EU supervisors propose writing operational resilience and cybersecurity standards into EU financial services law

The more that financial services rely on technology, the more the sector is exposed to cyber risks. But the rules on how firms should manage these risks differ in detail, scope and terminology between different countries and sectors. European supervisors are now suggesting legislative changes to harmonise EU rules in this area.

The proposals include:

  • Adding to existing laws: amending certain EU directives (e.g. CRD V, PSD2, AIFMD, Solvency II) to include specific references to operational resilience and/or cybersecurity
  • Oversight of the cloud: introducing a new oversight framework for third parties that provide critical services to the financial sector e.g. cloud service providers
  • Cyber tests: in the longer term, conducting EU-wide cyber resilience testing in the form of threat-led penetration testing.

The proposals are set out in two pieces of joint advice – on IT risk management rules and cyber resilience testing framework – presented to the European Commission. 

The advice comes from the three EU supervisors responsible for overseeing different parts of the financial services sector: the EBA (banking), EIOPA (insurance) and ESMA (securities markets).

Adding to existing laws

In their joint advice, the supervisors agree that financial services firms should manage IT risks, including cybersecurity risks. This means having in place appropriate governance, operational and control measures to mitigate those risks arising from technology.

However, they also agree that operational resilience goes beyond managing these risks. This is because in their view it is inevitable that sometimes technology will fail and that security systems will be breached (see our publication on operational resilience in the financial sector).

The supervisors’ joint advice summarises how different parts of financial services regulation deal with IT risks in different ways. Rules on IT and security risk management are explicit in some EU legislation (e.g. PSD2 for payment institutions), implicit in others (e.g. CRD for banks) and absent from others. And different EU Member States have taken different approaches too. Some have issued voluntary guidance in this area while others impose mandatory standards.

In response, the supervisors suggest to the Commission that new articles should be included in EU directives such as CRD, PSD2 and Solvency II, as well as in upcoming changes to the prudential regulation of investment firms (known as the IFR). These new provisions would refer to operational resilience as a requirement for the existing rules on governance. Specific obligations on cybersecurity and incident reporting would also be added to securities markets legislation.

Oversight of the cloud

The UK regulators and the Financial Stability Board have previously flagged their concerns about the financial sector outsourcing some services to a relatively small pool of third parties. This results in concentration risk where a technology failure or breach at one service provider could impact a significant part of the financial services market. 

In their advice, the European supervisors make a similar point and call on the Commission to put forward legislation on the oversight of critical service providers. Any new framework would initially be most relevant for cloud service providers. At this stage there is no suggestion of how “critical” should be defined for this purpose or which authorities would be responsible for overseeing the activities of those service providers.

Cyber tests

In separate advice, the supervisors consider the cost-benefit analysis of implementing a cyber resilience testing framework. The supervisors recognise that cybersecurity risks threaten the stability of the EU financial system. They suggest that in the long-term the aim should be to have a coordinated threat-led penetration testing framework across the EU. But, in the shorter term, the message from the supervisors is that individual firms should be responsible for their own cyber resilience testing.

Background

The supervisors were asked to provide their advice as part of the Commission’s EU Fintech Action Plan (see our blog on the Commission’s plan).