- Strengthened sectoral collaboration and improved scope for action for the individual players
- Stronger national and international collaboration with relevant stakeholders
- Increased awareness and knowledge of cyber security
Cyberattacks constitute a systemic risk to financial stability
Cyberattacks may threaten financial stability in Denmark in several ways. A cyberattack may, for example, limit socially critical functions performed by one or more institutions or impact confidence in the financial sector. An attack becomes systemic when it impacts society as a whole – see the chart below. This happens e.g. when the attack hits functions critical to society or affects confidence in the financial sector.
From cyberattack to systemic event
The Danish financial sector has strong focus on enhancing operational resilience, including resilience to cyberattacks. A joint effort is being made to manage cyber risks in the individual institutions as well as at sector and national level.
Each financial ecosystem participant is responsible for ensuring that their cyber resilience level is adequate and that they meet the requirements of applicable standards and regulations. This includes management of the risks each participant inflicts on other parts of the system.
Given the technical and financial interconnectedness, cyberattacks can spread across institutions and systems. Moreover, due to their resource-intensive nature, some measures require joint action. So, on top of individual efforts, it makes sense – both from the perspective of the individual institution and of society – for the sector to cooperate on addressing operational risks too, including cyber risks.
Denmark is among the few countries to have established a voluntary yet binding collaboration across authorities and private organisations with the common goal of enhancing operational resilience in the financial sector. In recent years, several other countries have begun to take steps in the same direction.
The discussions in the FSOR are based on a risk analysis identifying operational risks that could potentially threaten financial stability. This work provides a better understanding of the probability and impact of the identified risks. The risk analysis, updated semi-annually, provides a structured basis for prioritising measures to reduce the operational risks the financial sector is facing.
In 2020, Danmarks Nationalbank published the methodology behind the risk analysis to make it more widely accessible. The methodology is generic and may also be used in sectors other than the financial sector.
The risk analysis uses varioussources to identify the systemic risks the financial sector is facing. This includes an analysis of systemic dependencies and key business processes, past incidents, threat assessments and several questionnaires.
The risk analysis identifies operational risks with the potential to threaten financial stability. The identified risks are each classified according to probability and consequences. For the most important risks, the FSOR discusses proposals for mitigating measures. The measures decided on must then be implemented. This work is done in separate tracks.
Measures to reduce the risks identified
Based on the risk analysis, Danmarks Nationalbank and the FSOR have initiated several measures aimed at reducing the identified risks. Some of the measures are mentioned below.
An operational crisis management plan at sectoral level. Read more below.
TIBER test programme for the main players in the financial sector.
Danmarks Nationalbank’s survey of cyber resilience in the financial sector.
Formalised Risk Forum for mutual Interdependencies (RGA). Read more below.
Common baseline for the cyber resilience work. The baseline aims to provide tangible and measurable recommendations on cyber resilience in various areas such as data protection and governance. The aim is to develop an IT platform where each organisation can voluntarily ‘track’ its current cyber resilience and receive specified concrete measures to be initiated to obtain a desired level.
Started work to strengthen the sector’s data protection and strengthen the ability to restore business functions after an attack.
Involved critical suppliers in the FSOR work aimed at bringing the suppliers closer to the sector participants.
FSOR crisis response plan
The FSOR has set up a crisis management plan at sectoral level supplementing its members’ own crisis management plans and the national crisis management under the National Operative Staff (NOST).
Despite strong mitigating measures, the fact is that the most skilled hackers can break through defences. It is therefore essential to have a detailed plan to ensure coordinated action across the financial sector in the event of a systemic crisis.
The FSOR’s crisis management plan builds on international standards for sector preparedness and the national sectoral strategy for cyber and information security.
The crisis management plan is tested twice a year to ensure that the plan works in practice in the event of a serious incident in the sector. The FSOR’s crisis management team has also participated in tests of coordination across the six sectors critical to society in connection with a cyberattack.
In exceptional circumstances, such as during the covid-19 pandemic, the FSOR’s crisis management team has performed the function of distributing a situation overview of the financial sector and coordinated with the national crisis management of the National Operative Staff, NOST.
Risk Forum for mutual Interdependencies (RGA)
Collaboration on interdependencies between the central systems of the infrastructure is in place: Kronos2 (Danmarks Nationalbank), the retail payment systems (Finance Denmark) and securities (Euronext Securities Copenhagen) as well as the joint financial network e-connect. e-nettet is also participating in the collaboration in terms of their responsibility for the management and risk management of the retail payment systems for Finance Denmark as well as in their capacity as system owner of e-connect.
The purpose of the risk management of interdependencies is to strengthen collaboration to identify and mitigate interdependent risks occurring across key financial infrastructure players. This is done with a focus on strengthening the resilience between the central systems and coordinating mitigating and emergency responses. Risks identified in the Risk Forum on mutual Interdependencies (RGA), but which cannot be mitigated in that context, are referred upwards to the FSOR.
The RGA has developed a risk policy describing the purpose and setting out the basic framework and objectives for risk management of interdependencies.
The practical work takes place in working groups with representatives from the four members. In addition, a steering committee has been established for the RGA, which continuously approves the overall risk picture and initiates specific analyses and activities.
FSOR members as of December 2022
FSOR members are the key financial sector participants. They comprise systemically important banks, data centres, representatives of the insurance and pension sector and owners of the critical infrastructure. In addition, business and industry organisations as well as central au-thorities participate.