monday, june 10, 2019 · transactions rely on distributed ledger technology (dlt), sometimes...

P a g e | 1

____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP)

Monday, June 10, 2019 Top 10 risk and compliance related news stories and world events that (for

better or for worse) shaped the week's agenda, and what is next

Dear members and friends, I have just received a paper from the Irving Fisher Committee on Central Bank Statistics, IFC Bulletin No 50, “The use of big data analytics and artificial intelligence in central banking”. In 970 pages, there are many hidden gems. At page 12, for example, we find an interesting approach from Okiriza Wibisono, Hidayah Dhini Ari, Anggraini Widjanarti, Alvin Andhika Zulen and Bruno Tissot: “Another rapidly developing area of big data analytics is text-mining, ie analysis of semantic information – through the automated analysis of large quantities of natural language text and the detection of lexical or linguistic patterns with the aim of extracting useful insights. While most empirical work in economics deals with numerical indicators, such as prices or sales data, a large and increasing amount of textual information is also generated by economic and financial activities – including internet-based activities (eg social media posts), but also the wider range of textual information provided by, say, company financial reports, media articles, public authorities’ deliberations etc. Analysing this unstructured information has become of key interest to policymakers, not least in view of the important role played by “soft” indicators such as confidence and expectations during the GFC. As illustrated in the lecture delivered by Stephen Hansen (University of Oxford), text-mining techniques can usefully be applied to dealing with these data in a structured, quantitative way.

P a g e | 2


Text analysis typically starts with some standard pre-processing steps, such as tokenisation (splitting text into words), stopword removal (discarding very frequent/non-topical words eg “a”, “the”, “to”), stemming or lemmatising (converting words into their root forms, for instance “prediction” and “predicted” into “predict”), and merging words within a common message (eg “Bank” and “Indonesia” grouped into “Bank Indonesia”). Once this is done, the initial document can be transformed into a document-term matrix, which indicates for each specific text a term’s degree of appearance (or non-appearance). This vectoral text representation is made of numerical values that can then be analysed by quantitative algorithms; for example, to measure the degree of similarity between documents by comparing the related matrixes (Graph 3).

One popular algorithm for working on textual information is the Latent Dirichlet Allocation (LDA). This assumes that documents are distributed by topics, which in turn are distributed by keywords.

For example, one document may combine, for a respective 20% and 80%, a “monetary” and an “employment” topic, based on the number of words reflecting this topic distribution (ie 20% of them related to words such as

P a g e | 3


“inflation” or “interest rate”, and the remaining 80% related to words such as “jobs” and “labour”). Based on these calculations, one can build an indicator measuring how frequently a specific topic appears over time, for instance, to gauge the frequency of the messages related to “recession” – providing useful insights when monitoring the state of the economy.

Besides quantitative algorithms, simpler dictionary-based methods can be also employed for analysing text data. A set of keywords can be selected that are relevant to the topic of interest – for example, a keyword related to “business confidence”.

Then an index can be constructed based on how frequently these selected keywords appear in a given document, allowing the subject indicator to be assessed (eg the evolution of business sentiment).

A prominent example is the Economic Policy Uncertainty (EPU), which quantifies the degree of uncertainty based on the appearance of a set of economic-, policy-, and uncertainty-related keywords in news articles; by the end of 2018, more than 20 country-specific EPU indexes had been compiled.”

Read more at Number 6 below. Welcome to the Top 10 list. Best regards,

George Lekatis President of the IARCP 1200 G Street NW Suite 800, Washington DC 20005, USA Tel: (202) 449-9750 Email: [email protected] Web: www.risk-compliance-association.com HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA Tel: (302) 342-8828

mailto:[email protected]

http://www.risk-compliance-association.com/

P a g e | 4


Number 1 (Page 8)

Back to stable Yves Mersch, Member of the Executive Board of the European Central Bank, at the Zahlungsverkehrssymposium, Deutsche Bundesbank, Frankfurt am Main

“The primary objective of the ECB is to ensure price stability. This is also the best contribution we can make to achieving sustainable growth. Since the launch of the euro, the ECB has delivered on this commitment and rendered price stability a reality, maintaining an average inflation rate of below, but close to, 2%. And that is why the majority of euro area citizens trust the euro.”

Number 2 (Page 13)

A handful of cyber - five key issues for international cooperation Agustín Carstens, General Manager of the BIS, at the conference on "Cybersecurity: coordinating efforts to protect the financial sector in the global economy", Paris.

“Cyber security is in the minds of all of us in the central banking community, and international cooperation is of the essence. As many of you here know, part of the BIS's mission is to foster international cooperation in serving central banks in their pursuit of monetary and financial stability. Cyber security is a more recent concern for the BIS. However, as it has become increasingly important, our contribution to the central banking community's efforts has also grown.”

