Establish a single authority that receives all reporting from all financial institutions into an EU central Hub/Database. This authority would be responsible for reporting to each competent authority depending on the issue (for example, PSD2, GDPR, NIS) and the country. A comprehensive and harmonised EU-wide system of ICT and security incident reporting should be designed for all financial entities and that would lead to harmonised incident reporting also at a national level.

Create a standing mechanism to exchange incident reports among competent authorities to ensure that best practices are shared among financial players. It should be designed on two pillars: i) sharing good practices between authorities which support their supervisory powers and ii) receiving feedback from authorities to improve banks’ internal practices.

The legislator should examine authorisation schemes based on compliance with pre-determined requirements, with the aim of speeding up the processes. Concerning purely contractual considerations, a standardisation of all the main clauses is needed. In addition to the main standard contractual clauses (audit clause; subcontracting clause; business continuity clause; withdrawal clause; data location clause; non-compliance case; penalties for non-compliance), ESBG would welcome a proposal for standard contractual clauses also in regard to confidentiality and the (relevant) bank secrecy act, GDPR, and how to handle the potential “conflict” between GDPR and the US Cloud Act.

The Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses is a first and important reply. Nevertheless, this raises the question of which regulatory framework the Commission will choose. If the selected standard framework is an EBA regulation, this will strengthen the financial sector’s capacity to negotiate, but it will not always be binding on providers, since they fall outside the EBA’s supervisory remit. The most desirable outcome for ESBG would be a regulatory framework that legally binds providers to the application of the major, mandatory Cloud clauses.

The current overlap of reporting obligations regarding cyber incidents creates negative effects for all types of institutions. ESBG therefore urges regulators to harmonise their reporting requirements and processes, as a fragmented approach diverts resources away from addressing the incident itself. It is necessary to introduce materiality thresholds: the reporting obligation of financial institutions must be relevant and fit for purpose.

Identified Concerns

The proportionality principle must also apply here. Reporting every single incident is not productive, and financial institutions might not always have the required capacity to do so. ESBG members have experienced serious difficulties when negotiating certain outsourcing clauses in contractual agreements with ICT third-party providers. We explore this aspect further in our position on Cloud computing.

Why Policymakers Should Act

The number of incident reporting requirements is increasing and can also vary from country to country. For an organisation with common business infrastructure supporting operations in several countries, this means that a single incident triggers several incident reports to multiple authorities in many different countries. European regulators should reduce compliance complexity by integrating regulatory guidance, expectations and requirements.

Background

In recent years, cyber-attacks on the financial sector have increased in number, sophistication and severity. The increasing digitalisation of finance is set to accelerate this trend.

Dependence on ICT and data raises new challenges in terms of operational resilience. The increasing level of digitalisation, coupled with the presence of high-value assets and (often sensitive) data, makes the financial system vulnerable to operational incidents and cyber-attacks. While it already outspends other sectors in safeguarding itself against ICT risks (both of a malicious and of an accidental nature), finance is nonetheless estimated to be three times more at risk of cyber-attacks than any other sector.

ESBG submitted a response to the European Commission consultation on a digital operational resilience framework in March 2020, and to the Financial Stability Board consultation on effective practices for cyber incident response and recovery in July 2020. The European Commission also launched a public consultation on the revision of the NIS Directive. On 24 September 2020, in the context of the Digital Finance Package, the European Commission published its proposal for a ‘Digital Operational Resilience Act’ (DORA), aiming to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other ICT risks. ESBG welcomes the initiative by the Commission to build a real single market for cybersecurity.