Nos derniers articles

This peer review assesses the Dutch authorities' frameworks for monitoring cyber risks, implementing supervisory practices, and coordinating incident response mechanisms. Key findings highlight the Netherlands' significant progress, including the development of the Threat Intelligence-Based Ethical Red-teaming (TIBER) and Advanced Red Teaming (ART) frameworks, while also identifying areas for improvement, such as streamlining information sharing mechanisms and analyzing third-party risks. Overall, the report underscores the persistent challenges posed by the evolving threat landscape and the strategic steps taken by the Netherlands to maintain financial stability against operational and cyber threats.

Le G7 Cyber Expert Group analyse l’impact croissant de l’intelligence artificielle sur la cybersécurité du secteur financier. L’IA, notamment l’IA générative et les systèmes agentiques, offre des capacités avancées pour renforcer la détection des menaces, automatiser l’analyse d’anomalies, améliorer la réponse aux incidents et surveiller plus efficacement les fournisseurs et chaînes d’approvisionnement. Ces atouts peuvent accroître la résilience opérationnelle des institutions financières.

Parallèlement, l’IA génère de nouveaux risques. Les acteurs malveillants peuvent utiliser ces technologies pour créer des attaques plus sophistiquées, automatiser le développement de maliciels, produire des campagnes d’hameçonnage hautement personnalisées ou contourner des systèmes de défense. Les modèles d’IA eux-mêmes deviennent vulnérables à la manipulation des données, aux fuites d’informations ou aux attaques d’ingénierie sociale visant les systèmes automatisés.

Le rapport souligne que ces évolutions exigent une adaptation de la gouvernance, de la supervision, de la gestion des tiers et des compétences internes. Les institutions doivent intégrer la cybersécurité dans le développement et l’usage de l’IA, assurer une supervision humaine adéquate, protéger les données, renforcer la détection et la réponse aux incidents et investir dans les compétences spécialisées. Les autorités sont encouragées à actualiser leurs cadres de risque, à coopérer avec l’industrie et la recherche, et à promouvoir une IA sûre, fiable et transparente pour préserver la stabilité du système financier.

This paper explores the role of a cybersecurity engineer within existing cybersecurity workforce frameworks. It specifically compares how the NIST NICE Framework, the European Cybersecurity Skills Framework (ECSF), and the UK Cyber Security Council (UKCSC) pathways align with and diverge from the cybersecurity engineer job title. The research employs a machine learning methodology to analyze job advertisements from LinkedIn against these frameworks to identify commonalities in required Tasks, Knowledge, and Skills (TKS). The central finding suggests that while the engineer title is highly in demand, its functions are distributed across multiple work roles in these frameworks, with US-based frameworks focusing more on technical abilities and breach prevention, while UK/EU frameworks emphasize operational roles and risk assessment. Ultimately, the paper seeks to make recommendations for creating a distinct and standardized cybersecurity engineer career field to address workforce planning gaps.

