ESBG argues for single authority for reporting
BRUSSELS, 17 November 2020 – ESBG argues for establishing a single authority that receives all reporting from all financial institutions into an EU central Hub/Database. This authority would be responsible for reporting to each competent authority depending on the issue (for example, PSD2, GDPR, NIS) and the country. A comprehensive and harmonised EU-wide system of ICT and security incident reporting should be designed for all financial entities, which would also lead to harmonised incident reporting at the national level.
The association argues for creating a standing mechanism to exchange incident reports among competent authorities to ensure that best practices are shared among financial players. It should be designed on two pillars: i) sharing good practices between authorities which support their supervisory powers and ii) receiving feedback from authorities to improve banks’ internal practices.
The legislator should examine the authorisation schemes based on compliance with pre-determined requirements, with the aim to speed up the processes. Concerning purely contractual considerations, a standardisation of all the main clauses is needed. In addition to the main standard contractual clauses (clause concerning audit; subcontracting clause; business continuity clause; withdrawal clause; data location clause; non-compliance case; penalties for non-compliance), ESBG would welcome a proposal for standard contractual clauses also in regard to confidentiality and the (relevant) bank secrecy act, GDPR and how to handle the potential “conflict” between GDPR and the Cloud Act (US).
The Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses is a first and important reply. Nevertheless, this raises the question of which regulatory framework will be chosen by the Commission. If the selected standard framework is an EBA regulation, this will strengthen the financial sector’s capacity to negotiate, but it will not always be imposed on providers since they are not in the EBA’s supervision field. The most desirable outcome for ESBG would be to obtain a regulatory framework that could legally embed providers in the application of the major, mandatory Cloud clauses.
Why policymakers should act
The number of incident reporting requirements is increasing and can also vary from country to country. For an organisation with common business infrastructure supporting operations in several countries, this means that a single incident triggers several incident reports to multiple authorities in many different countries. European regulators should reduce compliance complexity by integrating regulatory guidance, expectations and requirements.
Why it matters
In recent years, cyber-attacks on the financial sector have increased in number, sophistication and severity. The increasing digitalisation of finance is set to accelerate this trend. Dependence on ICT and data raises new challenges in terms of operational resilience. The increasing level of digitalisation, coupled with the presence of high-value assets and (often sensitive) data, makes the financial system vulnerable to operational incidents and cyber-attacks. While it already outspends other sectors in safeguarding itself against ICT risks (both of malicious and accidental nature), finance is nonetheless estimated to be three times more at risk of cyber-attacks than any other sector. ESBG submitted a response to the European Commission consultation on a digital operational resilience framework in March 2020, and to the Financial Stability Board consultation on effective practices for cyber incident response and recovery in July 2020. ESBG welcomes the initiative by the Commission to build a real single market for cybersecurity