What New Cybersecurity Rules in Europe Mean for Financial Bodies
Very few investment management professionals spend time thinking about cybersecurity. It’s considered an issue that has little influence on investors’ day-to-day work, and is a domain usually covered by chief information officers. However, as we point out in a recent blog post, cybersecurity matters to everyone working in finance.
In the European Union (EU), cybersecurity has drawn increasing attention from policymakers. To a large extent, European cybersecurity rules fall under the broad Digital Single Market (DSM) initiative. The European Commission published its DSM Communication in May 2015. Just as the Capital Markets Union initiative aims at further integrating European financial services markets, the DSM is a broad umbrella framework that aims at deepening European cloud computing and digitalisation markets through various initiatives. The Commission notes that the creation of a single digital market in the EU could contribute €415 billion per year to the European economy and create hundreds of thousands of new jobs.
New Cybersecurity Legislation
In February 2013, the European Commission published its EU-wide Cybersecurity Strategy. It proposed 14 actions to improve cybersecurity in the EU. The key proposal was for a Directive on a high common level of network and information security (NIS) across the Union. The Commission’s NIS Directive proposal followed concerns over ever-increasing cyber attacks on companies in various sectors, and it is the first EU legislation on cybersecurity.
The political discussions on the proposal for the NIS Directive stalled for several months until 7 December 2015, when the representatives of the European Parliament, the European Commission, and the Council (representing EU Member States) signed the final deal on new cybersecurity rules for Europe. It was a deal that involved an unusually large amount of political horse-trading, and perhaps not even all the lawmakers believed that an agreement could be found. In particular, the scope of the proposal and several basic definitions in the draft law caused disagreements along national lines as well as between the negotiating EU institutions. So why was the proposal for an NIS Directive so controversial, and what does it mean for financial institutions?
Mandatory Reporting Obligation for Financial Institutions
Both banks and financial market infrastructure providers (including trading venues and central counterparties) are included in the scope of the new NIS Directive — in Article 3, they are specifically defined as “operators of essential services”. Other entities included in the scope include electricity and gas suppliers, operators of oil and natural gas, air carriers, maritime carriers, railways, airports and ports, and health-care providers.
According to the new law, the entities within the scope will have several obligations in case of a cyber attack. The “essential services” providers have to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems that they use in their operations (Article 14). They also need to prevent and minimise the impact of cyber incidents.
The operators of essential services also have to notify national competent authorities (national regulators) or specifically created Computer Security Incident Response Teams (CSIRTs) about incidents having a “significant” impact on the continuity of the services they provide. An incident can be classified as “significant” depending on the number of people affected by it, the duration of the incident, and the geographical spread (for example, whether the incident affects services in several branches of a bank). There will be some leeway for national regulators to develop guidelines for when exactly the incident needs to be reported.
The final text places a great deal of responsibility on the essential services providers. For example, even if a financial services company has outsourced its cloud computing services to a third party, the delegating entity still holds the primary responsibility for any data breach resulting from a cyber attack.
Some Cyber Coordination Across the EU
In addition to the service operators, Member States will be required to adopt a national NIS strategy defining the objectives and appropriate policy and regulatory measures in relation to cybersecurity (Article 5). Member States are also required to designate a national competent authority for the implementation and enforcement of the Directive, as well as to create CSIRTs that will be responsible for handling incidents and risks (Article 7).
The Member States need to compile a list of entities that are in the scope of the Directive, and to update the list every two years. If the operator of essential services, for example a bank, operates in several different Member States, the Member States will have to consult each other on how to handle possible cybersecurity incidents.
Interestingly, several parts related to cross-border cooperation have been deleted from the final legal text, for example Article 9 on a Secure Information Sharing System, Article 10 on Early Warnings, and Article 11 on Coordinated Response. The deletions indicate that several Member States wanted to keep cybersecurity policies as national competencies. On the other hand, the Directive also notes that Member States can adopt higher security standards than required by the NIS Directive, thereby allowing so-called national “gold-plating” (see, for example, Article 15a).
Bigger Role for pan-European Cyber Agency
The pan-European Agency for Network and Information Security (ENISA) will play a key role in many aspects of the Directive, particularly in relation to cooperation, which now becomes mandatory between the Member States, albeit in a limited form. ENISA will also provide the secretariat for the European CSIRTs Network to promote operational cooperation on specific cybersecurity incidents and to share information about risks.
Even before the agreement on the NIS Directive, ENISA had been keen to remind the financial services industry of the need to secure its online services against cyber attacks. In early December 2015, ENISA published a report on the usage of cloud services in the European banking sector. ENISA analysed the usage of cloud services in the finance sector and provided recommendations to financial institutions, regulators, and cloud service providers about what should be done to support the secure adoption of cloud services in the finance sector. The report notes that while cloud computing is gradually being adopted within the European financial industry, the vast majority of financial institutions (FIs) still rely on in-house infrastructure. The study recommends that FIs develop a cloud strategy to define their approach to cloud computing.
Public-Private Partnership on Cybersecurity
Following the political agreement on the NIS Directive, the text will now have to be formally approved by the European Parliament and by the Council, representing EU Member States. Once the formally adopted text has been published in the Official Journal of the EU, most likely in the first quarter of 2016, the Member States will have 21 months to implement the Directive into their national laws. After that, the Member States have six more months to identify operators of essential services.
The NIS Directive political agreement is important; however, the Commission noted that the work on improving cybersecurity is not over yet. The Commission has indicated its willingness to work together with the digital security and privacy industry in Europe, with the view of establishing a contractual public-private partnership on cyber security in 2016. The aim of the partnership would be to stimulate the competitiveness and innovation capacities of the industry to ensure that there will be a sustained supply of cybersecurity products and services. A public consultation and a policy Roadmap on the partnership were launched on 18 December, with responses due by 11 March 2016.
Finalization of the NIS Directive does not mean that the European cybersecurity saga is over. As the Directive has not been as prescriptive as many anticipated, we can expect the policy discussions to continue for years to come. The increased involvement of ENISA in the policy area also highlights how seriously European lawmakers take the security of information networks — this may mean increasing responsibility being placed on financial services entities in the future. CFA Institute will continue to monitor new rules on cybersecurity across the globe.