BYOK: a Solution for EBA’s New ICT and Security Risk Management Guidelines

The European Banking Authority's (EBA’s) new ICT and Security Risk Management Guidelines provide guidance for cybersecurity requirements for financial institutions and third-party partners.

As of June 30, 2020, financial institutions throughout the EU are required to follow the cybersecurity requirements that are provided under the EBA's new Guidelines on ICT and Security Risk Management. These requirements replace the previous guidelines that were issued in 2017 and apply not only to the financial institutions themselves but also to any third party providers they might use.

Guidelines for Using Third-Party Providers

Section 3.2 of the EBA’s Guidelines on ICT and Security Risk Management addresses the guidelines for managing and mitigating ICT and security risks by establishing sound internal governance and internal controls for the staff and management bodies of financial institutions. However, with more financial institutions taking on expanded business models that offer a wider variety of products and service options for their customers, ICT and security risks for third party providers must also now be taken into consideration to protect customer, transaction, and payment data. 

Under the Guideline’s 3.2.3. – Use of Third Party Providers, the EBA requires that financial institutions:

• Should ensure that when they outsource operational functions of their payment services or ICT services and ICT systems activities to third parties or group entities, that their risk-mitigating measures that are defined by their risk management framework are effective. These measures are included in the Guidelines on ICT and Security Risk Management and should be used without prejudice to the EBA’s Guidelines regarding outsourcing arrangements (EBA/GL/2019/02) and PSD2’s Article 19.
• To ensure continuity of ICT services and systems, their contracts and service level agreements with third-party providers, group entities, or outsourcing providers shall include for both normal operations and service disruption events:
  • Minimum requirements for cybersecurity
  • Requirements for data encryption
  • Data life cycle specifications
  • Network security
  • Security monitoring processes
  • Data center locations
• Information security-related objectives and measures that are appropriate and proportionate to the scope of operations, such as:
• Handling procedures for operational and security incidents, including escalation and reporting procedures
• Should monitor and seek assurance that their third-party providers, group entities, or outsourcing providers are maintaining the level of compliance with security objectives, measures, and performance targets required by the institution.

Bring Your Own Key (BYOK) and Manage Your Own Key (MYOK) for mitigating ICT and security risks

Having control over cryptographic keys is mandatory to assure sound governance and establishing  internal governance and internal controls. Cryptographic security, operational security, security incident handling, monitoring, and control can only be maintained when banks and other financial institutions remain in control of their cryptographic keys using both logical and physical security methods.

An appropriate example of a security model for this might be:

The bank’s security administrator can activate / customize data encryption.

No matter which applications the bank runs, encryption applies to

• Data at rest in the database
• In transit between user devices or between the data centers (e.g., during synchronization)
• Public endpoints through TLS

For end-to-end banking-grade encryption and key management, the main characteristics needed are:

• Consistent encryption policies, and manageable from one central control center
• Auditable and compliant with data protection and banking regulations (PCI-DSS, FIPS 140-2, CC, PSD2, GDPR)
• Flexible and supporting easy and unhampered orchestration of services
• Universal over system boundaries including IBM mainframes and other legacy architecture
• Automated Bring Your Own Key (BYOK) 
• Comfortable and Automated “Manage Your Own Key” (MYOK) in the frame of banking grade key lifecycle management

With the right key management for BYOK in place, no third party employee will have ever access to unencrypted data and the bank will fully comply with the requirements of Guidelines 3.2.3.

References

• FINAL REPORT (EBA/GL/2019/04 - EBA Guidelines on ICT and security risk management  (29 November 2019), by the European Banking Authority EBA 
• Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
• Selected articles on Key Management in the Cloud (2017-today) by Matt Landrock, Rob Stubbs, Stefan Hansen, Ulrich Scholten, Joe Lintzen and more
• Key Management in a Multi-Cloud Environment - A blessing or a curse? (2017), by Johannes “Jo” Lintzen
• Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a key management system (2018), by Rob Stubbs

• NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker

• CKMS Product Sheet (2016), by Cryptomathic

• White Paper – Deploying CKMS Within a Business (2017), by Cryptomathic