P a g e | 5


Number 3 (Page 18)

PCAOB Announces New Liaison for Investors, Audit Committees, and Preparers

The Public Company Accounting Oversight Board announced that Erin Dwyer has been named deputy director of the Office of External Affairs where she will serve as the direct point of contact for and liaison to investors, audit committees, and preparers.

Number 4 (Page 19)

Modelling the Cognitive Work of Cyber Protection Teams Colonel Stoney Trent, Dr. Robert R. Hoffman, Lieutenant Colonel David Merritt, Captain Sarah Smith

Cyber Protection Teams (CPTs) defend our Nation’s critical military networks. While Cyber Security Service Providers are responsible for the continuous monitoring and vulnerability patching of particular networks, CPTs perform threat-oriented missions to defeat adversaries within and through cyberspace.

Number 5 (Page 22) Occasional Paper No. 95

Is This the Beginning of the End of Central Bank Independence? Kenneth Rogoff, Published by Group of Thirty, Washington, D.C., May 2019

Central bank independence in advanced economies stands at a crossroads. Post-financial crisis, the public has come to expect central banks to shoulder responsibilities far beyond their power, and even farther

P a g e | 6


beyond their remit. At the same time, populist leaders have been pressing for having much more direct oversight and control over central bank policy choices.

Number 6 (Page 23) Irving Fisher Committee on Central Bank Statistics, IFC Bulletin No 50

The use of big data analytics and artificial intelligence in central banking Proceedings of the IFC – Bank Indonesia International Workshop and Seminar in Bali, May 2019

Information and internet technology has fostered new web-based services that affect every facet of today’s economic and financial activity. This creates enormous quantities of “big data” – defined as “the massive volume of data that is generated by the increasing use of digital tools and information systems” (FSB (2017)).

Number 7 (Page 25)

Flipboard NOTICE OF SECURITY INCIDENT

Flipboard recently identified and addressed a security incident involving a subset of user data. We know transparency is important to our community, and we have created this page to share what we have learned from our investigation, measures we have taken, and what steps users can take in response.

Number 8 (Page 28)

CPMI quantitative review of correspondent banking data

Cross-border payments are vital for global trade and for migrants who send remittances home, yet they are generally slower, more expensive and more opaque than domestic payments.

P a g e | 7


Most cross-border payments flow through the so-called "correspondent banking network" - a network that is reportedly shrinking and becoming more concentrated.

Number 9 (Page 30)

Fix released for Windows vulnerability discovered by NCSC

Microsoft has released a fix for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows.

Number 10 (Page 32)

ENISA's workshop in Warsaw to discuss innovation in the context of National Cyber Security Strategies

On 26 September 2019, ENISA will organise in Warsaw a workshop in cooperation with the Polish National Research Institution NASK to discuss innovation in the context of National Cyber Security Strategies (NCSS). The discussions will focus on national objectives and priorities supporting research and innovation of cybersecurity technologies and services.

P a g e | 8


Number 1

Back to stable Yves Mersch, Member of the Executive Board of the European Central Bank, at the Zahlungsverkehrssymposium, Deutsche Bundesbank, Frankfurt am Main

The primary objective of the ECB is to ensure price stability. This is also the best contribution we can make to achieving sustainable growth. Since the launch of the euro, the ECB has delivered on this commitment and rendered price stability a reality, maintaining an average inflation rate of below, but close to, 2%. And that is why the majority of euro area citizens trust the euro. Their trust is contingent on the independence of the central bank. Independence is granted to central banks to prevent politicians from seeking electoral gain through measures which boost economic activity in the short term but damage the long-term health of the economy and the country. It is also recognised that legal tender needs to be issued by a public authority. In the case of the EU, it falls to the ECB to issue the euro and decide on the denomination of banknotes. We could not accept a situation in which, for anti-European or populist motives, certain euro denominations were not allowed to be used in some parts of the EU. This established consensus is being challenged by private initiatives triggered by technical innovation. We are seeing ever more solutions in search of a problem. Bitcoin and other crypto-assets claim to need neither trust nor the backing of a sovereign. They reject the paradigm of state-supported currencies governed by central banks, along with the role of financial institutions as trusted intermediaries.

P a g e | 9


These self-proclaimed currencies, more accurately described as crypto-assets, have proved to be unfit for purpose, demonstrating that well-executed central bank policies are still the only sound basis for stability.

