
In April, the Joint Committee of the European Supervisory Authorities (ESAs) published their advice to the European Commission on the strengthening of EU cyber and IT security regulation in the financial sector.

These recommendations are an early signal of what we believe will be increased activity by EU financial authorities on cyber risk from 2020 onwards. Going beyond cyber risk, they show an interesting convergence of thinking with UK authorities in recognising that all forms of IT operational disruptions increasingly threaten the stability of the financial sector. The recommendations also note that the emergence of various approaches to cyber and technology risk across countries in the EU could benefit from added facilitation, harmonisation and cooperation. While a number of regulatory challenges could arise from a strengthened EU approach to cyber risk in the financial sector, greater alignment between countries in addressing this risk area should be welcome news for cross-border financial services firms.

What was published?

The ESAs’ recommendations came in two documents, with the first focusing on legislative improvements that can be made to EU law to strengthen financial authorities’ ability to address risks arising from cyber and IT threats, and the second looking at the pros and cons of establishing an EU-wide cyber resilience testing regime for financial firms.

Both documents were requested by the Commission in its March 2018 Fintech Action Plan, and both essentially amount to a menu of options for the Commission’s future cyber and IT security agenda. The focus on future legislative work is very important at this stage given that European Parliament elections in May and a newly installed European Commission taking office in November 2019 will lead to a significant agenda refresh for European policymakers later this year. It has been clear for some time that EU officials see cybersecurity as one of their top financial services priorities going forward. The ESAs’ recommendations are designed to help the Commission’s new leadership build a legislative agenda prioritising the initiatives that are most pressing.

As such, the ESAs’ recommendations should be seen as an important first step in what could become a multi-year process of developing an EU-level framework for the regulation of cyber risk in the financial sector.

The ESAs’ recommendations to the Commission

The ESAs (comprising the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA)) proposed initiatives that range from small tweaks to existing EU laws to more ambitious initiatives that could have significant implications for how financial institutions manage cyber and IT risk.

Arguably, the most important of the projects called for by the ESAs was for the Commission to develop an EU oversight framework for third party providers active in financial services with a particular focus on cloud service providers (CSPs). Here, the ESAs focus on concentration risk among CSPs and the vulnerabilities that this could create in financial markets, noting that: ‘there are concerns that the interconnectedness of CSPs in the financial system could be a single point of failure if one were to be subject to a serious breach’. This is familiar language to hear from financial regulators when discussing large banks or market infrastructures, but is an important new signal that EU authorities increasingly see certain non-financial entities as potentially systemic actors in the market. This also mirrors the UK Financial Policy Committee’s statement in late-2018 that it would begin close monitoring of financial sector risks associated with CSPs and recent moves by Switzerland’s Financial Markets Supervisory Authority to begin carrying out on-site inspections of third party outsourcing partners. Concerns around whether financial supervisors have the power to oversee the activities of CSPs have historically contributed to their reluctance to allow systemically important firms to move core functions onto the cloud.

Given that there is currently no basis in EU law for European authorities to address third party concentration risk in the financial sector directly, the ESAs recommend the Commission take legislative action to remedy this. The ESAs suggest doing further work on a framework that would determine, among other things, when certain providers would be considered ‘critical’, and designate the authorities that would be responsible at the national or EU level to supervise them.

Bringing CSPs into the financial supervisory realm will be no easy task, either legislatively or practically. In our view, there will be a number of challenges in designing an effective oversight framework for this purpose, particularly when authorities confront the question of how supervision can be meaningfully carried out for CSPs without having any corresponding control over their authorisation. In this respect, it is surprising to see that the ESAs have not suggested creating an authorisation regime as part of this framework. It may also prove difficult to understand what constitutes the EU activities of CSPs and isolate those from the rest of their operations for the purposes of EU oversight.

Another interesting recommendation from the ESAs comes in their paper on developing an EU-wide framework for testing the cyber resilience of important financial institutions. This is an area where considerable work has already been done by some national authorities, and most recently by the European Central Bank (ECB). In 2018, the ECB developed standards for Threat Intelligence-based Ethical Red-Teaming (called TIBER-EU) to be adopted voluntarily by EU Member States to carry out cyber penetration testing on financial firms (read our earlier blog on TIBER here). Since then, a number of countries have indicated that they are planning to begin such testing programmes in the next few years based on the ECB’s framework. Given this progress, the ESAs do not recommend any significant break from the TIBER-EU path in the short term, and even offer their assistance to help facilitate the consistent adoption of TIBER programmes in Europe, but they do request an explicit mandate from the Commission to explore more permanent solutions in the longer term. This raises the prospect of the ESAs and the Commission eventually looking to put in place an EU-wide regime for cyber risk testing with a stronger legal footing whose participation might be mandatory and whose scope and terms could be set by the EU rather than at national levels.

