Establish a single authority that receives all reporting from all financial institutions into an EU central Hub/Database. This authority would be responsible for reporting to each competent authority depending on the issue (for example, PSD2, GDPR, NIS) and the country. A comprehensive and harmonised EU-wide system of ICT and security incident reporting should be designed for all financial entities, which would also lead to harmonised incident reporting at the national level.
Create a standing mechanism to exchange incident reports among competent authorities to ensure that best practices are shared among financial players. It should be designed on two pillars: i) sharing good practices between authorities which support their supervisory powers and ii) receiving feedback from authorities to improve banks’ internal practices.
The legislator should examine the authorisation schemes based on compliance with pre-determined requirements, with the aim to speed up the processes. Concerning purely contractual considerations, a standardisation of all the main clauses is needed. In addition to the main standard contractual clauses (clause concerning audit; subcontracting clause; business continuity clause; withdrawal clause; data location clause; non-compliance case; penalties for non-compliance), ESBG would welcome a proposal for standard contractual clauses also in regard to confidentiality and the (relevant) bank secrecy act, GDPR and how to handle the potential “conflict” between GDPR and the Cloud Act (US).
The Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses is a first and important response. Nevertheless, this raises the question of which regulatory framework will be chosen by the Commission. If the selected standard framework is an EBA regulation, this will strengthen the financial sector’s capacity to negotiate, but it will not always be imposed on providers, since they fall outside the EBA’s field of supervision. The most desirable outcome for ESBG would be a regulatory framework that could legally bind providers to the application of the major, mandatory Cloud clauses.

The current overlap of reporting obligations regarding cyber incidents creates negative effects for all types of institutions. ESBG therefore urges regulators to harmonise their reporting requirements and processes, as a fragmented approach diverts resources away from addressing the issue itself. It is necessary to introduce materiality thresholds. The reporting obligation of financial institutions must be relevant and fit for purpose.
Identified Concerns
The proportionality principle must also apply here. Reporting every single incident is not productive, and financial institutions might not always have the required capacity to do so. ESBG members have experienced serious difficulties when negotiating certain outsourcing clauses related to contractual agreements with ICT third-party providers. We explore this aspect further in our position on Cloud computing.
Why Policymakers Should Act
The number of incident reporting requirements is increasing and can also vary from country to country. For an organisation with common business infrastructure supporting operations in several countries, this means that a single incident triggers several incident reports to multiple authorities in many different countries. European regulators should reduce compliance complexity by integrating regulatory guidance, expectations and requirements.
Background
In recent years, cyber-attacks on the financial sector have increased in number, sophistication and severity. The increasing digitalisation of finance is set to accelerate this trend.
Dependence on ICT and data raises new challenges in terms of operational resilience. The increasing level of digitalisation, coupled with the presence of high-value assets and (often sensitive) data, makes the financial system vulnerable to operational incidents and cyber-attacks. While it already outspends other sectors in safeguarding itself against ICT risks (both of a malicious and an accidental nature), finance is nonetheless estimated to be three times more at risk of cyber-attacks than any other sector.
ESBG submitted a response to the European Commission consultation on a digital operational resilience framework in March 2020, and to the Financial Stability Board consultation on effective practices for cyber incident response and recovery in July 2020. The European Commission launched a public consultation on the revision of the NIS Directive. On 24 September 2020, in the context of the Digital Finance Package, the European Commission published a ‘Digital Operational Resilience Act’ (DORA), aiming to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. ESBG welcomes the initiative by the Commission to build a real single market for cybersecurity.