Trustless is pointless The original bitcoin vision replaces trust in a dedicated intermediary with cryptographic proof. In other words, any two parties can transact directly with each other as peers without requiring a trusted third party. Their transactions rely on distributed ledger technology (DLT), sometimes floridly referred to as the "trust engine" of crypto-assets. By leveraging cryptography and mechanisms to reach consensus among peers in a distributed system, DLT ensures the integrity and security of records which, in a centralised system, would be entrusted to a responsible third party. Users of crypto-assets can therefore depend on the underlying blockchains to avoid double spending and validate ownership. However, trust isn't entirely dispensable. In fact, users place their trust in the opaqueness of the arrangements through which influence is dispersed across the blockchain. Public blockchains still rely on key players to perform certain tasks, but these players are often unidentified and unaccountable. A protocol has to be created, maintained and operated, while the transactions it supports need to be validated. Developers and miners perform actions that affect the outcome of public blockchains. Furthermore, the practical usability of crypto-assets relies to a great extent on identifiable intermediaries to act as "gateways" between the crypto-asset ecosystem on the one hand and the financial markets and the economy on the other. I have said before that we need to differentiate between "assets" such as bitcoin and the technology behind them, such as blockchain. Indeed, some of the technology is worth exploring and could also be of interest to central banks. That said, our role is not to drive technological adoption by the industry and the general public, but to ensure that changing preferences can be satisfied in a secure way. While DLT is a necessary element of crypto-assets, it is not in itself their defining feature.

P a g e | 10


The single distinguishing feature of crypto-assets such as bitcoin is the absence of an underlying claim, which makes it difficult for them to maintain price stability. Crucially, crypto-assets aren't backed by any sovereign authority and, unlike financial instruments, they don't give their holders ownership or contractual rights. Central banks provide confidence in money - as a store of value, unit of account and means of payment - by safeguarding the stability of the currency. By contrast with traditional currencies, bitcoin has been highly volatile over the past two years. Bitcoin's average volatility in that period was close to 80 %, while many other crypto-assets showed even higher levels of volatility. This makes it impossible to use crypto-assets for anything but outright speculation. Some crypto-assets have recently emerged that strive to minimise fluctuations in value against a currency of reference, but even they are no alternative to the euro. These so-called "stablecoins" broadly fall into two categories: those that are backed with an underlying asset and those that rely on an algorithm to continuously match the supply and demand of circulating units. Unsurprisingly, the stablecoins that show the least volatility are those that back every issued unit with an equal amount of fiat currency. Why use a proxy, then, if you can have the real thing - unless the issuers of that proxy seek to interfere with the control of trusted assets circulating in the economy The poor performance of crypto-assets is not an excuse for complacency, but rather a reminder of the importance of the central bank's objective to maintain price stability. Fulfilling this objective is conditional on the independence of the central bank, as ensured by a narrow but clearly defined mandate. Central banks must not be overburdened with multiple goals without having the appropriate instruments to achieve them. This brings me to the role of the ECB in the oversight of market infrastructures.

Less is more The ECB has a Treaty-based task to promote the smooth operation of payment systems, as part of which it takes a close interest in the regulatory

P a g e | 11


framework for market infrastructures which clear and settle securities and derivatives in euro, in particular central counterparties (CCPs). This reflects the systemic impact CCPs can have in situations of extreme stress, by disrupting repo markets or channelling liquidity strains to banks - which are also monetary policy counterparties - thus affecting the circulation of liquidity in payment systems. Ultimately, CCPs may need to rely on central banks as lenders of last resort. Central banks therefore have an important role to play in the regulation of central clearing - a notion which is largely recognised but often misunderstood. In this context, let me say a few words about recent developments in the area of CCP regulation, and in particular the outcome of the legislative process regarding the revision of the supervisory framework for CCPs, the European Market Infrastructure Regulation (EMIR II), and the recommendation to amend Article 22 of the Statute of the ESCB and the ECB. The ECB recommended to EU legislators that its Statute be amended to clarify that the ECB had legal competence over CCPs, which would have allowed it to perform its statutory monetary policy role under EMIR II. We made the case that the ECB needed explicit general competence to monitor and address risks relating to our mandate, including broad discretion to take necessary measures in exceptional situations where the stability of the euro is at stake. We also cautioned repeatedly against the positions taken by some Member States - particularly those who traditionally uphold the independence of monetary policy - and ultimately reflected in the draft amended text of Article 22 discussed by EU legislators. Under this approach, the ECB would have had no competence over EU CCPs, contrary to its mandate as central bank of issue for the euro, which calls for powers over all euro clearing regardless of its location. The ECB would have been given an exhaustive list of specific and circumscribed powers - replicating the present and future provisions of EMIR II - in respect of some systemic third-country CCPs, as designated by the European Securities and Markets Authority (ESMA). This would have been uncharacteristic and overly granular for the ESCB Statute, which is primary law and gives the ECB broad discretion in the

P a g e | 12


exercise of its monetary mandate, and it would have violated the ECB's functional independence. This was compounded by a requirement that ECB measures be "in alignment with" legislative acts and measures taken under those acts. Given these grave legal concerns, the Governing Council concluded that the final text seriously distorted its recommendation and interfered with fundamental principles of the Treaty, including the independent exercise by the ECB of its monetary policy. The recommendation to amend the Statute was therefore withdrawn, which is a matter of regret. The Governing Council did, however, make it clear that the ECB remains supportive of the objectives of EMIR II and is fully committed to contributing to its implementation where legally possible and in line with its mandate. The ECB looks forward to fruitful cooperation with ESMA and other authorities in taking this forward. In times of upheaval in global payment markets, it is all the more important for Europe to close ranks. In the United States we have already seen two mergers of two significant payment service providers this year. Both mega-mergers had a market value of $55 billion and more could follow. In such dynamic markets, in which economies of scale play a pivotal role, we should not get lost in national details but should self-confidently enhance the conditions of the European single market and the competitiveness of its participants, without, however, putting up protectionist barriers.

