Cybersecurity - WSBI ESBG

Establish a single authority that receives all reporting from all financial institutions into an EU central Hub/Database. This authority would be responsible for reporting to each competent authority depending on the issue (for example, PSD2, GDPR, NIS) and the country. A comprehensive and harmonised EU-wide system of ICT and security incident reporting should be designed for all financial entities and that would lead to harmonised incident reporting also at a national level.

Create a standing mechanism to exchange incident reports among competent authorities to ensure that best practices are shared among financial players. It should be designed on two pillars: i) sharing good practices between authorities which support their supervisory powers and ii) receiving feedback from authorities to improve banks’ internal practices.

The legislator should examine the authorisation schemes based on compliance with pre-determined requirements, with the aim to speed up the processes. Concerning purely contractual considerations, a standardisation of all the main clauses is needed. In addition to the main standard contractual clauses (clause concerning audit; subcontracting clause; business continuity clause; withdrawal clause; data location clause; non-compliance case; penalties for non-compliance), ESBG would welcome a proposal for standard contractual clauses also in regard to confidentiality and the (relevant) bank secrecy act, GDPR and how to handle the potential “conflict” between GDPR and the Cloud Act (US).

The Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses is a first and important reply. Nevertheless, this raises the question of which regulatory framework will be chosen by the Commission. If the selected standard framework is an EBA regulation, this will strengthen the financial sector’s capacity to negotiate, but it will not always be imposed on providers since they are not in the EBA’s supervision field. The most desirable outcome for ESBG would be to obtain a regulatory framework that could legally embed providers in the application of the major, mandatory Cloud clauses. The current overlapping of reporting obligations regarding cyber incidents creates negative effects for all types of institutions. ESBG therefore urges regulators to harmonise their reporting requirements and processes as a fragmented approach diverts resources away from addressing the issue. It is necessary to introduce materiality thresholds. The reporting obligation of financial institutions must be relevant and fit for purpose.

Identified Concerns

The proportionality principle must also apply here. Reporting every single incident is not productive, and financial institutions might not always have the required capacity to do so. ESBG members have experienced serious difficulties when negotiating certain outsourcing clauses related to contractual agreements with ICT third-party providers. We explore this aspect further in our position on Cloud computing.

Why Policymakers Should Act

The number of incident reporting requirements is increasing and can also vary from country to country. For an organisation with common business infrastructure supporting operations in several countries, this means that a single incident triggers several incident reports to multiple authorities in many different countries. European regulators should reduce compliance complexity by integrating regulatory guidance, expectations and requirements.

Background

In recent years, cyber-attacks on the financial sector have increased in number, sophistication and severity. The increasing digitalisation of finance is set to accelerate this trend.

Dependence on ICT and data raises new challenges in terms of operational resilience. The increasing level of digitalisation coupled with the presence of high-value assets and (often sensitive) data make the financial system vulnerable to operational incidents and cyber-attacks. While it already outspends other sectors in safeguarding itself against ICT risks (both of malicious and accidental nature) finance is nonetheless estimated to be three times more at risk of cyber-attacks than any other sector.

ESBG submitted a response to the European Commission consultation on a digital operational resilience framework in March 2020, and to the Financial Stability Board consultation on effective practices for cyber incident response and recovery in July 2020. The European Commission launched a public consultation on the revision of the NIS Directive. On 24 September 2020, in the context of the Digital Finance Package, the European Commission published a ‘Digital Operational Resilience Act’ (DORA), aiming to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. ESBG welcomes the initiative by the Commission to build a real single market for cybersecurity.

European Banking Authority (EBA) on ESG risk management

The European Savings and Retail Banking Group (ESBG) submitted its response to the consultation launched by the European Banking Authority (EBA). ESBG insists on the need for consitency with CSRD and CSDDD, the addressees of this guideline should also

Enhancing Transparency in Bank Disclosures: ESBG delivers comprehensive response to the EBA’s Pillar 3 data hub consultation

On 14 December 2023, the European Banking Authority (EBA) published a discussion paper on the Pillar 3 data hub processes and its possible practical implications.

IASB Exposure Draft (ED) on Financial Instruments with Characteristics of Equity

On 29 November 2023, the International Accounting Standards Board (IASB) proposed amendments in an Exposure Draft to tackle challenges in financial reporting for instruments with both

ESBG’s response to the EFRAG Comment Letter on Financial Instruments with Characteristics of Equity

On 29 November 2023, the International Accounting Standards Board (IASB) proposed amendments in an Exposure Draft to tackle

ESBG advocates for increased clarity and streamlining of supervisory reporting requirements

On 14 March, ESBG submitted its response to the European Banking Authority (EBA) consultation on ITS amending Commission Implementation Regulation (EU) 2021/451 regarding supervisory reporting

WSBI-ESBG advocates for robust implementation of the BCBS Pillar 3 framework for climate-related financial risks

On 14 March, WSBI-ESBG submitted its response to the Basel Committee on Banking Supervision (BCBS) consultation on its Pillar 3 disclosure framework for climate-related financial risks

ESBG stresses the need for consistency and clarity in its Response to the SFDR Review Consultation

ESBG submitted its response to the European Commission’s consultation on the SFDR review, aiming to enhance transparency in sustainability-related disclosures within the financial services sector

ESBG response to the EBA’s consultation on Guidelines on preventing the abuse of funds and certain crypto-assets transfers for ML/TF

