The agreement focuses on dissemination and raising awareness to consolidate a culture of cybersecurity among users, in conjunction with the associated banking institutions

The Spanish National Cybersecurity Institute (INCIBE), an entity reporting to the Ministry for Digital Transformation and the Civil Service, through the Secretary of State for Digitalisation and Artificial Intelligence, and CECA (a banking association comprising CaixaBank, Kutxabank and Cajasur Banco, ABANCA, Unicaja, Ibercaja Banco, Caixa Ontinyent, Colonya Pollença and Cecabank), have signed a collaboration agreement to reinforce the cybersecurity and cyber resilience of the financial sector, in particular private operators, to encourage the disclosure of potential threats and cyber-attacks that jeopardise their critical operations and availability.

Thus, over the next four years, INCIBE will provide the necessary tools to perform various situational analyses of the sector in terms of cybersecurity and will participate in the design and implementation of new initiatives. In turn, CECA will spearhead initiatives to disseminate and educate on cybersecurity and, in cooperation with INCIBE, will promote actions to foster best practices in cybersecurity among its member entities.

To date, a total of approximately 30 financial institutions, including banks and insurance companies, have signed confidentiality agreements to receive the services provided by INCIBE-CERT, which include the following: assistance and support in incident management and response; surveillance and monitoring of their assets; participation in cyber exercises to train their cybersecurity capabilities; and the measurement and improvement of cyber resilience. These institutions include BBVA, Grupo Santander, Redsys, Iberpay, Bolsas y Mercados Españoles (BME), Bankinter, CaixaBank, Banco Sabadell, Cecabank, Bank of Spain, ABANCA, Mapfre and AXA, among others.

INCIBE-CERT's steadfast commitment to the financial sector

INCIBE is currently engaged in active discussions, exchanging proposals and establishing working groups with various associations in the financial sector, with the aim of entering into collaboration and cooperation agreements with other associations such as the Interbank Cooperation Centre (CCI), the Spanish Banking Association (AEB) and UNESPA. In addition, INCIBE-CERT is participating in sector events and congresses to showcase the services it provides, such as the webspace dedicated to the financial sector, where specific content is provided (general warnings, ICS alerts, risk analysis, news and articles) adapted to the needs of the critical sectors of the NIS2 Directive.

Within the context of the European Union's Digital Operational Resilience Act (DORA), enacted to help strengthen cybersecurity in the financial sector, INCIBE-CERT is one of the incident response teams of reference that, in coordination with other national and international teams, acts as a point of support to ensure an effective and efficient response to cyber incidents that may affect the integrity of the financial system.

Under DORA, financial institutions are obliged to report any relevant incidents to the Competent Supervisory Authority (CSA) within the stipulated time limits. INCIBE, as a benchmark CSIRT for private entities, is in direct contact with the Supervisory and Control Authorities, such as the Bank of Spain, the Spanish National Securities Market Commission, and the Directorate-General for Insurance and Pension Funds, with the establishment of a cyber incident management procedure for the financial sector.

CyberEx España

Since 2012, INCIBE-CERT has acted as coordinator in the implementation of CyberEx España. This is an event consisting of three different exercises, the purpose of which is to train an entity's capacity to respond to circumstances that could arise in actual situations.

It is worth highlighting the involvement of the financial institutions that have participated in some of the eight cyber exercises organised by INCIBE-CERT, where they were able to train and obtain a practical assessment of their capacity to respond to situations that could arise in the event of a cybersecurity incident.

For example, the 2016 edition of CyberEx España focused on the financial sector (banking and insurance) and the exercise consisted of tests customised to the type of incidents inherent to the sector.

In addition, since 2015, INCIBE has been developing the Cyber Resilience Improvement Indicators model in financial institutions. In its eight editions, a number of financial institutions have participated, which have undergone a diagnostic test and measurement of their capacity to withstand and overcome digital disasters and disruptions.

These services are complemented by a specific section for the public, with material available to users of financial institutions to combat on-line fraud and social engineering, and by the Cybersecurity Helpline to deal with any cybersecurity problems encountered by the public and companies that may be affected by cases of on-line fraud.

Cybersecurity, a shared responsibility between the bank and the customer

According to the first survey on 'Cybersecurity and digital channel usage habits', published by CECA in February 2024, banks are the institutions that Spaniards trust the most when faced with cyber-attacks. Some 84% of Spaniards say they feel safe when banking on-line, making banks the institutions that inspire the most confidence among users, followed by public administrations.

In recent years, banks' digital channels have established themselves as a very useful tool for the day-to-day operations of their customers. In addition, the study reveals that Spaniards perceive cyber-attacks as a growing danger. Among the main causes of the rise in the number of cyber-attack victims is the lack of training of users of digital channels, with six out of ten respondents acknowledging that they have limited knowledge of cybersecurity, and this is more pronounced among the over-65s.

Faced with this situation, banks are committed to creating and disseminating content with the firm intention of promoting, encouraging and offering their customers the necessary tools to reduce their exposure to on-line fraud. Thus, 85% of respondents acknowledge receiving this type of communication from their bank, but despite these efforts, only 54% say that they pay any attention to it.

In April, four associations from the financial sector (AEB, CECA, Unacc, ASNEF), in conjunction with INCIBE, the Civil Guard and the National Police, presented 'Protect yourself, avoiding fraud is in your hands', a plan to prevent cyber scams and promote the digital security of citizens. The campaign, based on videos, audio and brochures with tips to help people operate safely and take action when faced with a cyber scam, was disseminated through the media and social networks, as well as in offices and branches of financial institutions.

CECA promotes financial education for better protection in the digital age

Financial education is a top priority for the CECA sector, which views it as an important lever for improving people's lives, especially the lives of society’s most vulnerable groups. Today, more than ever, there is a need to improve the financial literacy and digital skills of society so that people can make sound financial decisions and not only navigate the digital environment proficiently, but also do so safely. In this area, cybersecurity training is particularly important in view of the widespread increase in cyber scams in recent times.

For this reason, the financial sector engages in extensive efforts to raise customer awareness through training programmes focusing on cybersecurity and targeting different segments of the population, constant communications to customers to alert them to the latest fraud mechanisms detected, and practical advice on how to avoid, to the extent possible, cyber scams.