Conclusions Allow me to conclude. As central banks, we must remain true to our core mandate. Through change or crisis, we must retain the capacity to adapt to evolving needs and do what needs to be done. But that should not come at the expense of independence or accountability. Ultimately, we will be judged on how we deliver price stability. Trust is the central bank's most valuable asset.

P a g e | 13


Number 2

A handful of cyber - five key issues for international cooperation Agustín Carstens, General Manager of the BIS, at the conference on "Cybersecurity: coordinating efforts to protect the financial sector in the global economy", Paris.

Introduction Many thanks for inviting me to speak here today. Cyber security is in the minds of all of us in the central banking community, and international cooperation is of the essence. As many of you here know, part of the BIS's mission is to foster international cooperation in serving central banks in their pursuit of monetary and financial stability. Cyber security is a more recent concern for the BIS. However, as it has become increasingly important, our contribution to the central banking community's efforts has also grown. We have convened many discussions with experts from the public and private sector and academia. Cooperation is of course not an end in itself: the ultimate aim is to be better prepared for cyber attacks. I want to put five points on the table today.

Criminals are coordinating First, criminals are mastering the art of international cooperation. Hacktivists, cyber criminals and nation states are coordinating with one another. This coordination is sophisticated and market-based. We have before us a very skilled set of adversaries. Recent high-profile attacks have shown that attackers are also active in reconnaissance. They gather up seemingly harmless information (such as the online social media profiles of firms' staff) to better plan and execute attacks.

P a g e | 14


Moreover, sophisticated hacking tools can be acquired on the black market at low cost, lowering the level of technical skills required by criminal organisations. This black market, together with the coordination it enables, is international. It brings together cyber criminals and nation states to execute targeted attacks for financial gain. If cyber criminals are embracing the benefits of cooperation, we need to embrace it as well.

International law is not up to speed Second, international legal arrangements are not up to speed. Detecting criminal activity is not easy, and tracing it back to where it came from is even more difficult. Yet, even if a suspected criminal can be identified, international law may not support any action against them. The current international legal framework for cooperation on cyber crime is fragmented. Hacking is not necessarily a crime, for example. Differing domestic laws and regulations, uncertainty in establishing which jurisdictions are responsible for what, and ambiguity regarding evidential standards are a significant hurdle. Harmonisation of laws defining criminal behaviour could help here, but laws are not enough on their own. We also need international cooperation among the investigatory agencies. This cooperation would help prevent delays and loss of evidence. Only with cross-border cooperation is it possible to catch cross-border criminals. There are a number of workstreams currently under way to address this and improve investigation and prosecutions between domestic authorities. One example is the Council of Europe's Convention on Cybercrime - the Budapest Convention. However, it is likely to be some time before current laws catch up with the internet age. This makes adequate defences an even greater imperative. If there is limited risk of being stopped by authorities, then preventing criminals from stealing is the most effective deterrent.

P a g e | 15


Compliance is not security Third, compliance is not security. The standard-setting bodies are prioritising cyber. The Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions led the way with their cyber guidance some years ago; the Basel Committee on Banking Supervision (BCBS) recently published a report on a range of cyber resilience practices; and the Financial Stability Board is currently also working on aspects of resilience and recovery. Supplementing this work, there are a number of best practice cyber resilience frameworks available, including ISO27000 and the NIST framework. However, "compliance" is different for cyber. Getting the basics right makes a significant difference. An accurate IT inventory and a strong patching process are the cornerstones of any defence. "Basic" does not imply that this is an easy or simple task. The complexity and diversity of most modern networks create significant challenges. However, at the same time, most of the organisations that have experienced highly publicised breaches were in compliance with some form of control framework. So while compliance is clearly necessary, it is not sufficient for security. Even with every box ticked, an organisation can still be vulnerable. A list of controls simply cannot keep pace with threat developments. An organisation needs a "cultural shift", driven by a strong governance framework that learns and evolves, to go beyond compliance. An example of this is a cyber security department's engagement with the other staff in an organisation. Users need to be part of the security of an organisation. To achieve this, organisations need to innovate in how they communicate and engage with staff to make them feel like they are the ones tasked with defending their organisation - not that it is someone else's responsibility to do so on their behalf.