The guidelines on the “travel rule” delineate the actions that Payment Service Providers (PSPs), Intermediary PSPs

ESBG responds to the SRB consultation on the future MREL policy

The European Savings and Retail Banking Group (ESBG) submitted its response to the consultation launched by the Single Resolution Board (SRB) in December 2023 on the future of the Minimum Requirement for own funds

ESBG’s response to the Commission’s consultation on the GDPR

The primary EU legislation ensuring the fundamental right to data protection is the General Data Protection Regulation

Cookie	Duration	Description
_SS	session	Bing sets this cookie to collect information on how visitors behave on multiple websites and to understand how they access the website, to provide relevant ads.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
SRCHD	1 year 24 days	Bing sets this cookie to display map content using Bing Maps.
SRCHUID	1 year 24 days	Bing sets this cookie to display map content using Bing Maps.
SRCHUSR	1 year 24 days	Bing sets this cookie to display map content using Bing Maps.
uncode_privacy[consent_types]	1 year	This cookie is set by Uncode WordPress theme and is used to manage privacy settings on the website.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_EDGE_S	session	Bing sets this cookie to display map content using Bing Maps.
_EDGE_V	1 year 24 days	Bing sets this cookie to display map content using Bing Maps.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
attribution_user_id	1 year	This cookie is set by Typeform for usage statistics and is used in context with the website's pop-up questionnaires and messengering.
MUIDB	1 year 24 days	Bing sets this cookie to determine how the user uses the website and any advertising that the end user may have seen before visiting the said website.

Cookie	Duration	Description
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
rl_anonymous_id	never	RudderStack set this cookie to store statistical data of users' behaviour on the website, which can be used for internal analytics by the website operator.
rl_group_id	never	RudderStack sets this cookie to collect user activity on the web.
rl_group_trait	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_page_init_referrer	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_page_init_referring_domain	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_trait	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_user_id	never	RudderStack set this cookie to store a unique user ID for the Marketing/Tracking purpose.
SUID	12 hours	Google Analytics sets this cookie to collect data on user preferences and/or interaction with web campaign content (Microsoft).

Cookie	Duration	Description
AWSALBTG	7 days	No description available.
AWSALBTGCORS	7 days	No description available.
SRCHHPGUSR	1 year 24 days	No description available.
tf_respondent_cc	6 months	Description is currently not available.

The World Savings and Retail Banking Institute

The European Savings and Retail Banking Group

Focus areas

Sustainable Finance

Consumer Finance

Anti Money Laundering

Prudential, Supervision and Resolution

Capital Markets Regulation

European Social Dialogue

Auditing, Accounting and Reporting

Digital Finance and Innovation

Payments

News

The World Savings and Retail Banking Institute

The European Savings and Retail Banking Group

Focus areas

Sustainable Finance

Consumer Finance

Anti Money Laundering

Prudential, Supervision and Resolution

Capital Markets Regulation

European Social Dialogue

Auditing, Accounting and Reporting

Digital Finance and Innovation

Payments

News

Identified Concerns

Why Policymakers Should Act

​Background

related

Get in touch

WSBI

ESBG

Together

Members Area

Strengthen the means of implementation and revitalize global partnerships for sustainable development

In October 2023, WSBI-ESBG formed a strategic alliance with the

housed by the World Bank, further bolstering our commitment to inclusivity and diversity.

WSBI’s Development Finance Unit Scale2Save

works with development finance institutions to access international financing flows and with grant giving institutions to catalyse grant financing that supports the development of gender and climate smart solutions for greater impact at members.

Take urgent action to combat climate change and its impacts

WSBI-ESBG members contributed to combat climate changes:

US$ 51 billion

of green bonds were issued.

US$ 31 million

was invested in philanthropic support for the environment including biodiversity protection, eco-friendly mobility solutions, and green campaigns.

A variety of climate insurances and loans for renewable energy

are offered to their customers.

Reduce inequality within and among countries

WSBI-ESBG members contributed to reducing inequalities by serving youth and rural population:

36 %

of their customers on average are 18 to 34 years old

66 %

of their customers on average, are residing in rural areas.

Build resilient infrastructure, promote inclusive and sustainable industrialization and foster innovation

WSBI-ESBG members contributed to enhance the access of their customers to financial services:

88 %

of their network contact points are comprised of mobile banking and financial services agents and Point of Sales (POS) reaching last mile customers

Promote sustained, inclusive and sustainable economic growth, full and productive employment and decent work for all

WSBI-ESBG members contributed to the development of the local economy:

1,4 billion

customers are represented by the global WSBI-ESBG network.

US$ 13,5 trillion

in assets are valued by the members.

94 %

of the members’ corporate portfolio is comprised of micro-, small- and medium-sized enterprises (MSMEs)

Achieve gender equality and empower all women and girls

WSBI-ESBG members contributed to achieve gender equality in the workplace and in their customers portfolio:

53 %

of their staff on average, are women in a non-management and/or front-line level role.

46 %

of members’ management level staff on average, in the African and Latin American region are women.

53 %

of the member banks’ total customer base, excluding the Asian region are women

Ensure inclusive and equitable quality education and promote lifelong learning opportunities for all

WSBI-ESBG members contributed actively to quality education of their customers:

US$ 333 million

was invested in philanthropic support for the education sector including skillset-building, financial education, school visits and stationery.

US$ 4 billion

of outstanding loans for scholarships, in addition to numerous savings plans dedicated to education are currently offered.

Background