The ICCR, the recognized international standard setter in credit reporting and of which BIIA is a founding member, has published two separate guidance notes covering cybersecurity in credit reporting and approaches to credit scoring.
Cybersecurity in Credit Reporting
On the guidance on cybersecurity in credit reporting, Neil Munroe, Deputy Managing Director of BIIA, who is also Deputy Chair of the ICCR and who chaired the Committee's Cybersecurity Working Party, writes:
The importance of credit reporting systems to the global financial system has been increasing over time. Robust credit reporting systems can promote not only access to affordable and sustainable credit for individuals and companies but also financial stability and economic growth. Credit reporting service providers (CRSPs) have been at the frontier of technology adoption to enhance their efficiencies as well as data acquisition, processing, and storage capabilities.
The credit reporting industry landscape has changed over the past decade with the adoption of new technologies and business models and the emergence of new players helping improve the speed of service provided and the quality and completeness of credit data.
These positive changes in the credit reporting ecosystem, however, also present a source of risk for CRSPs. Several CRSPs have been subject to data breaches, denial-of-service attacks, and phishing attacks, among other cyber incidents in the past decade.
The incidents have resulted in severe financial, economic, operational, and reputational loss for the targeted organization and the industry at large. The implications can also be far reaching owing to increasing interconnectedness of the financial sector.
Against this background, the ICCR believes there is a need for enhanced cybersecurity and data standards at the CRSP and jurisdiction levels.
The guideline, which can be accessed on the World Bank website via the following link http://pubdocs.worldbank.org/en/735641585870130697/Cybersecurity-in-credit-reporting-guideline-final.pdf, provides findings of a landscaping survey conducted by the Committee across the globe on current practices, detailed guidance to CRSPs on managing cybersecurity and data privacy risk, and policy considerations that address some of the weaknesses identified in the survey.
The survey that was undertaken found that CRSPs across the globe were generally implementing cybersecurity practices. It also identified the following key issues and characteristics:
- CRSPs have been subjected to fewer attacks than have data providers and other prominent institutions.
- The most common incident among CRSPs has been denial of service.
- The majority of jurisdictions have enacted legislation or regulations to deal with cybersecurity and information security. The central bank emerged as the regulatory authority for most of the respondents. All but one of the jurisdictions place an obligation on CRSPs to notify the affected parties.
- CRSPs have broadly embedded cyber and information security in their governance processes. They are also building capacity for both staff members and board members. A growing number of CRSPs have created a position of Chief Information Security Officer (CISO) or its equivalent that is responsible for cyber and information security.
- Cyber insurance is gaining prominence as one of the risk mitigation options.
- CRSPs are increasingly considering outsourcing of their critical services.
- The sharing of information on cyber incidents is gaining momentum; the majority of CRSPs participate in industry programs designed to promote information sharing. Third parties are also significantly contributing to information sharing.
- CRSPs are increasingly committing specific resources to improve their cybersecurity capabilities.
- The majority of CRSPs have a formal risk management framework that includes cyber risk as one of the risk areas. Institutions are also recognizing the importance of an internal audit as a central pillar in cybersecurity.
- Most CRSPs have documented incident response plans; however, notable gaps were observed with respect to partnerships with a computer emergency response team (CERT), external communications, and simulation exercises.
- CRSPs have implemented programs to monitor and prevent breaches and certain rules to control printing of sensitive information.
- CRSPs are successfully implementing controls against cyber risks.
The guidance to CRSPs on managing cybersecurity and data privacy risk provided in the report focuses on the areas of strategy, governance, risk management, compliance, functional operations, technology operations, data privacy, awareness and education, information sharing and communications, and incident response and business continuity. The report emphasizes the need to ensure a risk-based approach and proportionality in the application of the guideline.
About the ICCR:
The ICCR is the only recognized international standard setter in credit reporting. The Committee is responsible for (i) further developing the internationally agreed framework, (ii) identifying areas for further consideration and (iii) devoting resources to the elaboration of papers, reports, guidelines and other relevant materials that will effectively support the adequate implementation of the General Principles. The ICCR supports a forward-looking and broad approach to specific issues while achieving consensus in policy aspects that affect the public interest. To this end, the ICCR has developed the General Principles for Credit Reporting (2011), the report Facilitating SME Financing through Enhanced Credit Reporting (2014), The Role of Credit Reporting in Supporting Financial Regulation and Supervision (2016) and the Policy Brief on Credit Reporting Contribution to Financial Inclusion (2017). All these documents are part of the Standards and comprise the framework for credit reporting systems.
To learn more about the ICCR, click on this link: https://www.worldbank.org/en/topic/financialsector/brief/international-committee-on-credit-reporting