Cyber Security Strategy


2022–24 Cyber Security Strategy: Reducing Risk, Promoting Resilience

Cyber Security Strategy 2022–24, Bank of Canada

MESSAGE FROM THE CHIEF OPERATING OFFICER

As the nation’s central bank, the Bank of Canada has a legislated mandate to promote the stability and operational resilience of our financial system. The Bank’s promise is to give Canadians confidence to pursue opportunity. They count on the Bank to:

- foster economic and financial stability
- navigate relentless change with rigour and integrity
- help grow Canada’s shared prosperity

Our leadership in cyber security in the financial sector contributes to fulfilling that promise. A strong resilience posture is critical for the security of Canada’s financial system as a whole and the participants in it.

Cyber attacks are becoming more sophisticated, more damaging and harder to prevent than ever before. The Bank’s survey results[1] show that Canadian firms consider cyber incidents to be among the top risks to individual businesses and the financial system.

While the Bank’s cyber security posture has improved overall, the threat from cyber will never go away. The Bank must continue to develop our internal and external cyber resilience initiatives in the years ahead.

The Cyber Security Strategy 2022–24 gives us a plan to do that. The strategy is guided by our cyber security risk appetite and a clear strategic vision: to strengthen the cyber resilience of the Canadian financial system against an evolving threat environment.

Filipe Dinis, Chief Operating Officer

[1] Respondents to the Bank’s spring 2021 Financial System Survey identified a cyber incident as one of the top three risks facing the financial system.

INTRODUCTION

Cyber resilience is one of the Bank of Canada’s highest priorities. A cyber attack on any part of the financial system has the potential to cause a systemic event that could ultimately disrupt Canada’s economy.

In 2019, the Bank developed its first Cyber Security Strategy to guide its internal and external cyber security activities and priorities. And considerable progress has been made since then.

The Bank established critical foundational programs such as penetration testing and identity and access management, attracted new talent and developed the expertise of its cyber team, and deployed new cyber technologies and systems. These have become core elements of the Bank’s operations.

At the same time, the Bank developed successful relationships and robust collaborations with external partners in Canada and around the world, promoting cyber security resilience in many jurisdictions. These efforts contributed to significant improvements in the Bank’s overall cyber risk profile from 2019 to 2021.

Operational and cyber resilience were key to the Bank’s successful response to and recovery from the COVID-19 pandemic. The Bank’s ability to be flexible, nimble and resilient allowed employees to make the transition to secure remote work with minimal or no disruption to the Bank’s operations.

Cyber Security Strategy 2022–24 will guide the next phase of work by cyber teams and business functions across the Bank. It will also give external partners clarity on the Bank’s intentions.

A new Cyber Security Risk Appetite has been developed to set strategic boundaries and provide overall direction for managing cyber risk.

THE BANK OF CANADA’S CYBER THREAT LANDSCAPE

The complexity of the cyber threat landscape continued to evolve during the COVID-19 pandemic. While some of the attack vectors are not new, cyber attacks are becoming more frequent and sophisticated.

The financial sector was an attractive target for malicious cyber operators during the pandemic.[2] As with other institutions, the Bank’s cyber attack surface and risk profile increased as Bank employees and consultants moved to remote work using less secure home networks.

New cyber threats are also linked to changing central banking activities and processes, such as updated payment systems, digital currency, blockchain and digitalization. The Bank continues to be concerned about a higher likelihood of espionage and sabotage that could lead to the theft of intellectual property and proprietary business information or could disable or disrupt critical financial systems.

Cyber threats from nation states and state-sponsored groups remain acute, posing a strategic threat to Canada. Nation states have been the source of aggressive cyber attacks around the world, using cyber operations for financial gain or to promote their own national interests.

Financial institutions and governments worldwide are also seeing an increase in the number and complexity of ransomware attacks.[3] Trends include larger ransom payment demands and multifaceted attack tactics.

Major international incidents in 2020 and 2021 have drawn attention to the devastating potential consequences of cyber attacks on critical infrastructure and the need for organizations to manage cyber risks related to third parties.

