Three Principles for Mitigating Cyber Risk

Delivering a presentation on cybersecurity Wednesday morning at the SIA Expo 2014 in Milan, Voormeulen, who is also division director of cash and payment systems at De Nederlandsche Bank, noted that teams in the Netherlands have achieved success against fraudsters by implementing a geoblocking system on cards issued in the country. This system means that payments and cash withdrawals cannot be made outside of Europe on a payment card issued in the Netherlands unless the user has specifically allowed this via their online banking portal.

While many market infrastructures may view cybersecurity as part of an overall operational risk management prism, cyber should be viewed differently as it can move much faster, Voormeulen said. He noted that specific prescriptions can become out-of-date very quickly due to this pace of change, and that more general principles and frameworks are required. Specifically, he focussed on principles of governance, scope and range.


Starting with the principle of governance, Voormeulen stressed that cybersecurity is much more than an IT issue, and that all staff need to be engaged with the programme. Having a good cyberculture within an organisation requires training, awareness and an open environment where staff feel comfortable bringing forward any concerns they have. Voormeulen commented that when an organisation is designing new processes, it is vital to ask whether the process makes your company more or less cyber secure. If the answer is less, you have time to work on a fix before the process goes live.

Voormeulen also made the point that communication is vital in the digital payments space. He stressed that cybersecurity should not be a competitive issue, and that it is important for all stakeholders in the industry to work together for common solutions.


Cybersecurity threats have a considerable scope. Voormeulen listed issues including the following:

  • Confidentiality – where files are stolen
  • Availability – if your service suffers a DDoS attack
  • Integrity – where outside elements are able to manipulate your internal data

Voormeulen said that, while all of these issues could be classified as cybersecurity issues, each is quite distinct from the others and may well require a different approach to tackle the problems it raises.


Voormeulen was clear that organisations need a range of measures to cover prevention, detection and recovery issues in the wake of cybersecurity threats. While he acknowledged that a clear prevention strategy is crucial, organisations also need to be prepared to implement proactive detection processes and have a clear recovery plan in place.

Adhering to the principles of governance, scope and range should form part of an integrated approach to tackling cybersecurity threats. Voormeulen commented that even if every market infrastructure had a clear cybersecurity strategy, that would not be enough, and rather a sector-wide approach is required, bringing on board other market infrastructures, regulators, critical service providers and customers. In addition, he closed by saying that the issues of cybersecurity need to be on the desk of top management within organisations, again highlighting that this is not purely an IT issue.

