Centenial Celebration

Transaction Search Form: please type in any of the fields below.

Date: November 25, 2024 Mon

Time: 8:03 pm

Results for retail banking

1 results found

Author: Parlour, Richard

Title: Cybersecurity in Finance: Getting the Policy Mix Right!

Summary: Executive Summary Amid several large cyberattacks in 2017, the European Commission adopted in September 2017 its multi-sector cybersecurity package. Whereas this initiative should contribute to strengthening the cyber-resilience and response of EU financial firms, several policy issues and unanswered questions remain. In order to analyse the issues that are considered to be relevant to financial fields (retail banking, corporate banking, capital markets, financial infrastructure and insurance), CEPS-ECRI organised a Task Force between September 2017 and May 2018 with a group of experts from the financial industry, tech industry, national supervisors and European institutions, as well from one consumer association and one law firm. Nine more policy issues need to be further addressed in order to bolster the financial industry’s cyber-resilience against current and future threats. These issues are itemised below, followed by a more in-depth discussion of each issue. Main policy recommendations 1. Convergence in the taxonomies of cyber-incidents is needed. 2. The framework for incident reporting needs to be significantly improved to fully contribute to the cyber-resilience of financial firms. 3. Authorities should assess how and to what extent the data held by the centralised hub should be shared with supervisors, firms and clients. 4. Ambitious policies are needed to develop consistent, reliable and exploitable statistics on cyber-trends. 5. Best practices for cyber-hygiene should be continuously enhanced by regulators and supervisors. 6. The European Cybersecurity Certification Scheme needs to be strengthened to contribute better to cybersecurity, cyber-risk management and capability. 7. In order to improve the processes of attribution and extradition, the reinforcement of cross-border cooperation and legal convergence remains a priority, both within the EU and more widely. 8. Best practices in remedies in case of cyberattacks need to be further encouraged. 9. Policy-makers should further assess the pros, cons and feasibility of creating an emergency fund in case of large cyberattacks. 1. A common taxonomy for cyber-incidents A common taxonomy across regulations, jurisdictions and sectors should ease the understanding of multi-country and multi-sector cyberattacks, and eventually strengthen the quality of responses. Given the ever-changing nature of cyberspace, the reference taxonomyshould be flexible enough to be revised on a regular basis. Also, for better readability by CSIRTs, this common taxonomy should include specific sections on the variants applicable to different sectors, if relevant. Wherever possible, convergence in templates for incident reporting is needed across legislation. However, given the diversity in the purposes of legislation, full harmonisation in those templates remains challenging. 2. Need to develop an efficient legislative and institutional framework for incident reporting The emergence of different reporting requirements (notably in GDPR, PSD2, NIS Directive, ECB/SSM, eIDAS regulation and Target 2) raises questions about what is the most adequate cyber-incident framework for boosting the cyber-resilience of financial firms. For that purpose, regulators, supervisors and financial firms need to address five issues. First, national templates for the NIS Directive and the GDPR should be harmonised across the EU. Secondly, large firms active in different countries need to develop adequate consolidation processes of the “overall cyber-risk” at group level. Thirdly, authorities should be able to exploit the content of incident reporting to inform and advise CSIRTs in return. For that purpose, policymakers and firms should assess together the risks and opportunities of developing a system of standard messaging services. Fourthly, the creation of a European sectoral hub for finance in charge of centralising all incident reports, dispatching the right information to stakeholders and advising both authorities and CSIRTs could greatly reinforce the incident reporting framework. Finally, in order to create a resilient cybersecurity framework that could efficiently handle multi-sectoral cyberattacks and prevent contagion from one sector to another, the hub should also be able to cover all the other sectors of the EU economy. 3. Sharing of the data held by the centralised hub with supervisors, firms and clients Authorities should encourage the set-up of platforms aimed at facilitating the voluntary exchange of cyber-information between financial firms. In parallel, authorities should ensure that incident reporting requirements fully contribute to the cyber-resilience of financial firms. For that purpose, when deemed pertinent, the information contained in incident reporting should be quickly shared with the most relevant stakeholders. First, the centralised hub in charge of incident reporting should quickly provide relevant supervisors with the right information on cyberattacks. Secondly, the hub also needs to share relevant information with financial firms, provided that the right balance is found between building up an efficient collective response to cyberattacks and safeguarding firms’ interests. To provide technical assistance to those firms, the hub would need a clear mandate from regulators. Sharing some information with firms’ potential clients through the development of cyberratings that mirror the cyber-risk to which each supplier, and therefore their potential clients, is exposed should be based on market rather than regulatory initiatives. Whatever policy options are selected, tight security of the data managed by the centralised hub should be considered one of the main priorities. 