For defence, bigger is better Fourth, to be effective, cyber defence needs scale and it needs to cross borders. The threats we face are international and the financial system we defend is global, and interconnected. We need to cooperate. One aspect of cooperation is sharing information on threats and incidents. Beyond vulnerabilities, we all have an interest in broad cooperation in this

P a g e | 16


area. Progress is reportedly being made. A BCBS survey found that 75% of banks have mandatory or voluntary cyber risk information-sharing arrangements in place. However, only 30% of their regulators had equivalent arrangements. We need to do more. Another cooperative aspect is in the services, tools and software provided for cyber security. We cannot all be the best at everything. Even larger international companies can struggle to do everything themselves. We need to learn from one another, and we need to know who we can trust to provide services for us. The current pool of service providers is international. Sophisticated IT or security companies do not operate purely domestically, even in the largest countries. Yet the accreditation schemes to help guide people towards the best service are currently domestic. Extending the schemes currently provided by some national governments or agencies internationally could help. It is also worth noting that economies of scale in this area are not a one-way street. There are challenges to putting all our eggs in one basket. For example, while cloud computing may bring significant efficiency and security benefits, we need to cooperate to ensure that arrangements are safe.

Cyber is not going away Finally, cyber risk is here to stay. Many risks can be tied to an economic or business cycle, but cyber is not one of them. It will not disappear overnight or be "solved". Therefore we can engage in some longer-term thinking about how to tackle it, and plan for the future. Central banks realise this, and also appreciate that we need more technical cyber expertise. Yet cyber experts are hard to find and, once hired, they need to keep up to date. Significant training and experience are required to transform new recruits into cyber security professionals. However, this is not a new problem. We had a similar issue with bank supervisors, which was one of the driving factors behind setting up the Financial Stability Institute at the BIS, which celebrated its 20th anniversary last year. Now that we are in a similar situation, the BIS is again helping to coordinate international central bank efforts to train and develop the next generation of central bank staff.

P a g e | 17


Concluding thought I close with this thought: Coordinating our efforts is important, but we cannot coordinate work that is not shared. There can be no sharing without trust. That is why central banks - institutions that are experts in trust - have such a vital role to play in bringing people together. Many thanks to our hosts, the Bank of France, who are demonstrating this today. The Convention on Cybercrime of the Council of Europe (CETS No.185), known as the Budapest Convention:

https://www.coe.int/en/web/cybercrime/the-budapest-convention To read more:

https://www.bis.org/cpmi/publ/d146.htm https://www.bis.org/bcbs/publ/d454.htm

https://www.coe.int/en/web/cybercrime/the-budapest-convention

https://www.bis.org/cpmi/publ/d146.htm

https://www.bis.org/bcbs/publ/d454.htm

P a g e | 18


Number 3

PCAOB Announces New Liaison for Investors, Audit Committees, and Preparers

The Public Company Accounting Oversight Board announced that Erin Dwyer has been named deputy director of the Office of External Affairs where she will serve as the direct point of contact for and liaison to investors, audit committees, and preparers. As outlined in its 2018-2022 Strategic Plan, the PCAOB is committed to advancing its engagement with investors, audit committees, and preparers. This newly-created role will be dedicated to expanding outreach to and events for these key stakeholders. "The Board is dedicated to enhancing transparency and accessibility through proactive engagement," said PCAOB Chairman William D. Duhnke. “Erin brings more than twenty years of experience working with investors and in the past several years, audit committees and preparers, which will be critical to the Board’s ability to cultivate a more dynamic dialogue with them. We encourage investors, audit committees, and preparers to reach out to Erin at any time with questions or feedback for the PCAOB.” Prior to joining the PCAOB, Ms. Dwyer served as managing director of stakeholder engagement and communications at the Center for Audit Quality, where she led strategic initiatives to build and strengthen relationships with key capital markets participants, including institutional investors, boards of directors, issuers, and other key governance leaders. She started her career as a sell-side analyst for eight years in Prudential Financial’s Washington D.C. equity research office. "This Board is undertaking significant, positive steps to connect with its stakeholders, solicit their views, and provide relevant and useful information to all interested parties," said Ms. Dwyer. "I am delighted to join the PCAOB and Office of External Affairs at this exciting time and look forward to continuing to work with key members of the capital markets ecosystem." Ms. Dwyer can be reached at [email protected] or (202) 591-4176.

P a g e | 19


Number 4

Modelling the Cognitive Work of Cyber Protection Teams Colonel Stoney Trent, Dr. Robert R. Hoffman, Lieutenant Colonel David Merritt, Captain Sarah Smith

Cyber Protection Teams (CPTs) defend our Nation’s critical military networks. While Cyber Security Service Providers are responsible for the continuous monitoring and vulnerability patching of particular networks, CPTs perform threat-oriented missions to defeat adversaries within and through cyberspace. Each 39-person CPT must be able to work with network security teams and other CPTs to counter cyber threat actors. When fully operational, the Cyber Mission Force will include 68 CPTs, which will be manned, trained and equipped by the Military Service Departments. Within the Cyber Mission Force, CPTs are allocated to an operational command and aligned with one of four mission areas: Combatant Command (CCMD), Service Department (Army, Navy, Air Force, and Marine Corps), Department of Defense Information Network (DODIN), and National Threats. To maximize flexibility, these teams must be able to perform reliably as well as be interchangeable and interoperable. CPTs must be able to perform three basic types of missions. 1. Survey: Short duration assessments that provide the supported organization with recommended mitigations based on an assessment of network vulnerabilities. 2. Secure: Harden and defend cyber key terrain; and 3. Protect: Time-sensitive deployments that include Survey and Secure tasks, but also include helping an organization recover from the effects of a cyber intrusion. The research we report here provides a descriptive workflow of cyber defense in CPTs as well as a prescriptive work model that all CPTs should be

P a g e | 20


capable of executing. Work models, such as the one described here, provide a foundation for improvements to work processes.

