In the digital age, the creativity of cyber criminals requires constant vigilance. Banks are conscious that they remain the number one target for cyber-attacks. Therefore, the European Union’s focus on cybersecurity is both welcome and acutely needed.
Embedding cybersecurity into the various aspects of financial regulation, including risk management controls, supervisory stress tests and incident management, will ensure a holistic approach that best protects the stability of financial markets.
The question, however, is whether these initiatives are effectively aligned, or whether EU officials are tripping over each other in the rush to get files over the line ahead of next year's elections.
What is currently at play?
Cybersecurity has been a priority for the outgoing Commission, and in financial services this focus was one of the drivers behind DG-FISMA's DORA – the EU's milestone Digital Operational Resilience Act. The Regulation harmonises the ICT and operational risk framework for financial entities and encompasses cybersecurity, albeit with some elements left voluntary.
Alongside the sectoral overhaul, financial services are also affected by the cross-sectoral cybersecurity package coming out of DG-CNECT, underpinned by the technical cybersecurity certification schemes.
Moreover, cyber risk has increasingly become an area of focus for supervisors, including the ECB, in assessing the resilience of market participants, with threat-led penetration testing (TLPT) used to exercise a firm's defences and response capabilities: a red team, working from current threat intelligence, emulates the tactics of real adversaries against the firm's live production systems rather than a test environment.
The overall framework is comprehensive, and the level of ambition laudable, but there are serious concerns across the industry regarding the practical implementation of these well-intentioned proposals.
Why the cause for concern?
While the Commission is aware of the risks of duplication and overlap, its approach has not been consistent, and the incoming Cyber Resilience Act (CRA) has caused significant concern across the industry.
At first glance, this piece of product regulation could neatly sit in parallel to the entity regulation under DORA. However, the commercial reality is not so straightforward.
Many financial services firms today offer products and services through technology systems and applications that could be captured under both frameworks; the Cyber Resilience Act proposal in fact cites banking apps as one example. Yet such a 'product' is very different from a good sold to a consumer, after which the provider or merchant relinquishes control. A bank retains control over its applications throughout their life, and is already responsible for ensuring that security patches and software updates are reviewed and installed. The application would therefore already be covered by the existing DORA requirements, rendering the additional CRA obligations superfluous for it.
Within the EU institutions, some do not consider this overlap overly worrying: since checks are already taking place, they reason, any additional burden would be limited. Such thinking fails to recognise that a single "service offering" can have hundreds of applications and processes sitting under it. The resourcing burden of any duplication in cybersecurity measures is therefore significant, and growing, as cyber controls and testing continue to become more extensive. While firms repeatedly address the same cyber risk under two frameworks, they are prevented from devoting time and effort to tackling new threats.
In an emerging area such as cyber, firms must retain the capacity to respond to new threats as they arise, and the increasing regulatory load is constraining EU financial firms' agility.
What is next?
The immediate priority is ensuring that the incoming Cyber Resilience Act does not cut across DORA. DORA marks a notable advancement for operational resilience in the digital world and merits broad Commission support. A definitive boundary needs to be established regarding the underlying systems and processes which support many outward-facing products. It is also critical that any additional incoming requirements on the reporting of vulnerabilities and threats are built on existing systems and lines of communication, so that the same incident is not reported through two separate channels with conflicting content and mismanaged responses.
It will be crucial that the new Commission resists the pressure to introduce new cybersecurity schemes and proposals, as the current framework needs time to bed in before any remaining gaps are addressed.
Moreover, the worrying tendency to introduce localisation or sovereignty requirements under the pretext of cybersecurity must be countered. Such proposals were debated at length during the passage of DORA, yet the discussion keeps being reopened, most recently over the EUCS, the EU's cybersecurity certification scheme for cloud services. Many cyber threats are cross-border in nature, and cutting off access to non-EU solutions will ultimately backfire by limiting the ability of EU businesses and clients to rely on the software providers with the most relevant expertise in any particular field. The only beneficiaries in such a scenario would be the cyber criminals, who would be quick to exploit the resulting gaps and blind spots.
AFME's Technology & Operations team remains on hand to discuss any of these issues in further depth, or to provide an update on the organisation's activity in this field. Please contact [email protected] for further information.