Cyber risk and regulation in Europe
A new paradigm for banks
Building resilience to cyber risk in banks is a rapidly growing priority for regulators. The Deloitte EMEA Centre for Regulatory Strategy's report explains why banks in Europe should expect growing scrutiny from authorities of how they deal with cyber risk, and greater pressure to demonstrate that they are addressing emerging regulatory concerns in a timely way. Taking steps now to get ahead of the game will be crucial.
Regulators face the challenge of operating in an almost entirely new and technologically complex environment. In most jurisdictions, the regulatory framework is therefore constantly evolving. Among the work already underway, three considerations stand out as key going forward:
- Bank stability: regulators are increasingly concerned about the overall stability implications of a successful major cyber-attack targeting a bank. Consumer data protection will remain an important focus, but cyber risk threatening the ability of a bank to continue to provide critical functions will lead regulators to broaden the scope of threats and vulnerabilities that they examine.
- System‑wide risks: as cyber risks begin to pose a greater danger to bank stability, the risk of contagion to other banks and financial services firms is also gaining more attention. Crucially, this has also led regulators to focus on threats arising from links with financial market infrastructures (FMIs) and third-party service providers.
- A greater ambition for resilience: leading jurisdictions are now moving towards putting in place a regulatory and supervisory framework with baseline standards that will challenge banks to be more ambitious in pursuing their cyber defenses and resilience.