Central bank beefs up internal cybersecurity controls

  • Lusa
  • 11 February 2022

Portugal's central bank revealed that it had "intensified and directed the focus of internal controls" of cybersecurity.

The Bank of Portugal told Lusa on Thursday that it had “intensified and directed the focus of internal controls” of cybersecurity because of recent cyber-attacks in Portugal.

“The Bank of Portugal (BoP), within its internal processes and its cybersecurity activities, has intensified and directed the focus of internal cybersecurity controls on the threats that seem to be emerging with recent attacks,” an official source from the institution, led by Mário Centeno, said in response to questions from Lusa.

Asked whether the institution had strengthened digital security after the recent cyber-attacks, the Portuguese central bank explained that it “has implemented a model of governance of cybersecurity, which includes processes and procedures for response and recovery to cyber-attacks” and that the updating of these processes and procedures “is always done in a logic of continuous improvement, namely from lessons learned from tests and simulations that are carried out periodically”.

The European Central Bank (ECB) on Thursday asked banks in the eurozone to prepare for possible economic sanctions against Russia if there is no détente in the crisis with Ukraine.

Andrea Enria, president of the ECB’s supervisory board, told a virtual press conference that direct exposures of eurozone banks to Russia are “contained” and not very high, and are therefore not a significant concern; the concern has more to do with sanctions and possible turbulence in financial markets if tensions between Ukraine and Russia escalate further.

Asked about the issue, the BoP said it “has implemented several actions to assess and act on the information and communication technology risk of these institutions”, having defined the cybersecurity risk and operational resilience of institutions as a supervision priority of the Single Supervisory Mechanism (SSM) for the period 2022-2024 “and will continue to intensify its supervisory actions in this area”.

“There is, in this context, a close and continuous supervisory dialogue of the Banco de Portugal and the ECB with supervised institutions to ensure that they comply with applicable regulatory requirements, alongside continuous monitoring on cybersecurity risk management. Factors such as the growing digitalisation of banking services, among others, increase institutions’ exposure to cybersecurity risk. This context justifies the relevance and concern with the topic by the Supervisory Authorities, including the Banco de Portugal, which is translated into their actions,” an official source from the Portuguese regulator told Lusa.

The BoP said that in 2021 it set up a Forum with the Industry for Cybersecurity and Operational Resilience to “strengthen the financial sector’s robustness in this matter, through greater articulation and coordination between the main institutions and the relevant Competent Authorities, and promote the development of highly complex initiatives for the management of cybersecurity risk”. It also recently published a set of recommendations on business continuity management.

An official source from the BoP also noted that the institution, “within the scope of its supervisory powers, has close contact and develops joint efforts with the other National Competent Authorities on this matter, namely the National Cyber Security Centre”.