BBVA has been involved in the creation of Pinakes, the Interbank Cooperation Center (ICC) platform that simplifies the provider evaluation process in areas relating to cybersecurity. The aim of this platform is to offer the 124 financial institutions associated with the ICC, and the more than 400 providers that supply products and services to the financial sector, a new, efficient mechanism for ensuring their reliability and their compliance with the demanding banking sector regulations on managing technological risks.
Pinakes is a unique service in Europe in terms of the financial security offered by the ICC. Thanks to the platform, the Spanish financial ecosystem will benefit from greater transparency about the level of cybersecurity of the different actors involved and will therefore be more cyber-secure.
How is the business continuity and cybersecurity risk management of service providers assessed? How much time and effort do banks/companies dedicate to risk analysis and assessment? "The convergence of companies offering services to financial institutions was so high that creating a shared hub providing coverage to all of them was logical, as all institutions have the same obligation when it comes to supervising providers", asserted Juan Corredor, Head of the Data Culture, Awareness and Security Team at BBVA Spain.
As part of the provider cybersecurity supervision strategy, BBVA has promoted and collaborated with the Interbank Cooperation Center and the most important financial institutions in the country to create a model that offers a shared, homogenized vision of the level of cybersecurity offered by the bank's providers. This solution is offered on the Pinakes platform. "The difficulty does not lie just in the amount, but also the diversity of providers and services, ranging from consultancy firms and technology firms to ATM maintenance and card printing firms", continued Corredor. These companies will no longer have to be assessed on a one-by-one basis by each of the institutions they provide services to, "which requires significant time and effort", he added.
Thanks to Pinakes "we have an efficient mechanism for ensuring the reliability and continuity of the services provided and can satisfy the most demanding regulations in technology risk management, established by the European Banking Authority (EBA), which will not entail any additional cost for financial institutions, as it is offered as an additional service", explained Herminio del Campo, Managing Director of the ICC.
How Pinakes works
Pinakes uses a rating system similar to the one used by financial rating agencies like Moody's Investors Service or Standard and Poor's Corporation (S&P); in this case, however, it assesses the security of a given service, considering three main aspects: integrity, confidentiality and availability. These three concepts, the classic concepts of security, are each scored from D to A+. For example, the final rating might be CBA or ABA.
"Financial institutions need to understand the design and functioning of the controls defined by our service providers with a view to managing cybersecurity risks and business continuity; furthermore, service providers, thanks to this method that involves a single assessment, avoid repeated inspection processes performed by each separate institution. Pinakes is on hand to help both sides, with a series of approved audit firms, which evaluate the cybersecurity of the different services", stated Herminio del Campo.
Today, cybersecurity has become a decisive factor for large and medium-sized companies. However, it is clear that having their own protection measures in place is no longer enough. Rather, they need to understand the level of protection of the companies they collaborate with, to ensure the entire supply chain is adequately protected and security gaps are reduced to a minimum, and to offer a better service and greater security to customers.