Outdated browser

You are using an outdated browser. DNB.nl works best with:

Confessions of a central bank cyber director


At a conference on cyber security for Chief Information Security Officers from Belgium and the Netherlands, Nicole Stolk stated that only together – financial institutions, central banks and supervisors – we can preserve people’s trust in the financial system, preserve financial stability and keep people’s data and money safe from cyberattacks.

Published: 26 October 2023

Nicole Stolk

Date: 26 October 2023
Speaker: Nicole Stolk
Location: CISO conference – organised by DNB and NBB

Hello everyone.

I was raised catholic, so let me start with a confession.

Seven years ago, I started working at the DNB, the Dutch Central Bank, and asked for my CISO. But there was no CISO. Your job title, the one of Chief Information Security Officer, was nowhere to be found in the personnel register of De Nederlandsche Bank.

Seven years ago, apparently, the threat of cyberattacks was not looming large enough for us, as a central bank and supervisor, to have a CISO.

But maybe because I was considered a cyber risk, I was able to hire our first CISO.

And I haven’t regretted that decision for one second. Because, and here’s another confession, our CISO got on board not a single day too late.

This was in 2017. And according to ENISA, the European Union Agency for Cybersecurity, 2018 marked a turning point in the cyber threat landscape (note 1). Cyber-criminals and state-sponsored actors changed their motives and tactics – and from then on, anyone could become a target. From key financial institutions to small third-party service providers. From government organisations to private companies. From boardroom directors to coffee corner colleagues.

A mere year later, we were hit by a global pandemic. This was an immense impetus to go digital. And with almost our entire workforce working remote, we needed to ramp up our security measures accordingly.

And then Russia invaded Ukraine. An atrocity with great human losses and suffering. One that also severely strained international relations. And as a consequence, added to the already expanding cyber threat landscape.

And more recently, we also witnessed atrocities happening in the Middle East. Again, straining international relations. Currently, the impact on cyber security is still difficult to estimate.

So, a lot happened over the past seven years. And the demands on people in your positions have only increased: you have to deal with all sorts of threats, through all sorts of technological innovations, and through all sorts of channels. And you need to get your entire organisation to follow your lead.

Each of you has this obligation – both to your own organisation, but in a larger context, also to society. Because, whether we like it or not, all of you, all of us, are connected.

In being connected lies great risk. For sure. But there is also great strength in being connected. Because being connected means that we can join forces and fight cyber threats together.

And that is precisely what has brought us here today.

All of you have participated in TIBER tests. Either in Belgium or in the Netherlands. So all of you are familiar with what TIBER is and what it offers: a sort of cyber compass pointing at potential cyber weaknesses, and thus helping to answer questions like: are you investing the right amount of resources, at the right time, and in the right place to properly protect your data and assets? In other words, are you doing the right things to ensure business continuity for your customers and, more broadly, for society as a whole?

TIBER was developed by DNB in 2016. And the NBB soon came on board and developed a TIBER guide for Belgium.

Today, fourteen EU countries are using TIBER. The Dutch will always be Dutch, right? We can’t help but promote our products abroad, even when it comes to cyber tests.

Anyway – from the start, TIBER tests have been designed to be as realistic as possible. Even when reality itself became more and more strained. 

From day one, TIBER has served as a compass for individual institutions, but it has also created a community. A community of central banks; a community of financial institutions, pension administrators and insurance companies; and a community that, today, is hearing my confessions.

So let me add another one: I hope that these communities, and in particular this community here today, continue to share experiences and lessons learned.

Because, over the years, we have learned that, even though everyone needs to fight their own cyber fight, being part of a community makes us better equipped to fight that fight.

And so, when I look at Belgium and the Netherlands, I see neighbouring countries with a similar mindset, close economic ties, and a fruitful relationship. Having a Dutch father and a Belgian mother, I myself am the result of such a relationship.

So I see two countries that I believe would both benefit if they were to share more best practices and lessons learned from TIBER tests. Because this would enable everyone to better understand the scale and scope of possible threats. And hence, we would all be better equipped to fend off these threats.

I fully understand that sharing this kind of information requires trust between all parties.

Having built a strong relationship of trust over the years, DNB and the NBB could facilitate a safe and trusted environment for sharing information, and thus contribute to closer cooperation between the two communities.

As I said, a lot has happened in the past seven years. One of the latest developments on DNB’s end, is our cyber strategy.

In this strategy, we have combined our insights from these past seven years. It describes how and why we look at cyber risks at financial institutions, and the cyber risks we ourselves face; how and why we use tests, like TIBER, to strengthen cyber resilience across the financial sector; and how and why we encourage the sharing of experiences and lessons learned – between central banks and supervisors, between financial institutions, and between the two groups. 

Our cyber strategy aims to increase the cyber resilience of the entire financial sector, thereby strengthening the public’s trust in the financial system.

Looking forward, there is no way of knowing what the next seven years will bring. I don’t know how cyber threats will evolve. I don’t know how cyber resilient all of us will prove to be. And I don’t know if I will still be seen as a cyber risk.

There are many things I don’t know, but here’s a final confession: I believe that no single one of you, no single one of us, NBB or DNB, will be able to preserve people’s trust in the financial system. That no single one of us will be able to preserve financial stability. That no single one of us will be able to keep people’s data and money safe from cyberattacks. I believe that no single one of us will be able to this… on their own.

Together, however – financial institutions, central banks and supervisors, from Belgium or the Netherlands – together we stand strong for whatever the future holds.

Thank you.

Note 1: ENISA Threat Landscape Report 2018 — ENISA (europa.eu)

Discover related articles