Cyber risk and regulation for European banks
Building resilience to cyber risk is a rapidly growing priority for regulators
This report, written by the ECRS in conjunction with the Cyber Risk Practice, explains why banks in Europe should expect a growing level of scrutiny from authorities in how they deal with cyber risk, and greater pressure to demonstrate that they are addressing emerging regulatory concerns in a timely way. Taking steps now to get ahead of the game will be crucial for clients.
- Considerations and challenges
- Areas of regulatory focus
- The regulatory horizon
- Next steps for banks
- More information?
Considerations and challenges
Almost three quarters of the G20 Financial Stability Board’s members have indicated that in 2018 they intend to release new standards or supervisory initiatives on financial services cyber security. In doing so, regulators are clearly signaling that they see a need to be involved in shaping cyber resilience for the sector.
Even though banks are heavily investing in how they deal with cyber risk, the growing interest of regulators could mean that banks will have to modify their activities to suit the different priorities or pace authorities set.
Regulators face the challenge of operating in an almost entirely new and technologically complex environment. The regulatory framework, therefore, in most jurisdictions, is constantly evolving. Among the work already underway, three considerations stand out as key going forward:
- Bank stability
- System-wide risks
- A greater ambition for resilience
As regulators further develop their framework for strengthening cyber resilience, we see a number of cross-cutting challenges that they must address in order to ensure that new standards and expectations can be effectively applied. Two of the most pressing challenges are: how to codify standards for cyber resilience that can keep pace with the rapid evolution of technology and cyber risks; and whether regulators should develop internationally consistent rules for banks that have significant operations spread across multiple jurisdictions.
Three areas of regulatory focus for cyber resilience
As regulators get to grips with the nature and complexity of cyber threats, their approach to identifying unacceptable risks and desired responses by banks will become more sophisticated.
Jurisdictions that demonstrate regulatory good practice in cyber resilience are likely to be copied by other jurisdictions seeking solutions that are demonstrably working. In this respect, taking stock of what has already happened is instructive in determining what the banking sector can expect next.
Three areas of regulatory focus for cyber resilience stand out:
- Cyber risk identification: regulators are increasingly focused on the ability of a bank to understand and map its exposure to cyber risk.
- Cyber risk governance: scrutiny of governance is growing, taking a whole-of-bank approach to minimising and responding to cyber risk.
- Cyber risk resilience: significant progress has been made on developing a supervisory toolkit for testing the cyber resilience of individual institutions.
What's on the regulatory horizon?
We expect regulators in European jurisdictions to pursue a combination of the following measures:
- Communicate clearer standards for the level of cyber resilience.
- Assess where firm-specific enhanced supervision or enforcement action will be necessary.
- Scrutinise the timeliness and effectiveness of firms' breach reporting procedures.
- Increase pressure on bank Boards to demonstrate that they are able to provide effective challenge to their management teams.
- Encourage the development of more sophisticated approaches to quantify cyber risk.
- Take firm-specific supervisory decisions to require additional capital to be held in the form of Pillar 2 buffers.
- Run an increasingly mature programme of resilience testing.
- Examine barriers to the sharing of real-time threat intelligence between firms.
Next steps for banks
Executives with responsibilities for cyber and IT in banks need to anticipate what these regulatory and supervisory developments mean for their organisations and make decisions now on how best to align their cyber resilience activities and investments with them. Those in other roles, including internal audit functions and Board members, will also need to gain a better understanding of what to do next.
There are a number of key actions that need to be owned by Chief Risk Officers (CROs), Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Chief Operating Officers (COOs) and other executives in relevant functions. These include the following:
- Engaging early
- Thinking globally
- Measuring exposure
- Getting the right talent
- Establishing clear accountability
- Improving recoverability
Do you want to know more about regulation in cyber security for banks? Please contact Harmen Meijnen or Rob Stout via the contact details below.