[2] I. Aldasoro, J. Frost, L. Gambacorta and D. Whyte, “COVID-19 and Cyber Risk in the Financial Sector,” BIS Bulletin No. 37, Bank for International Settlements (January 2021).
[3] S. Lyngaas, “US Financial Institutions Report Major Increase in Ransomware Payments to Cybercriminals,” CNN Politics (October 15, 2021).

EVOLUTION OF CYBER SECURITY AT THE BANK OF CANADA

In recent years, the Bank established a solid cyber security foundation to address existing and emerging cyber security needs. Since its Cyber Security Strategy was published in 2019, the Bank has continued to strengthen its cyber security posture.

Internally, the Bank expanded its cyber security capabilities across the five functions of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.[4]

The Bank has:

- adopted a risk management approach focused on key Bank assets and cyber scenarios of concern
- applied a lines-of-defence model with a more robust second line of defence
- prioritized training and development for staff in a very competitive cyber security labour market
- augmented protection and detection systems to respond to evolving cyber attack techniques
- put in place a dedicated identity and access management program to enhance controls and reduce the likelihood that privileged accounts could be exploited
- made strategic investments in new tools and monitoring systems that facilitated remote access to data and video conferencing for employees working remotely
- further developed cyber security awareness to include regular Bank-wide phishing and spear-phishing training and exercises

[4] The NIST Cybersecurity Framework is a voluntary framework used internationally by industry, academia and government to manage cyber security risk.

Externally, the Bank collaborated with Canadian and international public and private sector partners to strengthen cyber security in domestic and global financial systems.

The Bank:

- promoted cyber security in Canada’s payment systems as part of its oversight of designated financial market infrastructures (FMIs)
- introduced new guidelines on Expectations for Cyber Resilience of Designated FMIs
- continued its leadership role in the Canadian Financial Sector Resiliency Group—a forum for Canada’s systemically important financial institutions and regulators to coordinate responses to systemic operational issues in the financial sector, including cyber incidents
- continued work on the Resilience of Wholesale Payments Systems initiative—a collaboration with Canada’s six largest banks and Payments Canada to share information and enhance the cyber resilience of Canada’s wholesale payments systems

The Cyber Security Strategy 2022–24 is the Bank’s plan to build on this foundation and continue to strengthen cyber security in the years ahead.

Looking forward

STRATEGIC GOALS FOR 2022–24

The Bank will continue to pursue the cyber security vision and mission articulated in 2019.

Vision
To strengthen the cyber resilience of the Canadian financial system against an evolving threat environment

Mission
To promote the efficiency and stability of the Canadian financial system through robust cyber security capabilities and expertise, collaboration and information sharing, and comprehensive oversight.

Strategic goals, outcomes and actions have been updated to reflect the Bank’s evolving requirements in the months and years ahead.

Goals

1. Continue to integrate cyber resilience into all Bank of Canada business operations as the Bank evolves
2. Expand financial sector resilience through collaboration and partnerships
3. Inspire confidence in the financial system through clear cyber security guidance within the Bank’s mandate

Cyber Security Risk Appetite

The Cyber Security Strategy has been aligned with the Bank’s Cyber Security Risk Appetite. Four risk appetite statements will guide the assessment of cyber security risk in pursuit of the Bank’s business objectives.

Acknowledging the Bank of Canada’s important role in the financial system and recognizing that cyber events will happen:

1. All Bank employees understand and hold themselves, partners and vendors accountable for their role in protecting Bank systems and information.
2. The Bank has cyber talent and cyber system protection, response and recovery above or on par with those of its peers.
3. The Bank strategically re-evaluates its cyber security exposure to balance risk and opportunity.
4. The Bank collaborates and takes informed risks with verified partners to optimize both its own cyber risk posture and that of the Canadian financial system.

The sections below outline the Bank’s internal and external cyber security priorities that will contribute to the achievement of these goals over the next three years.

Internal priorities

The Bank’s current resilience capabilities will serve as a strong foundation to manage cyber risks for 2022–24. Cyber security will continue to be an essential part of managing the new technologies and digital platforms that will support the Bank’s core functions in the years ahead.

With the increased complexity of business needs, technology and threat landscapes, business units will become fully integrated partners in the management of cyber risks.

The Bank will increase its emphasis on the zero trust[5] model of cyber defence, which assumes that all connected devices bring some risk, even within secure networks. The Bank will also work with public and private sector partners to prepare for the new age of quantum computing.