P a g e | 21


As an illustration of required or desired workflows, work models provide a bridge to common ground between researchers and practitioners, particularly when the work domain is difficult to access, or is esoteric. The model in this report has multiple purposes. The first purpose is to inform the design of experiments to assess current and emerging technologies for operational fit. The second is to educate developers, who may have limited knowledge of CPT work, about the tasks that require technical support. The third is to inform revisions to operational doctrine. Finally, this model is meant to provide the basis for operational and strategic planning of defensive cyberspace operations. To read more (at page 127) you may visit: https://cyberdefensereview.army.mil/Portals/6/CDR_V4N1_FULL_WEB.pdf?ver=2019-04-30-102349-643

https://cyberdefensereview.army.mil/Portals/6/CDR_V4N1_FULL_WEB.pdf?ver=2019-04-30-102349-643

https://cyberdefensereview.army.mil/Portals/6/CDR_V4N1_FULL_WEB.pdf?ver=2019-04-30-102349-643

P a g e | 22


Number 5 Occasional Paper No. 95

Is This the Beginning of the End of Central Bank Independence? Kenneth Rogoff, Published by Group of Thirty, Washington, D.C., May 2019

Central bank independence in advanced economies stands at a crossroads. Post-financial crisis, the public has come to expect central banks to shoulder responsibilities far beyond their power, and even farther beyond their remit. At the same time, populist leaders have been pressing for having much more direct oversight and control over central bank policy choices. Central banks have long been under assault from the right for expanding their balance sheets too much during the financial crisis, but now they are under attack from the ascendant left for expanding their balance sheets too little. Just a short while ago, central bank independence had been celebrated as one of the most effective policy innovations of the past four decades, one that has led to a dramatic fall in inflation worldwide. Are today’s attacks an aberration or a sign of a deeper malaise? Here I will argue that the case for having independent, technocratically competent central banks is as strong as ever. If independence is taken away and inflation eventually rises back to uncomfortable levels, governments may find it harder to reestablish anti-inflation credibility than many now think, for some of the same reasons as the failure to reestablish the gold standard after World War I. Credibility, once lost, can be difficult to regain. To read the paper:

https://group30.org/images/uploads/publications/G30_CentralBankIndependence.pdf



P a g e | 23


Number 6 Irving Fisher Committee on Central Bank Statistics, IFC Bulletin No 50

The use of big data analytics and artificial intelligence in central banking Proceedings of the IFC – Bank Indonesia International Workshop and Seminar in Bali, May 2019

Executive summary Information and internet technology has fostered new web-based services that affect every facet of today’s economic and financial activity. This creates enormous quantities of “big data” – defined as “the massive volume of data that is generated by the increasing use of digital tools and information systems” (FSB (2017)). Such data are produced in real time, in differing formats, and by a wide range of institutions and individuals. For their part, central banks face a surge in “financial big data sets”, reflecting the combination of new, rapidly developing electronic footprints as well as large and growing financial, administrative and commercial records. This phenomenon has the potential to strengthen analysis for decision-making, by providing more complete, immediate and granular information as a complement to “traditional” macroeconomic indicators. To this end, a number of techniques are being developed, often referred to as “big data analytics” and “artificial intelligence” (AI). These promise faster, more holistic and more connected insights, as compared with traditional statistical techniques and analyses. An increasing number of central banks have launched specific big data initiatives to explore these issues. They are also sharing their expertise in collecting, working with, and using big data, especially in the context of the BIS’s Irving Fisher Committee on Central Bank Statistics (IFC); see IFC (2017). Getting the most out of these new developments is no trivial task for

P a g e | 24


policymakers. Central banks, like other public authorities, face numerous challenges, especially in handling these new data and using them for policy purposes. In particular, significant resources are often required to handle large and complex data sets, while the benefits of such investments are not always clear-cut. For instance, to what extent should sophisticated techniques be used to deal with this type of information? What is the added value over more traditional approaches, and how should the results be interpreted? How can the associated insights be integrated into current decision-making processes and be communicated to the public? And, lastly, what are the best strategies for central banks seeking to realise the full potential of new big data information and analytical tools, considering in particular resource constraints and other priorities? To read the paper: https://www.bis.org/ifc/publ/ifcb50.pdf

https://www.bis.org/ifc/publ/ifcb50.pdf

P a g e | 25


Number 7

Flipboard NOTICE OF SECURITY INCIDENT

Flipboard recently identified and addressed a security incident involving a subset of user data. We know transparency is important to our community, and we have created this page to share what we have learned from our investigation, measures we have taken, and what steps users can take in response.