4. The need to build a benchmark for macro statistics The absence of a benchmark for macro statistics on cyber-trends and the poor consistency across sources raise the risk that the cyber-strategies of firms and cyber-policies are not wellfounded. If a centralised framework is developed for incident reporting, robust and relevant macro statistics could be developed at national and European level. Specifically, the creation of robust statistics on the financial impact of cyberattacks is necessary to better understand the overall impact of attacks and to adjust cyber-policies and strategies as needed. However, the complexity of measuring the financial impact at firm level has made it so far impossible to have consistent methodologies across organisations. A principle-based list should operate at EU level, with the aim of enhancing best practices to measure both “tangible” and "intangible” factors. Convergence should be achieved provided that collaboration is improved between cyber-authorities, CSIRTs, chief financial officers and chief financial officers of organisations, authorities in charge of setting accountancy norms, etc. 5. Promoting cyber-hygiene Authorities should continue to enhance best practices in terms of cyber-hygiene. Principle-based lists should be updated on a regular basis. At present they should for example include conducting adequate education and awareness activities, updating programs regularly and patching systems, creating complex passwords and changing them frequently, using microsegmentation, multifactor authentication and encryption of sensitive data, implementing the least privilege principle, developing an adequate strategy to handle shadow IT and establishing an incident response and reporting plan. 6. The European Cybersecurity Certification Scheme needs to be strengthened to contribute to improve cybersecurity Given the rising importance of digital technologies and their vulnerability to cyberattacks, authorities need to address persistent information asymmetries and the fragmentation of standards in national certifications. A European Cybersecurity Certification Scheme could be a powerful tool for reinforcing harmonisation, raising awareness and ensuring mutual recognition. Yet the current Commission’s proposal might lack practical operability and add unnecessary complexity. As the scheme’s success depends on the voluntary participation of the private sector, it is imperative that its value added exceeds its costs. With too many issues left unclear, the current European Cybersecurity Certification Scheme needs to be strengthened to have a clear positive impact on cybersecurity. 7. Reinforcing cross-border cooperation and legal convergence in order to improve the processes of attribution and criminalisation Authorities need to develop further a cross-border framework that facilitates the exchange of information and electronic evidence for the purpose of prevention, investigation and attribution of cross-border cybercrimes. When the cyber-criminals behind cross-border attacks are identified, there is a need for convergence in relevant national legal frameworks in order to facilitate their extradition. 8. Enhancing best practices in remedies after cyberattacks Best practices in remedies in case of cyberattacks need to be encouraged by EU and national supervisors through the creation of core principles. These principles should cover the use of robust methodologies to assess the degree to which firms and/or clients share the cyberliability. They should also help firms assess when consumer financial compensation that goes beyond the actual financial loss incurred should be provided. Finally, these principles should also provide guidelines on the best type of remedies in case of data theft without immediate financial loss. 9. Assessing the pros, cons and feasibility of creating an emergency fund in case of large cyberattacks Authorities should assess further the pros, cons and feasibility of developing an emergency cyber-fund aimed at alleviating the risk of financial instability in case of major cyberattacks in the financial industry. Should the EU proceed in that direction, criteria for a cyber-incident to qualify and necessary conditions for the fund to be used will have to be well defined in advance. The benefits and costs of the different options available to create such a fund should be carefully analysed. In particular, could existing EU funding schemes for natural disasters be extended to large-scale cyberattacks? Who should bear the costs? Would it preferable to design a fund specifically for the financial sector? Or would it make more sense to create a fund that covers all operators of essential services, as defined in the NIS Directive?

Details: Brussels, Belgium: Centre for European Policy Studies, 2018. 52p.

Source: Internet Resource: Accessed January 14, 2019 at: https://www.ceps.eu/publications/cybersecurity-finance-getting-policy-mix-right

Year: 2018

Country: International

URL: https://www.ceps.eu/system/files/TFRCybersecurityFinance.pdf

Shelf Number: 154159

Keywords:
Corporate Banking
Cyber-Attacks
Cyber-Hygiene
Cyber-Resilience
Cyber-Risk Management
Cyber-Trends
Cybersecurity
European Cybersecurity Certification Scheme
Financial Industry
Retail Banking