Update on Cybersecurity

September 16, 2016

Bankers Push Cybersecurity



A committee of central bankers is looking to draft international guidelines covering cybersecurity responsibilities for banks and fund transfer providers, aiming to make the global payments system safer, said people familiar with the plans.

The group plans to devise a framework that will divvy up cybersecurity responsibilities between sending and receiving banks, as well as at payment infrastructure providers, the people said.

The guidelines are being put together by the Committee on Payments and Market Infrastructures, which was convened by the Bank for International Settlements to analyze cross-border payment and settlement networks in an effort to protect the banking system.

The effort comes as the financial messaging system Swift and some of its member banks have attracted scrutiny in the wake of recent cyberattacks at customer sites. In February, cyberthieves made off with $81 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York.

The committee aims to set out a global framework for cybersecurity standards where one doesn’t exist. Its challenge is that guidelines from such international groups tend to have limited enforceability by law, because each jurisdiction involved can choose what policies to adopt.

Rep. Barry Loudermilk (R., Ga.)—chairman of the subcommittee on oversight for the U.S. House Science, Space and Technology Committee, which is reviewing the Bangladesh Bank incident—said Federal Reserve explanations of how recent cyberattacks occurred “raise additional questions.”

“It is troubling to me that bad actors were able to successfully extract millions of dollars from the Federal Reserve banking system,” he said. “My subcommittee is working to find out how this happened and how to prevent it from happening again.”

Workers at the New York Fed don’t manually screen most central-bank payment orders as they come in, and instead rely heavily on authentication by Swift, known formally as the Society for Worldwide Interbank Financial Telecommunication.

This summer, Swift became subject to a new set of cyber rules also developed by the payments committee and the International Organization of Securities Commissions. Those rules, once implemented, will require Swift and financial market-infrastructure providers to prove they can resume operations within two hours of a disruption.

A Swift spokeswoman had no immediate comment. A spokesman for the National Bank of Belgium, which is the lead overseer of Swift, declined to comment on its specific oversight actions on the company. Benoît Coeuré, chairman of the Committee on Payments and Market Infrastructures, wasn’t immediately available to comment.


Rise at 11? China’s Single Time Zone Means Keeping Odd Hours


Some days, the sun doesn’t come up until 10 a.m. or later. People eat lunch after 2 p.m., or even after 4 if they’re not in a rush. The school day stretches so late that children can’t get home in time to catch their favorite cartoon shows.

Why are the clocks in Urumqi, China, so far out of kilter with the cycles of the sun? Because of a legacy of Mao Zedong and the Communist Party’s desire for unified control. Though China is almost as wide as the continental United States, the whole country is officially in just one time zone — Beijing time.

So when it’s 7 a.m. in the Forbidden City, it’s also officially 7 a.m. 2,000 miles to the west in Urumqi, the capital of the Xinjiang region — even if the stars are still out there.

That can lead to headaches — and lost sleep. “It’s hard to adjust,” says Gao Li, a sanitation worker in Urumqi. “I often think we must be the only people who eat dinner at midnight.”

So schools, airports and train stations operate at odd hours; national exams are sometimes given in the dead of night; and restaurants stay open for dinner into the wee hours.

The eccentricities of the clock also tend to divide people in Xinjiang by ethnicity. The Uighurs, Turkic-speaking Muslims who consider the region their homeland, tend to set their clocks two hours earlier, to more closely match the local day. But the Han Chinese who live there, members of China’s predominant ethnic group, generally follow Beijing time. The discrepancies can be a source of confusion and frustration, especially for younger people who frequently socialize across ethnic lines.

Jin Xiaolong, 28, who teaches parkour, a French athletic discipline, says scheduling classes with his Uighur friends in Urumqi can be a challenge.

“I used to arrive early, all alone,” he said. “I’d go to a restaurant to eat, wait some more, and eventually grow impatient and start practice by myself.”

Now, he makes a point of clarifying to his friends: He only deals in Beijing time.



2016 Sep 08

Multinational Companies Wary of Transatlantic Data-Transfer Agreement

A survey shows multinational companies remain wary of a new international data-transfer agreement between the United States and the European Union, and many are relying on contract provisions that could be invalidated by Europe’s highest court. The survey of 600 privacy professionals, conducted in June and July, found only about one-third say they plan to use the agreement, known as Privacy Shield, which allows businesses to transfer personal data on European citizens to the United States. The European Commission says 103 companies have been certified under Privacy Shield since the U.S. Commerce Department began accepting applications, and the Commerce Department is reviewing the privacy policies of 190 other companies. By comparison, more than 4,000 firms had been certified under an earlier agreement, known as Safe Harbor, before it was invalidated by the European Court of Justice last year.

In the survey, by the International Association of Privacy Professionals and consulting firm EY, 81 percent of respondents said they are relying on model contract clauses approved by the European Union to transfer personal data on EU citizens. But those clauses are considered likely to be invalidated by the European Court of Justice, which would again expose companies to sanctions for moving data improperly. Legal experts say the model clauses are on shaky legal ground because they do not adequately restrict the access of U.S. authorities to data of European citizens. The court used similar reasoning in striking down Safe Harbor. Legal experts offered several reasons why companies are not embracing Privacy Shield, including the possibility that it, too, will be invalidated. Another reason companies may be holding off is that another set of rules, known as the General Data Protection Regulation (GDPR), is scheduled to take effect in May 2018, meaning the Privacy Shield regime may have a limited lifespan. The GDPR rules are much broader, including, for example, the so-called right to be forgotten that forces companies to delete personal data of European citizens upon request. In the survey, 89 percent of respondents said they are taking steps to comply with the GDPR rules, reports the Wall Street Journal (7 September, Heide).

From “Multinational Companies Wary of Transatlantic Data-Transfer Agreement”
Abstract News © 2016 Information, Inc.