Responding to the competitive market for cyber security talent remains a priority. In addition to strategies to identify and recruit new people, the Bank will work on retaining experienced employees. Diversity and inclusion, training and skills development will be emphasized.

The Bank will once again group its internal objectives, outcomes and strategic actions into five NIST categories: identify and manage, protect, detect, respond and recover. Investments in the identify, protect and detect categories will continue. But, recognizing that cyber attacks cannot be completely prevented, the new strategy puts more emphasis on response and recovery initiatives.

[Figure: the five internal categories, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER]

[5] Zero trust is the term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources. SP 800-207, Zero Trust Architecture, CSRC (nist.gov)

Category 1: IDENTIFY AND MANAGE
Build cyber security into Bank of Canada operations

The Bank will ensure that its employees, infrastructure, and assets achieve business objectives in line with the Cyber Security Risk Appetite.

Outcomes:
- Cyber risk management processes are well defined, implemented and measured to enable effective risk-based decision making.
- The Bank attracts, retains and develops skilled cyber talent, emphasizing diversity and inclusion.
- The Bank has a defined plan for becoming quantum resilient.

Actions:
- Advance development of cyber risk processes and tools
- Implement updated people strategy
- Test quantum readiness framework and assess systems resilience

Category 2: PROTECT
Maintain a proactive posture against cyber attacks

The Bank will use its cyber security systems, tools and policies effectively to secure its information and digital assets. More emphasis will be placed on adopting a zero trust architecture.

Outcomes:
- Privileged identities at the Bank are rigorously protected and automated through the identity life cycle.
- The cyber security awareness program is responsive to emerging threats.
- The cyber security testing program assures that cyber hygiene remains strong.
- Data loss prevention and application security controls are implemented based on defined risk scenarios.

Actions:
- Continue to advance identity and access management controls
- Enhance cyber security awareness initiatives
- Continue to evolve the cyber security testing program
- Evolve measures for data loss prevention and application security

Category 3: DETECT
Strengthen systems to detect and identify a cyber security event

The Bank will advance the integration of threat intelligence, detection engineering and cyber security monitoring.

Outcomes:
- Advanced detection analytics are leveraged with a focus on priority cyber threats.
- Threat intelligence, detection engineering and cyber security monitoring processes are integrated throughout the Bank.

Actions:
- Evolve, automate and integrate cyber security monitoring
- Mature the cyber threat intelligence framework
- Expand detection engineering data analytics

Category 4: RESPOND
Enhance measures to limit the impact of a potential cyber incident

The Bank will improve its ability to assess, triage, and respond to cyber events and incidents.

Outcomes:
- The actions and processes to respond to cyber incidents are well developed and practised regularly.
- Decision makers and cyber responders have timely access to data on cyber incidents.

Actions:
- Conduct regular exercises at all levels of the organization to test cyber defence, response and decision-making
- Continually validate incident response playbooks
- Develop advanced analytics to facilitate early detection and response

Category 5: RECOVER
Enhance operational resilience to recover from a cyber incident

The Bank will enhance its capacity to restore key business operations in response to cyber attacks.

Outcomes:
- Cyber security, business process, and data recovery protocols are well defined and practised regularly.
- Enhanced data recovery capabilities are integrated in Bank operations.

Actions:
- Conduct cyber-driven disaster recovery exercises more frequently
- Continue to enhance recovery planning, playbooks and tools
- Expand data recovery capabilities to include advanced cyber scenarios

[Summary table: Internal priorities. Outcomes and actions for the five categories IDENTIFY & MANAGE, PROTECT, DETECT, RESPOND and RECOVER, as listed under Categories 1 to 5 above.]

External priorities

The Bank’s internal and external cyber security activities are increasingly interconnected, particularly around mission-critical and critical systems such as payment clearing and settlement systems, securities auctions and systems that manage foreign exchange reserves.

Coordination between the public and private sectors in Canada and abroad is essential. Information sharing helps all parties define and manage financial system cyber vulnerabilities and risks and jointly prepare to respond and recover from any cyber attack that may affect individual partners or larger systems.

Domestically, the Bank cooperates with federal financial sector partners, other public sector security organizations, the financial industry and provincial securities commissions whose responsibilities include cyber risk. Internationally, the Bank contributes to cyber security work at the G7 and the Committee on Payments and Market Infrastructures, among others.

Work to improve the cyber resilience of FMIs is ongoing. The Bank oversees designated FMIs whose responsibilities to clear and settle payments are important to the stability of the financial system.

The Bank will prepare for a new role in leading the retail payments supervision framework that will take effect around 2024. The Bank will supervise payment service providers’ management of operational risks, enforcing regulatory requirements when necessary.

The Bank will also respond to the rapidly evolving external threat environment and trends in information technology and digitalization. This includes potential initiatives such as the introduction of a central bank digital currency and long-term planning for quantum computer security encryption.

[Figure: the four external categories, STRENGTHEN, ENHANCE, MATURE, EVOLVE]

Category 1: STRENGTHEN
Strengthen financial system resilience

The Bank will promote stability in Canada’s financial system by developing and implementing collaborative measures to increase cyber security resilience.

Outcomes:
- Systemically important financial institutions work effectively with the Bank to build financial system resilience.
- Cyber security risks to Canada’s financial system are understood, analyzed and documented.
- Financial system stakeholders are able to respond to a system-wide cyber incident.

Actions:
- Develop a threat-led penetration testing framework for critical financial sector institutions
- Assess financial system cyber risk using incident data, models and research
- Contribute to Canadian Financial Sector Resiliency Group (CFRG) exercises to promote coordinated incident response

Category 2: ENHANCE
Enhance collaboration and partnerships

Collaboration within the Bank and with external partners will ensure that cyber security risks to Canada’s financial institutions are understood, communicated and managed effectively.

Outcomes:
- The Bank collaborates effectively with partners to develop cyber strategies, policies and regulatory initiatives.
- Domestic and international partners share financial sector information well.

Actions:
- Work with partners in the Resilience of Wholesale Payments Systems program to focus on the most critical cyber security scenarios facing Canada’s financial sector
- Use CFRG partnerships to identify and bridge any gaps in coordination of a sector-wide response to systemic-level operational incidents
- Contribute to the G7 Cyber Expert Group’s work on refining global cyber security

Category 3: MATURE
Mature cyber security practices among financial market infrastructures (FMIs)

The Bank will continue to fulfill its legislated mandate to promote a stable financial system through its oversight of FMIs. This includes strengthening and evolving cyber resilience practices for FMIs.

Outcomes:
- FMIs meet or exceed the Bank’s Expectations for Cyber Resilience of Designated FMIs,[6] including response and recovery plans.
- FMI operators understand and follow requirements for reporting cyber incidents to the Bank.

Actions:
- Use the expectations for cyber resilience guidelines in the next core assurance reviews for designated FMIs
- Work with designated FMIs to improve response and recovery from ransomware and compromised data
- Continue to implement guidelines for FMI reporting of cyber incidents

Category 4: EVOLVE
Evolve cyber security programs in response to external trends

The Bank will respond to the rapidly evolving external threat environment and trends in information technology and digitalization. This will require collaboration with partner agencies in the Government of Canada and the private sector.

Outcomes:
- Cyber security is included in the design of the retail payments system and any potential central bank digital currency.
- The Bank plays a role in developing Canada’s long-term preparedness for quantum computing.
- The Bank facilitates the sharing of appropriate cross-border cyber security information in the financial sector.

Actions:
- Include cyber security in the Bank’s new mandate for retail payments supervision
- Make cyber security part of planning for a central bank digital currency
- Contribute to the research and planning of new encryption technologies through the Government of Canada’s National Quantum Strategy and Quantum Working Group
- Explore Canada’s role in cross-border cyber intelligence sharing in the financial sector

[6] See the Expectations for Cyber Resilience of Financial Market Infrastructures.

[Summary table: External priorities. Outcomes and actions for the four categories STRENGTHEN FINANCIAL SYSTEM RESILIENCE, ENHANCE COLLABORATION & PARTNERSHIPS, MATURE CYBER SECURITY PRACTICES AMONG FMIs and EVOLVE CYBER SECURITY IN RESPONSE TO EXTERNAL TRENDS, as listed under Categories 1 to 4 above.]