What happened We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.

What information was involved The databases involved contained some of our users’ account information, including name, Flipboard username, cryptographically protected password and email address. Flipboard has always cryptographically protected passwords using a technique known by security experts as “salted hashing”. The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computer resources to crack these passwords. If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.

P a g e | 26


Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account. We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens. Importantly, we do not collect from users, and this incident did not involve, Social Security numbers or other government-issued IDs, bank account, credit card, or other financial information.

What we are doing As a precaution, we have reset all users’ passwords, even though the passwords were cryptographically protected and not all users’ account information was involved. You can continue to use Flipboard on devices from which you are already logged in. When you access your Flipboard account from a new device, or the next time you log into Flipboard after logging out of your account, you will be asked to create a new password. As another precautionary step, we disconnected tokens used to connect to all third-party accounts, and in collaboration with our partners, we replaced all digital tokens or deleted them where applicable. Additionally, to help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. We also notified law enforcement.

What you can do You can continue to use Flipboard without further action. However, next time you log into your account, you will notice your Flipboard account password needs to be updated. You will find instructions on our support page (linked below) explaining how to create a new password. Also, if you use the same username and password you created for Flipboard for any other online service, we recommend you change your password there, too.

P a g e | 27


If you connected your Flipboard account to a third-party account to see its content, you may notice in some cases that you need to reconnect it. On our support page you will also find instructions for how to do this. To learn more:

https://about.flipboard.com/support-information-incident-May-2019/

https://about.flipboard.com/support-information-incident-May-2019/

P a g e | 28


Number 8

CPMI quantitative review of correspondent banking data

Cross-border payments are vital for global trade and for migrants who send remittances home, yet they are generally slower, more expensive and more opaque than domestic payments. Most cross-border payments flow through the so-called "correspondent banking network" - a network that is reportedly shrinking and becoming more concentrated.

What is correspondent banking? In the context of cross-border payments, a "correspondent bank" provides local account and payment services for banks based abroad - collectively forming the correspondent banking network. Correspondent banks make their payments by sending SWIFT messages to one another that include instructions to debit or credit their accounts. Depending on which relationships are in place (ie where a bank has an account, and can therefore send a payment), several payments between different intermediary correspondent banks might be necessary for a single underlying transaction (a "payment chain"). The data set published by the CPMI is made up of monthly payment message data, covering more than 200 jurisdictions. From these payment messages, "active correspondents" (ie banks that have sent or received at least one message in the year) and "active corridors" (ie a single-direction jurisdiction pair (eg the UK to France would be one corridor and France to the UK would be another) that processed at least one payment message in the year) can be identified. Payment chains cannot currently be identified. In the charts and tables provided, information on different regions, jurisdictions, and currencies is included. To help monitor this, the CPMI will publish, for five years, an annual quantitative review based on data that SWIFT has kindly agreed to provide.

P a g e | 29


The review includes: (i) a commentary, highlighting key trends; (ii) a chartpack; and (iii) the underlying data. To read more:

https://www.bis.org/cpmi/paysysinfo/corr_bank_data/corr_bank_data_commentary_1905.htm https://www.bis.org/cpmi/paysysinfo/corr_bank_data/chartpack_1905.pdf https://www.bis.org/cpmi/paysysinfo/corr_bank_data.htm

https://www.bis.org/cpmi/paysysinfo/corr_bank_data/corr_bank_data_commentary_1905.htm

https://www.bis.org/cpmi/paysysinfo/corr_bank_data/corr_bank_data_commentary_1905.htm

https://www.bis.org/cpmi/paysysinfo/corr_bank_data/chartpack_1905.pdf

https://www.bis.org/cpmi/paysysinfo/corr_bank_data/chartpack_1905.pdf

https://www.bis.org/cpmi/paysysinfo/corr_bank_data.htm

P a g e | 30


Number 9

Fix released for Windows vulnerability discovered by NCSC

Microsoft has released a fix for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. Microsoft has credited the National Cyber Security Centre for privately reporting the vulnerability. For background, NCSC works with vendors to help mitigate critical security issues before they cause real harm. We have a history of disclosing vulnerabilities to major software vendors and the disclosure of CVE-2019-0708 to Microsoft is an example of that. There is currently no observed exploitation of this vulnerability, however it poses a serious threat. Microsoft have taken the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected. Patches for Windows XP and Server 2003 must be applied manually and are available here. The NCSC recommends that organisations and individuals apply Microsoft’s May security patches as soon as possible. In particular, organisations should focus on the following: - external facing RDP servers - critical servers such as domain controllers and management servers - non-critical servers but those with RDP enabled - the rest of the desktop estate

Update Windows vulnerability still affecting nearly 1 million computers The vulnerability, which was privately reported to Microsoft by the NCSC, affects older versions of Windows and it poses a serious threat. The NCSC works with vendors to help mitigate critical security issues before they cause real harm.