This case study examines how a leading Australian financial organization operationalizes 𝗰𝘆𝗯𝗲𝗿-𝘁𝗵𝗿𝗲𝗮𝘁 𝗶𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 (𝗖𝗧𝗜), using military intelligence doctrine (the intelligence cycle) as a theoretical lens. The research, framed as a stakeholder-activity process model, reveals 𝗮 𝗳𝘂𝗻𝗱𝗮𝗺𝗲𝗻𝘁𝗮𝗹 𝗶𝗻𝘃𝗲𝗿𝘀𝗶𝗼𝗻 𝗼𝗳 𝗲𝘀𝘁𝗮𝗯𝗹𝗶𝘀𝗵𝗲𝗱 𝗶𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝗻𝗼𝗿𝗺𝘀.
Instead of strategic requirements driving CTI downward from leadership, 𝗶𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝗳𝗹𝗼𝘄𝘀 𝘂𝗽𝘄𝗮𝗿𝗱 𝗮𝗻𝗱 𝗼𝘂𝘁𝘄𝗮𝗿𝗱 from technology operations. This challenges the assumption of intelligence-led security in civilian contexts. The study finds 𝗼𝗿𝗴𝗮𝗻𝗶𝘇𝗮𝘁𝗶𝗼𝗻𝘀 𝗽𝗮𝗿𝗮𝗱𝗼𝘅𝗶𝗰𝗮𝗹𝗹𝘆 𝗹𝗶𝗺𝗶𝘁 𝗖𝗧𝗜'𝘀 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝗶𝗰 𝘃𝗮𝗹𝘂𝗲 𝗱𝘂𝗲 𝘁𝗼 𝗶𝘁𝘀 𝗹𝗼𝘄 𝗼𝗿𝗴𝗮𝗻𝗶𝘇𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗽𝗼𝘀𝗶𝘁𝗶𝗼𝗻𝗶𝗻𝗴, a 𝗸𝗻𝗼𝘄𝗹𝗲𝗱𝗴𝗲 𝗴𝗮𝗽 𝗯𝗲𝘁𝘄𝗲𝗲𝗻 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗮𝗻𝗱 𝗜𝗧, and a lack of strategically relevant analytical products. The findings provide an empirical explanation of CTI practice and a diagnostic model for bottom-up operationalization.

Addressing Adversarial Machine Learning (𝗔𝗠𝗟) in financial systems is like designing a bank vault: not only must the vault be robust enough to withstand sophisticated attacks (𝗔𝗠𝗟 𝗱𝗲𝗳𝗲𝗻𝘀𝗲𝘀), but regulators also require that the complex mechanisms inside are transparent and explainable to auditors (𝗲𝘅𝗽𝗹𝗮𝗶𝗻𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗿𝗲𝗾𝘂𝗶𝗿𝗲𝗺𝗲𝗻𝘁𝘀). Meanwhile, the bank must ensure that the security measures don't slow down transactions (𝗽𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲 𝗱𝗲𝗴𝗿𝗮𝗱𝗮𝘁𝗶𝗼𝗻/𝗮𝗰𝗰𝘂𝗿𝗮𝗰𝘆 𝘁𝗿𝗮𝗱𝗲-𝗼𝗳𝗳) and that its staff has the specialized knowledge to operate and repair the mechanism (𝘀𝗸𝗶𝗹𝗹𝘀 𝗴𝗮𝗽).

The EBA, alongside ESMA and EIOPA, plans 𝗷𝗼𝗶𝗻𝘁 𝗼𝘃𝗲𝗿𝘀𝗶𝗴𝗵𝘁 𝗼𝗳 𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗜𝗖𝗧 𝗧𝗵𝗶𝗿𝗱-𝗣𝗮𝗿𝘁𝘆 𝗣𝗿𝗼𝘃𝗶𝗱𝗲𝗿𝘀 (𝗖𝗧𝗣𝗣𝘀) from 2026, following their 2025 designation. Measures include direct engagement on governance, thematic contract reviews, and 𝗼𝗻𝘀𝗶𝘁𝗲 𝗶𝗻𝘀𝗽𝗲𝗰𝘁𝗶𝗼𝗻𝘀 𝗼𝗳 𝗵𝗶𝗴𝗵-𝗿𝗶𝘀𝗸 𝗮𝗿𝗲𝗮𝘀, with recommendations passed to financial entities. Supervisors will assess institutions’ 𝗜𝗖𝗧 𝘁𝗵𝗶𝗿𝗱-𝗽𝗮𝗿𝘁𝘆 𝗿𝗶𝘀𝗸 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁, 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗲, 𝗮𝗻𝗱 𝗰𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗽𝗿𝗲𝗽𝗮𝗿𝗲𝗱𝗻𝗲𝘀𝘀, 𝗶𝗻𝗰𝗹𝘂𝗱𝗶𝗻𝗴 𝗹𝗲𝗴𝗮𝗰𝘆 𝘀𝘆𝘀𝘁𝗲𝗺 𝗿𝗶𝘀𝗸𝘀. The EBA will analyze major ICT incidents, contribute to a pan-European coordination framework for systemic events, collect new datasets via EUCLID, and support supervisory convergence to ensure 𝗰𝗼𝗻𝘀𝗶𝘀𝘁𝗲𝗻𝘁 𝗗𝗢𝗥𝗔 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝗮𝗰𝗿𝗼𝘀𝘀 𝘁𝗵𝗲 𝗘𝗨.

