INCIBE and CECA Sign a Collaboration Agreement to Promote Cybersecurity in the Financial Sector

The agreement focuses on dissemination and awareness to consolidate a culture of cybersecurity among users alongside the associated banking entities.

The National Cybersecurity Institute (INCIBE), an entity dependent on the Ministry for Digital Transformation and Public Function through the Secretary of State for Digitalization and Artificial Intelligence, and CECA (a banking association made up of CaixaBank, Kutxabank and Cajasur Banco, ABANCA, Unicaja, Ibercaja Banco, Caixa Ontinyent, Colonya Pollença, and Cecabank) have signed a collaboration agreement to strengthen cybersecurity and cyber resilience in the financial sector, specifically among private operators. The agreement promotes the dissemination of information about potential threats and cyberattacks that jeopardize essential operations and availability.

Thus, over the next four years, INCIBE will provide the necessary tools to carry out various situational analyses of the sector in terms of cybersecurity and will participate in the design and implementation of new initiatives. For its part, CECA will lead dissemination and education initiatives in cybersecurity and will promote, in cooperation with INCIBE, actions to encourage best practices in cybersecurity among its associated entities.

To date, approximately 30 financial entities, including banks and insurers, have signed confidentiality agreements to receive the services provided by INCIBE-CERT, which include: assistance and support in incident management and response; monitoring and surveillance of their assets; participation in cyber exercises for training their cybersecurity capabilities; and measurement and improvement of cyber resilience. These include BBVA, Grupo Santander, Redsys, Iberpay, Spanish Stock Exchanges and Markets (BME), Bankinter, CaixaBank, Banco Sabadell, Cecabank, Bank of Spain (BdE), ABANCA, Mapfre, and AXA, among others.

A Firm Commitment to the Financial Sector from INCIBE-CERT

Currently, INCIBE is engaging in active discussions, exchanging proposals, and forming working groups with various associations in the financial sector to establish collaboration agreements and cooperation pacts with other associations such as the Interbank Cooperation Center (CCI), the Spanish Banking Association (AEB), and UNESPA. Additionally, it is participating in relevant sector events and conferences to raise awareness of the services provided by INCIBE-CERT, such as the dedicated web space for the financial sector, where specific content—general alerts, SCI alerts, risk analyses, news, and articles—tailored to the needs of the critical sectors of the NIS2 Directive is available.

In the context of the EU Regulation on Digital Operational Resilience (DORA), created to help strengthen cybersecurity in the financial sector, INCIBE-CERT is one of the reference incident response teams that, in coordination with other national and international teams, serves as a support point to ensure an effective and efficient response to cyber incidents that may affect the integrity of the financial system.

According to DORA, financial entities are required to report any relevant incidents to the Competent Supervisory Authority (ASC) within stipulated deadlines. INCIBE, as the reference CSIRT for private entities, maintains direct contact with Supervisory and Control Authorities, such as the Bank of Spain (BdE), the National Securities Market Commission (CNMV), and the General Directorate of Insurance and Pension Funds (DGSFP), by establishing a cyber incident management procedure for the financial sector.

CyberEx Spain

Since 2012, INCIBE-CERT has acted as the coordinator for the execution of CyberEx Spain. This event comprises three different exercises designed to train an entity’s response capacity in potential real-life situations. It is worth noting the involvement of financial entities that have participated in one of the eight cyber exercises organized by INCIBE-CERT, where they have been able to practically train and assess their response capacity in circumstances they could face during a cybersecurity incident.

For instance, the 2016 edition of CyberEx Spain was developed with the financial sector (banking and insurance), and the exercise consisted of customized tests based on the types of incidents occurring in the sector itself. Furthermore, since 2015, INCIBE has been implementing the Indicators Model for Improving Cyber Resilience (IMC) in financial entities. In its eight editions, various financial entities have participated, receiving diagnosis and measurement of their ability to withstand and recover from disasters and disturbances in the digital realm.

Completing the services, there is a specific section in the Citizenship area with material available to users of financial entities for combating online fraud and social engineering, as well as the Cybersecurity Help Line to address any cybersecurity issues experienced by citizens and businesses that may be affected by cases of online fraud.

Cybersecurity: A Shared Responsibility Between the Bank and the Client

According to the first survey of “Cybersecurity and Digital Channel Usage Habits,” published by CECA in February 2024, banking entities are the institutions that Spaniards trust the most against cyberattacks. 84% of Spaniards report feeling safe when conducting their digital banking transactions, with these institutions instilling the most confidence in users, followed by public administrations.

In recent years, the digital channels of banking entities have solidified as an extremely useful tool for customers’ daily operations. Furthermore, the study reveals that Spaniards perceive cyberattacks as an increasing danger. Among the main causes of the rise in cyberattack victims is the lack of training among users of digital channels, with six out of ten respondents acknowledging limited knowledge of cybersecurity, a situation that is exacerbated among those over 65 years old.

In response to this situation, banking entities are dedicated to creating and disseminating content with the firm intention of empowering, encouraging, and providing their clients with the necessary tools to reduce their exposure to online fraud. Thus, 85% of respondents acknowledge receiving this type of communication from their banks, but—despite the efforts of the entities—only 54% claim to pay attention to it.

In April, four associations from the financial sector (CECA, AEB, Unacc, and ASNEF) along with INCIBE, the Civil Guard, and the National Police presented ‘Protect Yourself, Avoiding Fraud is in Your Hands,’ a plan to prevent cyber scams and promote the digital security of citizens. The campaign, based on videos, audio, and brochures with tips to help people operate securely and act in response to a cyber scam, has been disseminated through media and social networks, as well as in offices and branches of financial entities.

CECA Promotes Financial Education for Better Protection in the Digital Age

The CECA sector assigns absolute priority to financial education and considers it a significant lever for improving people’s lives, especially for the most vulnerable groups. Now more than ever, it is essential to enhance the financial knowledge and digital skills of society so that individuals can make sound financial decisions and navigate the digital environment with skill and security.

In this field, training in cybersecurity is particularly important amid the rising prevalence of cyber scams in recent times. For this reason, the financial sector is making substantial efforts to raise awareness among its clients through training programs focused on cybersecurity aimed at different segments of the population, constant communications to clients alerting them to the latest detected fraud mechanisms, and practical advice to minimize the risk of falling victim to cyber scams.