Establish a single authority that receives all reporting from all financial institutions into an EU central Hub/Database. This authority would be responsible for reporting to each competent authority depending on the issue (for example, PSD2, GDPR, NIS) and the country. A comprehensive and harmonised EU-wide system of ICT and security incident reporting should be designed for all financial entities, which would also lead to harmonised incident reporting at national level.
Create a standing mechanism to exchange incident reports among competent authorities to ensure that best practices are shared among financial players. It should be designed on two pillars: i) sharing good practices between authorities which support their supervisory powers and ii) receiving feedback from authorities to improve banks’ internal practices.
The legislator should examine the authorisation schemes based on compliance with pre-determined requirements, with the aim of speeding up the processes. Concerning purely contractual considerations, a standardisation of all the main clauses is needed. In addition to the main standard contractual clauses (clause concerning audit; subcontracting clause; business continuity clause; withdrawal clause; data location clause; non-compliance case; penalties for non-compliance), ESBG would welcome a proposal for standard contractual clauses also in regard to confidentiality and the (relevant) bank secrecy act, GDPR and how to handle the potential “conflict” between GDPR and the Cloud Act (US).
The Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses is a first and important response. Nevertheless, this raises the question of which regulatory framework will be chosen by the Commission. If the selected standard framework is an EBA regulation, this will strengthen the financial sector’s capacity to negotiate, but it will not always be imposed on providers since they are not within the EBA’s supervisory remit. The most desirable outcome for ESBG would be to obtain a regulatory framework that could legally bind providers to the application of the major, mandatory Cloud clauses.
The current overlapping of reporting obligations regarding cyber incidents creates negative effects for all types of institutions. ESBG therefore urges regulators to harmonise their reporting requirements and processes, as a fragmented approach diverts resources away from addressing the issue. It is necessary to introduce materiality thresholds. The reporting obligation of financial institutions must be relevant and fit for purpose. The proportionality principle must also apply here. Reporting every single incident is not productive, and financial institutions might not always have the required capacity to do so.
ESBG members have experienced serious difficulties when negotiating certain outsourcing clauses related to contractual agreements with ICT third-party providers. We explore this aspect further in our position on Cloud computing.
The number of incident reporting requirements is increasing and can also vary from country to country. For an organisation with common business infrastructure supporting operations in several countries, this means that a single incident triggers several incident reports to multiple authorities in many different countries. European regulators should reduce compliance complexity by integrating regulatory guidance, expectations and requirements.
In recent years, cyber-attacks on the financial sector have increased in number, sophistication and severity. The increasing digitalisation of finance is set to accelerate this trend.
Dependence on ICT and data raises new challenges in terms of operational resilience. The increasing level of digitalisation, coupled with the presence of high-value assets and (often sensitive) data, makes the financial system vulnerable to operational incidents and cyber-attacks. While it already outspends other sectors in safeguarding itself against ICT risks (both of a malicious and an accidental nature), finance is nonetheless estimated to be three times more at risk of cyber-attacks than any other sector.
ESBG submitted a response to the European Commission consultation on a digital operational resilience framework in March 2020, and to the Financial Stability Board consultation on effective practices for cyber incident response and recovery in July 2020. The European Commission launched a public consultation on the revision of the NIS Directive. On 24 September 2020, in the context of the Digital Finance Package, the European Commission published a ‘Digital Operational Resilience Act’ (DORA), aiming to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. ESBG welcomes the initiative by the Commission to build a real single market for cybersecurity.