-based approach. Technology can be of tremendous support in that. I think we should embrace new technologies and new perspectives that can mitigate cyber risk effectively. On the other hand, new risks also occur because of technology. For example, the developments in Artificial Intelligence and the introduction of quantum cryptography pose challenges for us as a sector, but also create many opportunities. So it is a balancing act, I would say.

Jeroen: Do you have any tips for starters in the field of cyber security?

Jacco: First of all: be open-minded, so you can learn both the potential and the risks as a result of the ongoing digital developments, especially from a technology perspective, an organizational perspective and from a human/people perspective. Also learn from each other! Secondly, I encourage you to gain an understanding of different technologies and how various organizations approach the opportunities and risks, both locally and internationally. Be prepared to face the unknown, I would say.

Jeroen: Lastly, based on what I have heard you discuss today: a big area of concern, also when it comes to new regulatory developments, is that as a financial institution you cannot merely focus on yourself alone. To what extent is it possible to control all of those third parties, from a financial institution’s perspective?

Jacco: That is a major challenge, of course. At the Dutch Central Bank, we stress the importance that you remain responsible for your own outsourcing activities, although we acknowledge as well that the chain could be as large as seven to ten players, so that this can be difficult. But financial institutions remain overall responsible, so they need to make sure to get relevant and accurate information from all parties in the chain. We also have a professional network of IT auditors in the Netherlands, so we also rely on and work with IT auditors that can provide assurance on certain parts of the chain. I would also encourage sharing information with each other, both as financial institutions and as third parties in the chain. From a Dutch Central Bank perspective, we will also look into the possibilities to share more information about trends, developments, et cetera. A recent example is the published benchmark report on information security. So it is a huge exercise in which we all take part and for which we are all important stakeholders, while recognizing each other’s mandate, of course.
