Cybersecurity in the financial sector: where are we and what’s coming?

Cybersecurity in the financial sector: where are we and what’s coming?

Introduction: what do cheese, passports and oil have in common?

The Dutch research programme Zembla recently devoted a broadcast to the question of how well protected the Netherlands is against ransomware attacks: attempts by hackers to penetrate the systems of organisations, encrypt them and only release them once the organisation has paid the ransom demanded by the hackers. Most of the affected organisations approached by Zembla do not want to go public with this. This applied, for example, to a cheese producer which, following a ransomware attack earlier this year, was temporarily unable to supply any more cheese, resulting in empty cheese shelves at the Albert Heijn supermarket. In the broadcast, the mayor of Hof van Twente talks openly about what happened to her municipality last year: after a successful attack – presumably from Russia – on the account of the system manager, the municipality could no longer access its systems. The hackers demanded EUR 750,000, payable in full in bitcoins. The municipality refused to pay and decided to hire IT specialists to rebuild the network. Total costs: several million euros.

The broadcast also discusses the developments worldwide. Hackers are now also attacking vital organisations, such as energy and drinking water companies. A striking example is the attack by a hacker collective – again presumably from Russia – on the most important oil pipeline of the US this spring, which resulted in petrol-hungry Americans.

Just as a society cannot exist without properly functioning energy and drinking water companies, neither can it exist without an adequately functioning financial sector. Fortunately, no seriously disruptive cyber incidents have occurred to date in the Netherlands in the area of, for example, payments, but the (European) legislature and supervisors are not reassured.[1] This is why, in this blog, I will discuss the current regulatory framework for cyber security in the financial sector and take a look at the changes that the European Commission (EC) has proposed in this respect.

 

Current situation: legal framework is fragmented and consists mainly of (a few) open standards

In Europe, regulations for the financial sector are largely sector-based and therefore fragmented. This therefore also applies to the rules on cyber security included in such sectoral directives and regulations.

In the Netherlands, these European regulations are often implemented and merged in the Financial Supervision Act (Wft), the Decree on Conduct of Financial Undertakings Wft (BGfo) and the Prudential Supervision Decree (Bpr). For instance, Sections 3:17 Wft and 20 Bpr contain standards on cyber security for banks, insurers and payment institutions, among others. The applicable – general – core provision reads as follows pursuant to Section 20 Bpr:

The financial undertaking (…) shall have procedures and measures in place to ensure the integrity, continuous availability and security of automated data processing.

For institutions that are primarily subject to AFM supervision – such as fund managers, depositaries, investment firms and financial service providers – there are the general provisions of Section 4:14 and 4:15 of the Wft regarding sound and controlled management. Next, the BGfo must be searched with a lantern for regulations regarding cyber security. Then you find, for instance, article 30 BGfo for (managers of) UCITS and depositaries, which is just as general in its wording as article 20 Bpr. For investment firms and fund managers, directly effective European regulations do include the general assignment to provide procedures and measures in the area of information security and business continuity; this obviously includes cyber security, but it is not very specific yet.

Additional IT standards apply to some types of financial institutions on the basis of European (delegated) regulations, such as central counterparties (CCPs) and operators of trading platforms. Specific security requirements also apply to the provision of payment services (Article 26c et seq. of the Bpr). However, it is difficult to speak of a truly unambiguous and concrete legal framework for cyber security within the financial sector, especially in view of the aforementioned general provisions.

Where the law does not prescribe an unequivocal and concretised framework on cybersecurity for the financial sector, regulators in the Netherlands and Europe have tried to provide financial institutions with (more) concrete guidance on this subject. In the Netherlands, for example, DNB has been publishing a Q&A Information Security since 2010, which it updated in 2019 in the Good Practice Information Security 2019-2020. And also the AFM published its ‘Principles for Information Security’ in 2019, with which it expresses its expectations regarding the desired behaviour of supervised institutions in the field of information security. At the European level, the European Banking Authority (EBA) has published guidelines on ICT and security risk management, among other things. These guidelines apply to (i) payment institutions and (ii) banks and investment firms as referred to in Article 4(1)(3) CRR. Furthermore, since 31 July 2021, the guidelines of the European Securities and Markets Authority (ESMA) on outsourcing to cloud service providers apply. Furthermore, regulators have developed ICT test frameworks, such as TIBER-NL (an initiative of DNB and now also applied by the AFM) and TIBER-EU (developed by the European Central Bank).