In addition to the two initiatives above, the ESAs also recommended making a number of targeted amendments to existing EU legislation covering banking, payments, insurance and markets, where the management and governance of cyber risk and operational resilience are implicitly covered, but could be referenced more explicitly. Both the EBA and EIOPA have further indicated that they would like to issue additional Guidelines on how national authorities should interpret the IT resilience aspects of laws such as the EU Capital Requirements Directive and Solvency II.

The ESAs also recommend that the Commission consider changes that could harmonise the various existing IT incident reporting frameworks, including those under the General Data Protection Regulation, the Network Information Security Directive and the ECB’s cyber incident reporting framework for banks and financial market infrastructures. Such harmonisation could include legislative fixes to standardise the taxonomies and templates used by the frameworks, their reporting timelines, and also address any overlaps or other inconsistencies between them.

A foundation for a future EU legislative agenda

The ESAs’ reports are recommendations to the European Commission, and it will be for the next Commission to decide whether and, if so, how to reflect them in its legislative proposals. That said, they are an important indicator of the direction of travel that EU authorities can be expected to take on cyber and IT risk in the coming years.

Financial regulators in some countries are more advanced than others in the development of cyber and IT resilience standards for financial firms. The Netherlands, for instance, has been the Eurozone’s leader on the development of a TIBER testing regime for the financial sector. UK authorities have published some of the most advanced thinking about how the operational resilience of firms could be supervised (and as mentioned above, it is interesting to see the ESAs adopt the broader concept of ‘operational resilience’ rather than narrowly refer to cyber and IT risks). Nevertheless, EU authorities usually view inconsistent national practices as ripe territory for regulatory initiatives that bring consistency to rules in the EU Single Market. All of this potentially puts operational resilience at the top of the agenda of the EU’s next Commissioner for Financial Services.

Some of the ESAs’ recommendations, such as harmonising IT incident-reporting practices, will likely be seen as commonsense upgrades for EU authorities to make relatively early in the Commission’s new mandate. Others, such as an oversight framework for CSPs, will require considerably more study. Although the Commission’s work on initiatives such as CSP oversight could begin quite soon, public consultations, more detailed advice from the ESAs, and a longer legislative drafting period would push back an actual legislative proposal by several years. These proposals could also prove to be quite controversial with many countries and industry actors and, as such, may take some time to make their way through political negotiations.

Not all controversy is bad, however, and some of these issues do merit a robust debate at the European level. The next Commission’s mandate will run for five years, from 2019 to 2024, and not all of its initiatives will come at the same time. Anyone wishing to understand what to expect from Brussels on operational resilience in the financial sector over the next half-decade should give the ESAs’ recommendations a careful read.



David Strachan – Partner, Head of EMEA Centre for Regulatory Strategy

David is Head of Deloitte’s EMEA Centre for Regulatory Strategy. He focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the FSA, where in his last role, Director of Financial Stability, he worked on the division of the FSA into the PRA and the FCA.



Simon Brennan – Director, Centre for Regulatory Strategy

Simon is a Director in Deloitte’s EMEA Centre for Regulatory Strategy, specialising in prudential regulation for banks. Simon joined Deloitte after 11 years at the Bank of England, where he worked in a number of areas covering macro and micro prudential policy, and financial institution risk assessment.



Scott Martin – Senior Manager, Centre for Regulatory Strategy

Scott is a Senior Manager in the Centre for Regulatory Strategy advising on international banking regulation, with a particular focus on bank capital, strategy, cyber risk and public policy-making processes. Scott is also the host of Deloitte's financial services podcast Regulated Radio. Before joining Deloitte in 2015, he worked in Brussels as an EU regulatory strategist advising a number of global banks and other financial institutions. He is a graduate of the London School of Economics and previously worked as a political advisor to Canada’s Minister of Finance and Minister of Foreign Affairs.



Quentin Mosseray – Senior Associate, Centre for Regulatory Strategy

Quentin works in Deloitte's Centre for Regulatory Strategy. The Centre's work focuses on the strategic impact of financial regulation for firms. Quentin's work in the Centre focuses on insurance regulation and cyber regulation.
Prior to joining the Centre, Quentin completed an LL.M in law & economics, and has a degree in international relations, with a heavy focus on international law and international trade.

