BreachExchange mailing list archives

What New Cybersecurity Rules in Europe Mean for Financial Bodies


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Jan 2016 13:30:45 -0700

https://blogs.cfainstitute.org/marketintegrity/2016/01/05/what-new-cybersecurity-rules-in-europe-mean-for-financial-bodies/


Very few investment management professionals spend time thinking about
cybersecurity. It’s considered an issue that has little influence on
investors’ day-to-day work, and is a domain usually covered by chief
information officers. However, as we point out in a recent blog post,
cybersecurity matters to everyone working in finance.

In the European Union (EU), cybersecurity has gained more and more focus by
policymakers. To a large extent, European cybersecurity rules are covered
by the broad Digital Single Market (DSM) initiative. The European
Commission published its DSM Communication in May 2015. Just like the
Capital Markets Union initiative aims at further integrating European
financial services markets, the DSM is a broad umbrella framework that aims
at deepening European cloud computing services and digitalisation markets
through various initiatives. The Commission notes that the creation of a
single digital market in the EU could contribute €415 billion per year to
the European economy and create hundreds of thousands of new jobs.

New Cybersecurity Legislation

In February 2013, the European Commission published its EU-wide
Cybersecurity Strategy. It proposed 14 actions to improve cybersecurity in
the EU. The key proposal was for a Directive for a high common level of
network and information security (NIS) across the Union. The Commission’s
NIS Directive proposal followed concerns over ever-increasing cyber attacks
on companies in various sectors, and it is the first EU legislation on
cybersecurity.

The political discussions on the proposal for the NIS Directive stalled for
several months until 7 December 2015, when the representatives of the
European Parliament, the European Commission, and the Council (representing
EU Member States) signed the final deal on new cybersecurity rules for
Europe. It was a deal that involved an unusually great amount of political
horse-trading, and perhaps not even all the lawmakers believed that an
agreement could be found. In particular, the scope of the proposal and
several basic definitions in the draft law caused disagreements along
national lines as well as between the negotiating EU institutions. So why
was the proposal for an NIS Directive so controversial, and what does it
mean for financial institutions?

Mandatory Reporting Obligation for Financial Institutions

Both banks and financial market infrastructure providers (including trading
venues and central counterparties) are included in the scope of the new NIS
Directive — in Article 3, they are specifically defined as “operators of
essential services”. Other entities included in the scope include
electricity and gas suppliers, operators of oil and natural gas, air
carriers, maritime carriers, railways, airports and ports, and health-care
providers.

According to the new law, the entities within the scope will have several
obligations in case of a cyber attack. The “essential services” providers
have to take appropriate and proportionate technical and organisational
measures to manage the risks posed to the security of networks and
information systems that they use in their operations (Article 14). They
also need to prevent and minimise the impact of cyber incidents.

The operators of essential services also have to notify national competent
authorities (national regulators) or specifically created Computer Security
Incident Response Teams (CSIRTs) about incidents having a “significant”
impact on the continuity of the services they provide. An incident can be
classified as “significant” depending on the number of people affected by
it, the duration of the incident, and the geographical spread (for example,
whether the incident affects services in several branches of a bank). There
will be some leeway for national regulators to develop guidelines for when
exactly the incident needs to be reported.

The final text places a great deal of responsibility on the essential
services providers. For example, even if a financial services company has
outsourced its cloud computing services to a third party, the delegating
entity still holds the main responsibility for any data breach resulting
from a cyber attack.

Some Cyber Coordination Across the EU

In addition to the service operators, national Member States will be
required to adopt a national NIS strategy defining the objectives and
appropriate policy and regulatory measures in relation to cybersecurity
(Article 5). Member States are also required to designate a national
competent authority for the implementation and enforcement of the
Directive, as well as create CSIRTs that will be responsible for handling
incidents and risks (Article 7).

The Member States need to compile a list of entities that are in the scope
of the Directive, and to update the list every two years. If the operator
of essential services, for example a bank, operates in several different
Member States, the Member States will have to consult each other on how to
handle possible cybersecurity incidents.

Interestingly, several parts related to cross-border cooperation have been
deleted from the final legal text, for example Article 9 on Secure
Information Sharing System, Article 10 on Early Warnings, and Article 11 on
Coordinated Response. The deletions indicate that several Member States
have wanted to keep cybersecurity policies as national competencies. On the
other hand, the Directive also notes that the Member States can adopt
higher security standards than required by the NIS Directive, thereby
allowing so-called national “gold-plating” (see, for example, Article 15 a).

Bigger Role for pan-European Cyber Agency

The pan-European Agency for Network and Information Security (ENISA) will
play a key role in many aspects of the Directive, particularly in relation
to cooperation, which now becomes mandatory between the Member States,
albeit in a limited form. ENISA will also provide the secretariat for the
European CSIRTs Network to promote operational cooperation on specific
cybersecurity incidents and to share information about risks.

Even before the agreement on the NIS Directive, ENISA has been keen on
reminding the financial services industry of the need to secure its online
services against cyber attacks. In early December 2015, ENISA published a
report on the usage of cloud services in the European banking sector. ENISA
analysed the usage of cloud services in the finance sector, and provided
recommendations to financial institutions, regulators, and cloud service
providers about what should be done to support secure adoption of cloud
services in the finance sector. The report notes that while cloud computing
is gradually being adopted within the European financial industry, the vast
majority of financial institutions (FIs) still rely on in-house
infrastructure. The study recommends that FIs develop a cloud strategy to
define their approach to cloud computing.

Public-Private Partnership on Cybersecurity

Following the political agreement on the NIS Directive, the text will now
have to be formally approved by the European Parliament and by the Council,
representing EU Member States. Once the formally adopted text has been
published in the Official Journal of the EU, most likely in the first
quarter of 2016, the Member States will have 21 months to implement the
Directive into their national laws. After that, the Member States have six
more months to identify operators of essential services.

The NIS Directive political agreement is important; however, the Commission
noted that the work on improving cybersecurity is not over yet. The
Commission has indicated its willingness to work together with the digital
security and privacy industry in Europe, with the view of establishing a
contractual public-private partnership on cyber security in 2016. The aim
of the partnership would be to stimulate the competitiveness and innovation
capacities of the industry to ensure that there will be a sustained supply
of cybersecurity products and services. A public consultation and a policy
Roadmap on the partnership were launched on 18 December, with responses due
by 11 March 2016.

Finalization of the NIS Directive does not mean that the European
cybersecurity saga is over. As the Directive has not been as prescriptive
as many anticipated, we can expect the policy discussions to continue for
years to come. The increased involvement of ENISA in the policy area also
highlights how seriously European lawmakers take the security of
information networks — this may mean increasing responsibility being placed
on financial services entities in the future. CFA Institute will continue
to monitor new rules on cybersecurity across the globe.