Lastly, I would like to mention the Network and Information Systems Security Act (Wbni, also known as the Cybersecurity Act), which has been in force in the Netherlands since 9 November 2018. The Wbni is the implementation of the European NIS Directive and obliges providers of essential services (AEDs) to observe certain IT security requirements. The Wbni also designates banking and financial market infrastructure as essential services. DNB is authorised to designate banks, operators of trading platforms and CCPs as AEDs. However, the material security requirements of the Wbni do not apply to these entities designated by DNB[2] (reason: according to the legislature, these entities are already subject to similar requirements under sectoral financial regulations, see also above). However, under the Wbni, AEDs designated by DNB must report serious cyber incidents to DNB and the National Cyber Security Centre.[3]

 

Future situation: one European cyber security regulation for most of financial sector

The EC wants to put an end to the existing fragmentation of cybersecurity rules and uncoordinated initiatives in different member states. For this reason, on 24 September 2020, the EC proposed a new regulation entirely dedicated to cybersecurity: the Regulation on digital operational resilience for the financial sector (DORA).

 

The EC intends DORA to apply directly to the vast majority of the financial sector, including banks, insurers, investment firms, fund managers, electronic money institutions, crypto service providers, CCPs, trading venues, central securities depositories and certain intermediaries. In addition, the proposal brings statutory auditors and audit firms within the scope of DORA, as well as certain providers of ICT services.

 

DORA roughly consists of five pillars:

 

  1. ICT risk management: rules for the proper design of the ICT risk management framework, including rules for (i) governance and organisation, (ii) policies, procedures and protocols for protection against ICT risks (iii) conditions to be imposed on ICT systems, (iv) business continuity policies for detection of, response to and recovery from ICT-related incidents, (v) backup policies and (vi) and periodic testing of (inter alia) the security of the systems used.
  2. Handling of ICT incidents: standards for the identification, classification and handling of ICT-related incidents, as well as an obligation to report major ICT-related incidents to the competent authorities.
  3. ICT third-party risk management: rules for managing risks arising from the outsourcing of ICT services to third parties, including obligations relating to the content of outsourcing agreements between financial institutions and ICT providers.
  4. Supervision of critical ICT service providers: introducing an oversight framework for critical ICT third-party service providers.
  5. Cooperation and enforcement: rules on cooperation between competent authorities and rules on supervision and enforcement of DORA by competent authorities.

 

All in all, DORA is a major legislative initiative by the EC, which will demand a lot from financial institutions in the field of (the adequate management of) cyber security. With an increasingly digital financial sector (and world), I can understand why the EC has proposed DORA, as long as legislatures and supervisors keep sufficient eye on the important principle of proportionality. After all, ICT risks and especially their potential impact will differ from one institution to another. What I think is positive, is that with DORA, the current fragmented landscape will be replaced by one set of cyber security rules that will apply directly to the majority of parties active in the European financial sector.

 

From when exactly DORA will apply, and in what form, is not yet clear. Negotiations on the text are currently ongoing in Europe. In any case, the EC has proposed that DORA should apply 12 months after the entry into force date. This means that financial institutions still have some time to prepare for DORA, but at the same time it is advisable – if an institution has not already done so – to make a start with those preparations.

 

[1]  See for example the recent Basel Committee newsletter of 20 September 2021 (link) and the recent ESA report on Risks and Vulnerabilities in the European Financial System of 8 September 2021 (link).

[2] Pursuant  to Article 4 of the Decree on the Security of Network and Information Systems (Bbni).

[3]  See www.ncsc.nl. Pursuant to Article 10 of the Wbni and Article 3 of the Bbni, the duty to report also applies to settlement agents and central securities depositories designated by DNB.