This publication presents recommendations for integrating cybersecurity incident response into risk management, using the 𝗡𝗜𝗦𝗧 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 (𝗖𝗦𝗙) 𝟮.𝟬 as a reference model. It defines a life-cycle based on the six CSF functions (𝗚𝗼𝘃𝗲𝗿𝗻, 𝗜𝗱𝗲𝗻𝘁𝗶𝗳𝘆, 𝗣𝗿𝗼𝘁𝗲𝗰𝘁, 𝗗𝗲𝘁𝗲𝗰𝘁, 𝗥𝗲𝘀𝗽𝗼𝗻𝗱, 𝗥𝗲𝗰𝗼𝘃𝗲𝗿), outlines roles and responsibilities, and provides a “Community Profile” mapping priorities, recommendations, and considerations for incident response. The document also emphasizes continuous improvement, customizing guidance to organizational context, and leveraging other NIST and external resources.

The EU Cyber Resilience Act (CRA) establishes cybersecurity standards for connected digital products across the EU. The act aims to enhance transparency and reduce vulnerabilities through risk-based assessments and a CE (Conformité Européenne) marking scheme. While the CRA is seen as a crucial step to address systemic digital risks and regulatory gaps, this analysis suggests it is premature and underdeveloped. The paper raises concerns about the feasibility of its implementation, particularly for small and medium-sized enterprises (SMEs), and highlights challenges with standardized norms and third-party assessment frameworks. The CRA's success, the paper concludes, will depend on its adaptability and sensitivity to economic realities, suggesting it could otherwise hinder innovation.

There is an increasing AI use in insurance—50% in non-life, 24% in life. To address emerging risks, undertakings must clarify supervisory responsibilities, maintain full accountability, and implement proportionate governance. Risk managers should conduct impact-based assessments, emphasizing data sensitivity, consumer impact, and financial exposure. Strong governance includes fairness, data quality, transparency, cybersecurity, and human oversight. Oversight extends to third-party providers, with contractual safeguards required. AI systems must align with existing frameworks like ERM and POG, ensuring traceability, explainability, and resilience throughout their lifecycle. Supervisory convergence across the sector remains a key regulatory goal.

The paper 𝙏𝙝𝙚 𝙍𝙚𝙜𝙪𝙡𝙖𝙩𝙞𝙤𝙣 𝙤𝙛 𝘿𝙖𝙩𝙖 𝙋𝙧𝙞𝙫𝙖𝙘𝙮 𝙖𝙣𝙙 𝘾𝙮𝙗𝙚𝙧𝙨𝙚𝙘𝙪𝙧𝙞𝙩𝙮 by Jasmin Gider (Tilburg University - Tilburg University School of Economics and Management), Luc Renneboog (Tilburg University - Department of Finance), and Tal Strauss (European Central Bank ECB) compares and contrasts the regulatory landscapes of data privacy and cybersecurity in the EU and the US. It outlines the fragmented nature of US regulations, often relying on state-specific laws and sectoral approaches, in contrast to the EU's more unified framework like 𝗚𝗗𝗣𝗥 and 𝗡𝗜𝗦 Directives. The text details the increasing costs and frequency of cyber incidents, emphasizing the insufficient mandatory disclosure requirements in both regions. Furthermore, it identifies gaps in current legislation and ongoing efforts, such as the 𝗘𝗨'𝘀 𝗖𝘆𝗯𝗲𝗿 𝗥𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝗰𝗲 𝗔𝗰𝘁 and the US.'s 𝗖𝗜𝗥𝗖𝗜𝗔, to enhance 𝗱𝗶𝗴𝗶𝘁𝗮𝗹 𝗿𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝗰𝗲 and address underinvestment in 𝗰𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆.