Perspectives 2019 2020 Public Sector
Citi Perspectives 87
To achieve this, today’s public-private partnerships need to evolve from being seen as traditional IT tactical and operational information sharing or business continuity “circles of trust” to true risk management groups focused on underlying services and functions. Evolving cyber resilience in this way would not only make it more inclusive and better connected with the real economy, but also support cyber capacity building and collective strength of the financial ecosystem. Going further, tying cyber risks to business impacts would help embed resilience in product development and daily operations (e.g., a better Secure Development Lifecycle approach that would significantly improve organizations’ abilities to innovate faster while operating with lower overhead costs and fewer errors). This is increasingly important for the financial sector participants, as organizations move to the Cloud, and into a world of real time payments, real time liquidity and global concentration “engines.” In essence, the cyber collective defense model needs to evolve into an effective enterprise-wide risk-management approach where government, central banks, and industry work side by side to address and reduce risk. This not only reduces risk; it decreases the likelihood of inefficient investment in resilience. From a development perspective, this collaborative risk management at country and sector levels would create stronger links between cyber resilience, capacity building and concessional and philanthropic funding. It will require hard work and creativity; professionals from across firms’ revenue and non-revenue generating teams will need to proactively share expertise to make cyber relatable and understood in the context of their firm’s business growth and risk appetites. And we need to do this across sectors too, with the public sector.
Strategic exercises at the level of Central Bank Governor and Deputy Governor, Minister, and C-Suite would be a first step in providing a true holistic understanding of cyber risk and the current state of resilience. Gamified, online interactive tools could be leveraged in these events to anonymously gather data on decision making, and on the speed and certainty of response, enabling practical capacity building with credible thematic and repeatable benchmarks. These could, in turn, be integrated into rankings such as the Worldwide Governance Indicators (WGI).
Strategic Cyber Exercising
For many years, firms have been encouraged to conduct internal exercises (or tabletops, war-games, simulations). Strategic industry-wide cyber crisis management exercises are crucial to achieving the strategic collective risk management model of public-private partnerships. The critical point here is that any strategic-level public-private exercises must be kept small to enable the institutions to debate and discuss the actions they would take and why. Whilst large sector exercises, such as those run by FS-ISAC and FSARC, are important to strengthening security, they include such a large range of people and different organizations that discussion is not possible. They also rely on participants playing “using” their firms’ capabilities — this also precludes group discussion as few firms today are willing to openly share what capabilities they do or don’t have. Small, strategic-level exercises that enable scenario analysis and discussion can help institutions understand potential risks, how these may transmit, where investments need to be made, and how best to respond when systems are breached. On 2 July 2019, in support of the Commonwealth Cyber Declaration, Citi simultaneously ran a multi-country, strategic-level pilot exercise lasting four hours across six African countries. Citi conducted this in partnership with Immersive Labs, the IMF, and the World Bank.
The exercise included SWIFT, domestic information sharing organizations such as SABRIC, and banking associations, as well as Deputy Central Bank Governors and ICT regulators for each country. Firms critical to each country’s respective financial sector, from the top five local banks to mobile money service providers, stock exchanges, clearing houses, RTGS platforms, and telecommunication companies, were included. The scenario involved fictitious global and local banks impacted by malware which paralyzed their operations. As the scenario unfolded, it became evident that the driver behind the coordinated cyber-attack was payment manipulation. Each country’s participants came together in a single location, and for the first half of the exercise they took part in the scenario within the country, before joining together on a regional video call to discuss the cross-border elements. Responses to the scenario were multiple-choice: each participant could select an answer directly in the online platform, with each country’s participants required to come to agreement