Cybersecurity in Finance
Getting the policy mix right
Sylvain Bouyon
Simon Krause
Report of a CEPS-ECRI Task Force
Chaired by Richard Parlour
Centre for European Policy Studies
European Credit Research Institute
Brussels
Published by Rowman & Littlefield International, Ltd.
6 Tinworth Street, London, SE11 5AL
www.rowmaninternational.com
Rowman & Littlefield International Ltd. is an affiliate of Rowman & Littlefield
4501 Forbes Boulevard, Suite 200, Lanham, Maryland 20706, USA
With additional offices in Boulder, New York, Toronto (Canada) and Plymouth (UK)
www.rowman.com
Copyright 2018 Centre for European Policy Studies
and Institute for Economic Research and Policy Consulting
Centre for European Policy Studies
Place du Congrès 1, B-1000 Brussels
Tel: (32.2) 229.39.11
E-mail: info@ceps.eu
Website: http://www.ceps.eu
Cover illustration: Shutterstock/vs148
The authors have asserted their rights to be identified as the authors of this work in accordance with the Copyright, Designs and Patents Act 1988.
All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without written permission from the publisher, except by a reviewer who may quote passages in a review.
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-1-78661-217-5 Hardback
978-1-78661-218-2 Paperback
978-1-78661-219-9 Ebook
The paper used in this publication meets the minimum requirements of American National Standard for Information Sciences, Permanence of Paper for Printed Library Materials, ANSI/NISO Z39.48-1992.
Printed in the United States of America
The European Credit Research Institute (ECRI) is an independent think tank that carries out research and contributes to the policy debate on financial services in Europe. It is managed by the Centre for European Policy Studies (CEPS), a leading think tank covering a broad range of policies in EU affairs.
This report is based on discussions in the CEPS-ECRI Task Force on Cybersecurity in Finance: Getting the policy mix right. The group met four times between September 2017 and May 2018 under the chairmanship of Richard Parlour, Principal at Financial Markets Law International. It was established by rapporteurs Sylvain Bouyon, Research Fellow and Head of Fintech and Retail Finance at CEPS and ECRI and Simon Krause, Visiting Researcher at CEPS.
The policy recommendations offered at the beginning of this report reflect a general consensus reached by Task Force members, although not every member agrees with every aspect of each recommendation. A list of Task Force members, observers and invited guests can be found in the Annex. The members were given the opportunity to comment on the draft final report, but its contents may only be attributed to the rapporteurs and do not necessarily represent the views of the institutions to which the members belong.
ABBREVIATIONS
CSIRT Computer Security Incident Response Team
DoS Denial-of-service
EBA European Banking Authority
ECB European Central Bank
ECRB Euro Cyber Resilience Board
ENISA European Union Agency for Network and Information Security
eIDAS Electronic identification, authentication and trust services
G-SIB Global systemically important bank
GDPR General Data Protection Regulation
IT Information technology
NCA National Competent Authority
NIS Network and Information Security (as in the NIS Directive)
PSD Payment Services Directive
PSP Payment service provider
SSM Single Supervisory Mechanism
FOREWORD
With the inexorable rise of e-commerce comes the inexorable rise of the e-criminal. Cybercrime is now the world's fastest growing crime. It has leapt to number two of the top ten business risks worldwide, from not even appearing in that list five years ago. For certain countries, cyberattack is now the risk of greatest concern. Gone are the days of concern about a low-level hack of a website by a script kiddie. Today's attackers are multi-faceted and increasing in sophistication, ranging from advanced persistent threats, corporate espionage, organised crime and hacktivists to cyberterrorists, ever more competent, and ever better funded. Cybersecurity has moved from being a technical issue to a political and boardroom issue. Financial markets are particularly important as they oil the wheels of all member state economies.
So what should the priorities of cybersecurity be? Is the rise of cybercrime so fast and extensive that we should be changing the focus more to one of cyber resilience? There are three core themes to address:
Governance (at all of organisational, international and national levels)
Risk Management (both contextually and intelligence driven)
Capability (cybersecurity by design and by default, using a standard framework applied to context)
There is a multitude of issues that the financial sector needs to address. Our Task Force has chosen to focus on certain key issues rather than attempt to produce an encyclopaedic tome. Any report can only represent a snapshot in time, and it will be particularly important to continue to communicate as technology and the threat advance. I hope that the work that our Task Force has undertaken in producing this report will make a valuable contribution to the advancement of cybersecurity policy and to the protection and safeguarding of the economies of the EU member states and the financial markets on which they depend.
Richard Parlour
Chairman of the Task Force
June 2018
EXECUTIVE SUMMARY
Amid several large cyberattacks in 2017, the European Commission adopted in September 2017 its multi-sector cybersecurity package. Whereas this initiative should contribute to strengthening the cyber-resilience and response of EU financial firms, several policy issues and unanswered questions remain. In order to analyse the issues that are considered to be relevant to financial fields (retail banking, corporate banking, capital markets, financial infrastructure and insurance), CEPS-ECRI organised a Task Force between September 2017 and May 2018 with a group of experts from the financial industry, tech industry, national supervisors and European institutions, as well as from one consumer association and one law firm.
Nine policy issues need to be further addressed in order to bolster the financial industry's cyber-resilience against current and future threats. These issues are itemised below, followed by a more in-depth discussion of each issue.
Main policy recommendations
Convergence in the taxonomies of cyber-incidents is needed.
The framework for incident reporting needs to be greatly improved to fully contribute to the cyber-resilience of financial firms.
Authorities should assess how and to what extent the data held by the centralised hub should be shared with supervisors, firms and clients.
Ambitious policies are needed to develop consistent, reliable and exploitable statistics on cyber-trends.
Best practices for cyber-hygiene should be continuously enhanced by regulators and supervisors.