02nd Sep 2021

WGFMRR 2021 Q2 VIRTUAL QUARTERLY MEETING

Event Information

Working Group on Financial Modernization and Regulatory Reform Annual Meeting (Quarter II Virtual Session)

Held on June 17, 2021

Meeting Overview

The Swedish National Audit Office hosted the 2021 Quarter II INTOSAI Working Group on Financial Modernization and Regulatory Reform virtual meeting. Seventeen SAI members (listed below) joined the meeting. The SAIs heard from three external speakers on the issue of cybersecurity and learned about audit methodology from a few member SAIs’ presentations.

Meeting Attendees

The following SAIs attended the meeting: Austria, Brazil, Canada, China, Estonia, European Court of Auditors, Finland, France, Germany, Italy, India, Indonesia, Korea, Malaysia, Qatar, Sweden, and United States.

Cybersecurity

The three external speakers presented on various issues related to cybersecurity.

  • Carl-Johan Rosenvinge, a senior economist at the Sveriges Riksbank, presented on the direct and indirect impact of cyber attacks on financial stability. In particular, he emphasized that cyber threats are aimed at both the financial system and its critical service providers, such as cloud services and energy suppliers. Since financial entities are important in different ways (such as size, interconnectedness, and substitutability), the impact may be felt differently. Mr. Rosenvinge suggested that cyber resilience in the Swedish financial system could be improved through coordination, information sharing, threat analysis, incident response, and testing.
  • Teresa Walsh, the Global Head of Intelligence for the Financial Services Information Sharing and Analysis Center, spoke about third-party risk for the financial sector. Attacks against companies can occur through automated updates, file transfers, application programming interfaces, and other channels. Attacks can result in reputational costs, fines, or business loss. Financial institutions may have hundreds of third-party vendors, and the answer to third-party risk management is not a 100-page questionnaire. While best practices for third-party risk management are evolving, Ms. Walsh emphasized prioritizing critical third parties, crowdsourcing the problem, and understanding cybersecurity risks in the context of the business (e.g. a bank) to overcome cybersecurity risks.
  • Tim Maurer, a Senior Counselor for Cybersecurity at the US Department of Homeland Security (DHS), spoke about contagion risk. Mr. Maurer said that the CIA (Confidentiality, Integrity, and Availability) framework is the technical foundation to think about cybersecurity. For example, malicious attacks affecting the integrity or confidentiality of data can lead to erosion of trust. Mr. Maurer emphasized that the public’s perception of a cyber incident matters as much as the real incident, and cybersecurity experts must understand where cyber attacks have cascading effects.

SAI members followed up with questions.

  • One member SAI asked about regulator collaboration with banks. Ms. Walsh said that there should be more discussion between financial institutions and regulators on what regulators are trying to achieve and to identify lessons learned. Additionally, Ms. Walsh said that government agencies should be talking to each other to ensure that their guidance does not conflict and confuse banks.
  • Another member SAI asked about how financial institutions that suffer a cyber attack should balance transparency with maintaining public trust. Ms. Walsh said that public education should be coupled with transparency to help the public better understand the impact. For example, while a data breach sounds simple, California has a different definition of data breach than other U.S. states. Mr. Rosenvinge said that from a regulatory point of view, transparency contributes to better data analysis.

Member SAIs’ presentations

A few member SAIs presented on their recent work and associated methodologies.

  • Peter Danielsson (Swedish National Audit Officer) presented on the EU Contact Committee Audit Compendium on Cybersecurity in the E.U. and its Member States. The compendium summarized audits from 12 SAIs and the European Court of Auditors.
  • Per Franzén (Swedish National Audit Officer) presented on a report on Swedish pension funds and sustainability.
  • Mihails Kozlovs (European Court of Auditors) presented on the assessments of the EU financial crisis management framework covering four recent reports on (1) lessons learned from the 2008-2012 financial and sovereign debt crises; (2) resolution planning in the single resolution mechanism; (3) control of state aid to financial institutions in the EU; and (4) EU efforts to fight money laundering in the banking sector.
  • Shaun Brynes and Alex Bennett (U.S. Government Accountability Office) presented on a report on U.S. federal agencies’ oversight of financial sector cybersecurity risk mitigation efforts. The report described key cyber-related risks facing the financial sector and the steps the financial services industry is taking to share information on and address risks to the sector. Additionally, the report assessed steps federal agencies are taking to enhance the security and resilience of the sector.