2018 will be an important year for the regulation of cyber resilience in banks. Indeed, almost three quarters of the G20 Financial Stability Board’s members recently indicated that they intend to release new standards or supervisory initiatives on cyber security in the year ahead. As part of this drive, regulators are not only likely to clarify their expectations for the level of cyber resilience they expect to see in banks, but they will also begin to intervene more actively when they observe deficiencies.
As regulators get to grips with the nature and complexity of cyber threats, their approach to identifying unacceptable risks and desired responses by banks will also become more sophisticated. Banks should consequently expect a growing level of scrutiny of how they deal with cyber risk and increased pressure to demonstrate that they are addressing emerging regulatory concerns in a timely way. To add to these demands, the potential for key jurisdictions to adopt materially different approaches to cyber regulation will also present challenges. It is therefore crucial that senior risk and information officers at banks as well as Boards get an early handle on how the cyber regulatory framework is evolving and consider how best to respond.
In a report released this week by Deloitte’s EMEA Centre for Regulatory Strategy, we explore a number of steps that banks can take now to get ahead of the game as cyber risk and resilience comes to the fore in banking regulation.
A complex international regulatory landscape
One of the biggest challenges in cyber regulation that executives at internationally-active banks often point to is the sheer number of rules and procedures related to cyber that are emerging in jurisdictions where they operate, and the lack of alignment between many of them.
The ‘WannaCry’ ransomware attack in May 2017, infecting over 200,000 systems in more than 150 countries in less than a day, demonstrated the immediate global impact that a single coordinated cyber attack can have. Cyber risks, and the system-wide spillovers associated with those risks crystallising, are not limited by national borders and their spread cannot be easily controlled by national laws or authorities working in isolation, particularly not in the financial sector.
Equally, from a bank’s perspective, emerging regulatory regimes for cyber resilience that develop unevenly create the potential for overlaps and gaps. This could give rise to significant complexity and costs, which may even unintentionally weaken banks’ efforts to defend against cyber attacks in future.
There is, as a result, a strong need for a global framework to lay the groundwork for creating complementary national or regional cyber standards that minimise overlaps and gaps. Some important advances have already been made, particularly through the ‘Fundamental elements of cybersecurity for the financial sector’ agreed by the G7 in 2016, but much still remains to be done.
This, however, is an area where the level of regulatory integration in the EU presents an opportunity. In fact, European banks may soon be at the forefront of efforts to put in place a working template for how cross-border coordination on the regulation of cyber risks can function effectively and reduce the sector’s vulnerability to the spread of cyber threats.
The European Commission’s upcoming release of its long-awaited FinTech Action Plan looks likely to set a number of initiatives in motion which could ultimately lead to EU-wide guidelines that encourage convergence in the regulatory approach to IT risk management and cyber resilience testing. Solutions may also be forthcoming that address the barriers limiting real-time information sharing on cyber threats among authorities and financial market participants.
What banks can do now
Boards and executives with responsibilities for cyber and IT in banks will need to evidence that they understand clearly the cyber vulnerabilities across their global groups and have put in place effective organisation-wide responses to them. As part of this, it is crucial that they are in early contact with their supervisors to discuss their emerging concerns and better understand how their bank’s cyber risk management practices can strike an equilibrium between commercial priorities and a supervisory view of good practice.
Given the challenges regulators and supervisors themselves face in grappling with the complexity of cyber risks as a relatively new competency area, these interactions will often be mutually beneficial.
To learn more about how banks can respond to the new regulatory interest in cyber – including the six actions that we see as critical for bank executives to take now – read our new report, Cyber Risk and Regulation in Europe: A new paradigm for banks, where we look at these issues in more depth and give our views on what we expect regulators to do next.