Existing gaps in the current structure and recent efforts for a better regulatory framework are not enough to strengthen operational resilience in the financial services sector against cyber attacks and make the EU ready for the digital future.
Just this morning the German regulator BaFin, together with the German Federal Cyber Security Authority (BSI), published a report on cybersecurity.
It is full of insights focusing on the various elements of cybercrime and the threat it poses for banks, insurance companies and other financial institutions.
In Germany alone the damage done by such activity to the economy has doubled over the past two years, reaching a staggering 100 billion euros and more. When cybercriminals attack the IT systems of these organisations, nothing less than earnings in the millions of dollars, painful disruption of work in financial companies and, eventually, the trust of customers is at stake, BaFin’s head writes, and unfortunately these incidents have become so commonplace that you cannot but agree with the urgency he expresses.
It’s a very readable document, its only flaw being that, for now, it’s only available in German. It portrays the status quo in Germany and the four main types of cyber threats: ransomware, identity theft, bot networks and malware.
Little of this may be news to the industry observer, but the report then moves on to the regulatory framework for cybersecurity in Germany and, more interestingly, in the EU. Interesting, because it documents the gaps in the existing framework and highlights the need to address these shortcomings. Yes, the European Commission is focusing on the subject, and it plays an important role in the Commission’s ongoing work on its FinTech Action Plan towards a more competitive and innovative European financial sector. Its initiative to improve resilience against cyberattacks in financial services identified the need to update EU rules to ensure that financial-sector ICT systems can withstand security threats and that third-party ICT providers are monitored. As a result, the Commission is considering amending existing rules, particularly the Network and Information Security (NIS) Directive, as well as introducing a new law on digital operational resilience for financial services.
At the same time, it is currently running a consultation on a new digital finance strategy for Europe / FinTech action plan, which ends on 26 June and which will contribute to the EU’s five-year plan for a digital strategy.
It is a lot of effort, but it doesn’t occur without reason. Other regulators are busy working on strengthening operational resilience in the financial services sector, among them the Bank of England (the Bank), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), which recently published a shared policy summary and co-ordinated consultation papers (CPs) in order to introduce new rules. And the German report, too, highlights the gaps in the current framework. Using the example of the European insurance sector, the European Supervisory Authorities (ESAs) themselves delivered a damning verdict in a recent opinion: 22 out of 28 EEA member states had laws and/or information security requirements that differed significantly, visible simply from the varying legally binding nature of the published requirements and the format they come in, spanning a spectrum of laws, circulars, guidelines or mixed forms.
At the end of last year, the EBA published guidelines on ICT and security risk management, which identified several areas that need to be addressed urgently. Like the joint report, they stressed the overall responsibility of management to secure sufficient resources and budget to comply with the requirements for information security, as well as to take into account the importance of governance, corporate strategy, overall risk management, outsourcing and audit within the respective companies.
But it does not end there. The increasing outsourcing and use of cloud services is an equally strategic element. With the EBA’s Guidelines on Outsourcing arrangements, which came into force on 30 September 2019, the regulator provided a clear vision of what it was expecting from financial firms. Still, it is evident that the rules in this field need to become simpler and more efficient.
It is a similar conclusion BaFin and BSI come to in today’s report: for all actors – the EU Commission, the European supervisory authorities and BaFin as the national financial supervisory authority – harmonization and convergence of supervisory requirements for information security and cloud computing at national and European level is of great importance. As such, the report recognizes the efforts already undertaken. At the same time, it underlines that the ever-increasing importance of digital operational resilience comes with an associated need for harmonization and regulation, and that more is to be done in a European context.