Speech by Director Tim Hermans

Speech by Director Tim Hermans at the CISO conference organised by the DNB and the NBB, 26 October 2023

Good morning, everyone.

First, I'd like to thank Nicole for kicking things off. That makes it easier for me, and I can keep it a little shorter. Unlike Nicole, I will not confess to anything, though I must agree on many points.

For starters, cybersecurity is indeed a global problem. Let me give you some statistics for 2023. Almost every 10 seconds, somewhere in the world, there is a ransomware attack on an organisation.

In the past few months, 300,000 instances of malware have been generated per day. Every day.

A cyber report I read a few days ago mentioned that [in 2022] malware was up for the first time since 2018, with year-on-year growth of 2%, surging to 5.5 billion cyberattacks in a single year.

And when we take a look at our own sector, we see that there has been a significant uptick in recent years in the frequency and sophistication of attacks in the financial and banking industry. According to numbers from a cybersecurity service provider, cyberattacks on European financial services firms more than doubled between Q2 2022 and Q2 2023, surging 119% in that period.

Now as is the case with so many facets of society, there are mainly two things that drive modern-day cyberattacks: money and power, probably both in quite a few cases. On the one side, criminal organisations use the digital [realm] for monetary gain and, on the other side, nation-state actors use it to (try to) influence the balance of power, especially in the light of important geopolitical events, of which we have had our fair share in the last few years.

It goes without saying that these events, continuations of conflicts of the past, present and most likely future, only feed what is smouldering on the dark side of the Internet. As for organised crime groups, they are not becoming less criminal ... if anything they are becoming even more organised.

Nicole also indicated that 2018 was a turning point in the cyber threat landscape. And that’s absolutely true because in 2018, TIBER-BE was launched. This marked the first “official” implementation of TIBER-EU! Technically, TIBER-NL was implemented before TIBER-EU, so we never miss an opportunity to clarify this awkward situation. But all jokes aside, we really appreciate the great help and inspiration provided by our Dutch colleagues during the first years of our programme.

Since then, we have accompanied many tests. Whether alone or together with other authorities, we have learnt a lot, and we hope that you, as CISOs, have too.

Even in this brave new world, one of our main missions remains to ensure financial stability. IT systems, including their strengths but also their weaknesses, are paramount in fulfilling this mission. New technologies are emerging and are defining the rules for the chapters to come.

WormGPT, FraudGPT, DarkBERT, phishing emails and other social engineering campaigns with near-perfect pretexts, unskilled hackers abusing new generative AI to deploy elaborate malware ... and this is only the beginning.

But one aspect has always been, and will always be, the weakest link: the human factor. This is yet another reason why we should continue to work together, share experience and knowledge, and carry on building stronger cyber security awareness in the financial sector.

On the legal front, changes and developments are also in sight. We have for example NIS2, PSD3 and of course DORA. DORA is indeed approaching but rest assured: TIBER is the best preparation and most likely the best implementation of DORA TLPT, the specific articles on threat-led penetration testing.

The biggest challenge will not be the tests themselves, at least not for you as you are (more than) familiar with TIBER. Growing from 14 [national] implementations to 28 will not be an easy task. Finding sufficient capable and trustworthy suppliers, aligning the conduct of tests across Europe, and evolving together with the cyber threat landscape are three of the many challenges we will face in the next five years.

Let me conclude on a positive note, though. Whatever DORA brings, our teams will be there to assist you with the tests, to aim for the best possible added value, to build a sense of community and trust, and to invite you to share and connect, very much as we are doing here today.

We hope, we believe… allow me to correct myself, we know that you will be part of this journey and we are certain you will continue to share and connect, because as Nicole stated very well, only together can we tackle the challenges of the future.

Thank you.