2025 Public Sector Perspectives
to understand and implement best practices of cyber resilience, hygiene, and response. I had the honor of participating in a cyber war game at a U.S. War College. In the advanced simulation, a nation state attacked each of the U.S. economy's critical industries simultaneously. The red team adversaries won and exposed, at lightning speed, the degree of interconnectivity between industries and between the cyber and physical worlds. While the loss was discouraging, it was not my biggest takeaway. My biggest takeaway was that commercial and financial C-suite professionals still lack the preparation to responsibly manage the mounting and evolving threat of a major cyber incident. In war games held in a purely military context, by contrast, the military decision makers, up, down, and across the chains of command, have been drilled, trained, and prepared for the worst incursions. The cyber call to action is now!

At Citi, we place considerable focus on developing core, non-cyber decision makers in the firm, and you should be aggressively doing the same. Our Fusion Centers maintain and regularly rehearse cyber crisis playbooks for Citi's senior- and mid-level executives. During a cyberattack, there is no time for the leadership of either a central bank or a financial institution to learn their organization's cybersecurity protocols. That is why Citi educates our executives about incident response and utilizes specific playbooks that reduce the number of decisions, to avert unnecessary distractions that could inhibit an executive during a cyber crisis. This includes educating executives about the potential impacts of a cyberattack on liquidity, market, and counterparty risk. These resiliency plans go into extraordinary detail, even identifying precisely who must be on an initial incident conference call. This is just one of the many tools Citi uses to prepare for cybersecurity incidents, and it reflects our "not if, but when" attitude to cyber threats. We must always be ready, and so should you.

So, as you digest what you just read, you should be thinking about two questions: If I was given 30 seconds to make a cyber decision for my central bank, would I be ready? If not, what can I do to get myself and my colleagues ready? Winter is coming, and it is essential to be prepared.

Terms Glossary

Internet of Things: Encompasses devices with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communication networks.

Near field communication (NFC): A set of communication protocols that enables communication between two electronic devices through the use of inductive coupling between two electromagnetic coils over a distance of 4 cm or less.

NotPetya cyberattack: A series of powerful cyberattacks using the Petya malware in June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers, and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia.

Password spraying: A form of brute force attack where an attacker will attempt logins with default passwords on many different usernames rather than brute forcing a single account with many passwords, in order to avoid account lockouts.

Quantum computing: An emergent field of computer science harnessing the unique qualities of quantum mechanics to solve problems beyond the ability of even the most powerful classical computers. Theoretically, a large-scale quantum computer could break widely used encryption schemes.

Ransomware: Malicious software designed to block access to a computer system until a sum of money is paid.

Session cookies or Session hijacking: The exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system.

SIM swapping: An attack where cybercriminals use a target's personal information to deceive telecom providers, who "port out" and grant them control of a target's phone number. Hackers can then use the target's phone number to receive authentication token codes and compromise other systems.

Spear-phishing: A type of phishing attack that targets a specific individual, group, or organization. These personalized scams trick victims into divulging sensitive data, downloading malware or sending money to an attacker.

Targeting of tokens or Token cracking: Attacks that target security tokens used to authenticate users, by interception or other means.

Whaling: Whaling attacks are also known as "CEO fraud" or "executive phishing." They involve cybercriminals using social engineering techniques to manipulate high-ranking executives into divulging sensitive information.

Citi Perspectives for the Public Sector 39
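The glossary entry for password spraying describes the pattern a defender can actually look for: many distinct usernames failing from one source, each with too few attempts to trip a lockout. The following is an added illustration, not code from Citi or from this publication, of how a monitoring team could separate that pattern from classic single-account brute force in authentication logs. The syslog-like line format, the sample log lines, the ten-minute window and the thresholds (five distinct users, lockout at five failures) are all assumptions made for the example.

```python
"""Flag password-spraying versus brute-force patterns in auth logs.

Password spraying (as defined in the glossary above) tries a few passwords
against many usernames so that no single account reaches a lockout
threshold. The detection signal is therefore the inverse of classic brute
force: many distinct usernames failing from one source, few attempts each.

Added example; log format and thresholds are assumptions, not Citi's.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like format assumed for this example).
SAMPLE_LOG = """\
2025-03-01T09:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2025-03-01T09:00:03Z auth sshd: Failed password for bob from 203.0.113.7
2025-03-01T09:00:05Z auth sshd: Failed password for carol from 203.0.113.7
2025-03-01T09:00:07Z auth sshd: Failed password for dave from 203.0.113.7
2025-03-01T09:00:09Z auth sshd: Failed password for erin from 203.0.113.7
2025-03-01T09:00:11Z auth sshd: Failed password for frank from 203.0.113.7
2025-03-01T09:00:13Z auth sshd: Accepted password for alice from 198.51.100.2
2025-03-01T09:01:00Z auth sshd: Failed password for grace from 198.51.100.9
2025-03-01T09:01:02Z auth sshd: Failed password for grace from 198.51.100.9
2025-03-01T09:01:04Z auth sshd: Failed password for grace from 198.51.100.9
2025-03-01T09:01:06Z auth sshd: Failed password for grace from 198.51.100.9
2025-03-01T09:01:08Z auth sshd: Failed password for grace from 198.51.100.9
2025-03-01T09:01:10Z auth sshd: Failed password for grace from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "Failed":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("src")


def classify_sources(log_text, window=timedelta(minutes=10),
                     min_users=5, lockout_threshold=5):
    """Return {source: "spray" | "brute_force"} for suspicious sources.

    spray:       at least min_users distinct usernames failed from the source
                 and no single account reached lockout_threshold (the
                 low-and-wide pattern the glossary describes).
    brute_force: one account from the source reached lockout_threshold.
    Only failures within `window` of a source's first failure are counted,
    so a long-lived noisy host is not mistaken for a burst.
    """
    first_seen = {}
    per_source = defaultdict(lambda: defaultdict(int))  # src -> user -> fails
    for ts, user, src in parse_failures(log_text):
        first = first_seen.setdefault(src, ts)
        if ts - first > window:
            continue
        per_source[src][user] += 1

    verdicts = {}
    for src, users in per_source.items():
        max_per_user = max(users.values())
        if max_per_user >= lockout_threshold:
            verdicts[src] = "brute_force"
        elif len(users) >= min_users:
            verdicts[src] = "spray"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src}: {verdict}")
```

Run against the constructed sample, 203.0.113.7 is reported as a spray (six users, one failure each) and 198.51.100.9 as brute force (one user, six failures); the successful login from 198.51.100.2 produces no verdict. In a real deployment the thresholds would be tuned to the organization's actual lockout policy and baseline failure rate, and the per-source key would usually be broadened to cover sources rotating across many addresses.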