Significant changes have occurred in the cybersecurity landscape in recent years and the number and diversity of cyber threats, often of borderless character, are a continued concern. Therefore, ESBG approves the aim of the Cybersecurity Act to reinforce the mandate of ENISA, with a role of coordination at EU level to develop closer cooperation for cybersecurity issues.
ESBG particularly welcomes the initiatives on the preventive side, aimed at boosting digital skills on a cross-border basis. The capabilities of industry participants to effectively fight cyber-attacks will be enhanced by adequate training in skills, and by the exchange of threat information in real time between peers, unconstrained by data privacy or competition legislation.
Cooperation with bodies outside the EU should be encouraged, such as the development of structured messages to report threats and attacks to a single point. ESBG believes that cybercrime can be fought effectively not only by a cooperation of industry sectors but also by working closely with government authorities, for the exchange of information.
Supervisors are reacting with a proliferation of cybersecurity frameworks and regulations. As a result, the definitions and approaches used by supervisors vary, which creates significant inefficiencies and conflicting direction for financial institutions. This is why we believe it to be key that cybersecurity is coordinated at international and EU level. We welcome the intention of the president-elect of the European Commission to build a real single market for cybersecurity, and the emphasis placed on certification, on implementing rules on the security of network and information systems, on rapid emergency response strategies, and on building a Joint Cyber Unit to better protect ourselves.
A connected system is only as safe as its weakest element. Given the interconnectedness of all business sectors, including the financial sector, it will be critical that every institution, regardless of its size, nature or activity, acquires the same level of cybersecurity.
Cyber-attacks are increasing in number and sophistication and pose a substantial risk to the stability of the overall financial sector. Each and every financial institution must commit to the proper identification, protection, detection, response and recovery of cyber events. It is important to recognise that the customer and personal data of many individuals and corporations can be exposed if a single point of entry fails to adequately protect them from ICT and security risks. We can expect hackers to attack the weakest link in the value chain and gain access to customers' transaction data.
As the financial sector becomes increasingly dependent on digital technologies, ensuring its resilience while tackling ever-growing cyber threats is becoming an important concern, since those threats might endanger the stability of the EU financial system.
The cross-border nature of cyber threats requires a high degree of alignment of national regulatory and supervisory requirements and expectations, yet at the same time it should be considered that cybersecurity rules should not diverge between sectors. ESBG thus advises against creating parallel structures for the financial sector and instead, should an in-depth exchange be considered necessary, calls for the creation of a specific expert group within ENISA (like the one established at the European Data Protection Board, EDPB) with a twofold mandate: on the one hand, mapping and evaluating specific cybersecurity challenges within the banking sector; on the other, promoting the coordination and exchange of information among the whole spectrum of stakeholders, thereby providing input for regulation and policy measures relating to cybersecurity issues which are common across different sectors.
ESBG welcomes the determination of the European Commission to create an EU-wide cybersecurity certification scheme to facilitate a wide and coherent cyber-resilience testing framework, which should be on a voluntary basis and consider the specific cyber risk profile of the relevant entities tested. Bearing in mind the present significant differences across and within the financial sectors in terms of cyber maturity, ESBG agrees with the ESAs that a multi-staged approach to building a coherent cyber resilience testing framework would be the most appropriate at this stage.
An additional challenge is that the insurance market against cyber risks is relatively small and suffers disproportionately from the problems any insurance market suffers from (information asymmetry and adverse selection). In the EU, the issue is aggravated by the lack of a central security authority and of information sharing. Yet creating the right conditions for an insurance market to develop can help in two ways. First, the ability to insure against cyber risks will help cushion the cost for any individual entity that comes under attack. Second, allowing a market, and therefore a pricing system, to develop will help in understanding the extent and gravity of these risks. Helping to define a methodology that is common across the EU could therefore be an important contribution to the creation of an EU-wide insurance market. Creating uniform information and disclosure requirements would also be a helpful step forward.
Cybersecurity should be at the forefront of digitalisation policy. Continued policy-industry dialogues need to ensure that cybersecurity standards are enhanced and their enforcement strengthened, while coordination and information sharing between national and supranational authorities should be increased. Yet at the same time it should be considered that cybersecurity rules should not diverge between sectors – parallel structures for the financial sector should thus not be created, but integrated in cross-industry frameworks.
The FinTech action plan has outlined the mission of the European Commission to enhance cybersecurity and cyber resilience in the financial sector, which entails:
- facilitating information sharing on cyber threats among market participants;
- higher supervisory convergence and enforcement of IT risk management;
- increased EU coordination in cyber threat testing.
The European Cybersecurity Act, signed on 17 April 2019, strengthens ENISA by granting the agency a permanent mandate not only to provide expert advice but also to perform operational tasks, to better support Member States in tackling cybersecurity threats and attacks through a greater role in cooperation and coordination at Union level. Furthermore, the Act establishes the first EU-wide cybersecurity certification framework to ensure a common cybersecurity certification approach in the European internal market and ultimately improve cybersecurity in a broad range of ICT products and services.
In September 2018, the Commission proposed the creation of a Network of Cybersecurity Competence Centres and a new European Cybersecurity Industrial, Technology and Research Competence Centre to invest in stronger and pioneering cybersecurity capacity in the EU.
Moreover, the Commission is working on a new Directive on the combatting of fraud and counterfeiting of non-cash means of payment to provide for a more efficient criminal law response to cybercrime.
The EBA launched a consultation on its draft Guidelines on ICT and security risk management at the end of 2018, which ran until mid-March 2019, establishing requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks.
The ESAs published on 10 April 2019 a Joint Advice on Information and Communication Technology risk management and cybersecurity.
ESBG has identified the following as the main concerns for cybersecurity in the banking sector:
- Increased EU coordination – as the financial sector becomes increasingly dependent on digital technologies, the need to build greater cooperation at Union level (for example, ensuring a common cybersecurity certification approach);
- Fraud prevention – the need for a common EU approach to increase cyber resilience in the financial sector to prevent and counter fraud. Service providers must constantly adjust and refresh the measures designed to protect data to mirror the constantly evolving technology and thus new threat profiles;
- Direct oversight/supervision of critical third party service providers – in order to increase the resilience of financial markets and safeguard the level playing field;
- Streamlining of cyber incident reporting schemes – streamlining of incident reporting and cyber resilience testing frameworks is of utmost importance to prevent red tape and to increase European resilience overall;
- Ethics Guidelines for Artificial Intelligence – future developments in the area of AI may pose a disruptive challenge to cybersecurity. Based on the Ethics Guidelines presented by the High-Level Expert Group on AI on 8 April 2019, the Commission should integrate ethical requirements into potential upcoming legislative proposals.