The Implications of Cybersecurity for Financial Services Compliance


Cybersecurity is an increasingly important topic, and the level and volume of sophisticated attacks grow every year, with damages from cybercrime expected to cost the world $6 trillion by 2021. Reason enough for financial institutions to take it seriously and assign the necessary resources to tackle the problem. The following article gives an overview of the implications of cybersecurity for financial services compliance and describes what banks need to focus on.

Last month the governor of New York and its top banking regulator, the New York State Department of Financial Services, announced a proposed cybersecurity regulation. The new rules would require banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. Financial institutions under the jurisdiction of the State, i.e. everyone on Wall Street, will be required to adopt a written cybersecurity policy, designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing the new program and policy, and introduce policies and procedures designed to ensure the security of information systems.

It’s only the latest in a string of examples of regulators increasing their focus on cyber risks and controls. In May this year the British government urged businesses to better protect themselves from cyber criminals after research had found that two thirds of large UK businesses had been hit by a cyber breach or attack in the past year. Other interesting insights from this report were that only a third of the UK’s top 350 businesses understand the threat of a cyber attack; only a fifth of businesses have a clear view of the dangers of sharing information with third parties; and many firms are, however, getting better at managing cyber risks, with almost two thirds now setting out their approach to cyber security in their annual report. As a result the government launched its new National Cyber Security Strategy, which sets out decisive action to protect the UK economy and the privacy of British citizens while encouraging industry to up its game to prevent damaging cyber-attacks, and committed £1.9 billion in investments.

Last year, the Joint Committee of the European Supervisory Authorities (ESAs) published its fifth Report on Risks and Vulnerabilities in the EU Financial System, with a strong focus on cybersecurity. The report came to the conclusion that over the six-month review period in 2015 the risks affecting the EU financial system had not changed in substance but had further intensified. Accordingly, the subject has also moved up the agenda for European regulators. While the EU had taken a first step with its Directive on the protection of personal data in the electronic communications sector, known as the ePrivacy Directive, other legislative initiatives like the General Data Protection Regulation (GDPR) or EU Directive 2013/40 on attacks against information systems (replacing the earlier Council Framework Decision) aim to further strengthen its rules in this respect.


However, it is not just new regulation that needs to be introduced, as the FCA’s Director of Specialist Supervision, Nausicaa Delfas, pointed out in a recent speech. Existing regulation must be leveraged better and in many cases simply needs to be harmonised rather than supplemented with new rules. Collaboration and information exchange are also aspects that should be improved, which is something a report by IOSCO, the International Organization of Securities Commissions, picked up on earlier this year.

IOSCO highlighted that cyber risk is a highly complex and rapidly evolving phenomenon. And the human element of cyber risk, combined with rapidly evolving technologies, gives it some unique characteristics: as organizations upgrade their defenses, criminals continuously develop new and more complex approaches. Ultimately, in a highly interconnected and interdependent financial ecosystem, cyber attacks may have systemic implications for the entire financial system, and also affect over time the trust on which financial markets are built. For these and other reasons, regulators, market participants, and other stakeholders must work together to enhance cyber security in securities markets.

The report also outlined some current cyber security practices adopted by securities market participants, as well as emerging trends and approaches in cyber security, which Nausicaa Delfas touched upon in her speech, too. Not limiting herself to explaining how regulators need to respond to the growing threat, she described what the regulator expects from financial institutions in respect of a “security culture” driven from the top, i.e. the Board, to senior management, down to every employee:

  • Create good governance around cyber security in their firms and effective challenge at the Board;
  • Identify their key assets and ensure that the protections around them are appropriate, including personnel security, e.g. how well trained staff are to recognise phishing emails, how good the security screening of staff is, and how often defences are tested;
  • Establish adequate detection capabilities, i.e. how well do you know whether you have been attacked or not; and
  • Focus on recovery and response, i.e. firms should have systems and controls to ensure they can carry on in the event of an unforeseen interruption, and to be able to recover from interruptions, preserving essential data.

The last bullet point in particular, business continuity, is a main aspect raised by almost all regulators, and banks therefore need to consider what happens in the case of a cyber attack: will the organisation be able to continue to function in case of, for instance, a major breach of IT security, and how?

And lastly, a point that we haven’t stressed yet but that is under particular scrutiny since it is often the weakest link in the chain and the furthest removed from the control and influence of a financial institution: third party relationships. For most banks one of the key risks lies in managing the risk stemming from collaboration with their vendors, so it is important that vendors are appropriately included in all security considerations and involved in the process to achieve the best results.