P a g e | 31


The vulnerability, which has been dubbed BlueKeep, has gathered more traction in the mainstream press this week. You can read further detail in the Threat Report issued on the 17th May, but our advice still stands - keep your systems up-to-date and patched. Further information about the May 2019 security updates can be found on Microsoft’s website: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

P a g e | 32


Number 10

ENISA's workshop in Warsaw to discuss innovation in the context of National Cyber Security Strategies

On 26 September 2019, ENISA will organise in Warsaw a workshop in cooperation with the Polish National Research Institution NASK to discuss innovation in the context of National Cyber Security Strategies (NCSS). The discussions will focus on national objectives and priorities supporting research and innovation of cybersecurity technologies and services. National experts will have the opportunity to share good practices and discuss gaps and challenges related to funding, incentives, collaboration mechanisms and policy initiatives that shape the national or the European market. In addition, the workshop will also cover aspects related to Information Sharing and Analysis Centres (ISACs), as well as public private co-operation.

Target audience People who are involved in the development, implementation, and evaluation of national cyber security strategies (NCSS) and people involved in ISACs, more specifically: - National policy and decision makers; - Legislators, regulators, and national authorities; - Private sector; - Academia. Experts from different Member States will be invited to present and discuss their views on the topics.

Registration You may visit: https://ec.europa.eu/eusurvey/runner/NCSSWorkshop

https://ec.europa.eu/eusurvey/runner/NCSSWorkshop

P a g e | 33


Disclaimer The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them. This information: - is of a general nature only and is not intended to address the specific circumstances of any individual or entity; - should not be relied on in the context of enforcement or similar regulatory action; - is not necessarily comprehensive, complete, or up to date; - is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility; - is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional); - is in no way constitutive of an interpretative document; - does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here; - does not prejudge the interpretation that the Courts might place on the matters at issue. Please note that it cannot be guaranteed that these information and documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However, some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility regarding such problems incurred because of using this site or any linked external sites.

P a g e | 34


International Association of Risk and Compliance Professionals

You can explore what we offer to our members: 1. Membership – Become a standard, premium or lifetime member. You may visit: www.risk-compliance-association.com/How_to_become_member.htm Become a lifetime member of the association, and to continue your journey without interruption and without renewal worries. You will get a lifetime of benefits as well. You can check the benefits at: www.risk-compliance-association.com/Lifetime_Membership.htm 2. Weekly Updates - Subscribe to receive every Monday, the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next: http://forms.aweber.com/form/02/1254213302.htm 3. Training and Certification - The Certified Risk and Compliance Management Professional (CRCMP) training and certification program has become one of the most recognized programs in risk management and compliance. There are CRCMPs in 32 countries around the world. Companies and organizations like Accenture, American Express, USAA etc. consider the CRCMP a preferred certificate. You can find more about the demand for CRCMPs at: www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf For the distance learning programs, you may visit: www.risk-compliance-association.com/Distance_Learning_and_Certification.htm For instructor-led training, you may contact us. We can tailor all programs to meet specific requirements. We tailor presentations, awareness and training programs for supervisors, boards of directors, service providers and consultants.

http://www.risk-compliance-association.com/How_to_become_member.htm

http://www.risk-compliance-association.com/Lifetime_Membership.htm

http://forms.aweber.com/form/02/1254213302.htm

http://www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf

http://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

http://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

P a g e | 35


Some CRCMP jobs:

4. IARCP Authorized Certified Trainer (IARCP-ACT) Program - Become a Certified Risk and Compliance Management Professional Trainer (CRCMPT) or Certified Information Systems Risk and Compliance Professional Trainer (CISRCPT). This is an additional advantage on your resume, serving as a third-party endorsement to your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility. To learn more, you may visit: www.risk-compliance-association.com/IARCP_ACT.html

http://www.risk-compliance-association.com/IARCP_ACT.html

http://www.risk-compliance-association.com/IARCP_ACT.html

P a g e | 36


5. Approved Training and Certification Centers (IARCP-ATCCs) - In response to the increasing demand for CRCMP training, the International Association of Risk and Compliance Professionals is developing a world-wide network of Approved Training and Certification Centers (IARCP-ATCCs). This will give the opportunity to risk and compliance managers, officers, and consultants to have access to instructor-led CRCMP and CISRCP training at convenient locations that meet international standards. ATCCs use IARCP approved course materials and have access to IARCP Authorized Certified Trainers (IARCP-ACTs). To learn more: www.risk-compliance-association.com/Approved_Centers.html

http://www.risk-compliance-association.com/Approved_Centers.html

http://www.risk-compliance-association.com/Approved_Centers.html

monday, june 10, 2019 · transactions rely on distributed ledger technology (dlt), sometimes...

Documents