
29 August 2023

AFME: The EU's Cybersecurity Agenda: Coherent or Chaotic?


The question, however, is whether each of these initiatives is effectively aligning with the others, or whether EU officials are tripping over each other in the rush to get files over the line ahead of next year’s elections.

In the digital age, the creativity of cyber criminals requires constant vigilance. Banks are conscious that they remain the number one target for cyber-attacks. Therefore, the European Union’s focus on cybersecurity is both welcome and acutely needed.

The intention to embed cybersecurity into the various aspects of financial regulation, including risk management controls, supervisory stress tests and incident management, will ensure a holistic approach which best protects the stability of financial markets.


 

What is currently at play?

Cybersecurity has been a priority for the outgoing Commission and, in the realm of financial services, this focus was one of the drivers behind DG-FISMA’s DORA, the EU’s milestone Digital Operational Resilience Act. The Regulation harmonises the operational risk landscape for financial entities and encompasses cybersecurity, albeit partially on a voluntary basis.

Alongside the sectoral overhaul, financial services are affected by the cross-sectoral cybersecurity package coming out of DG-CNECT, which is underpinned by the technical cybersecurity certification schemes.

Moreover, cyber risk has increasingly become an area of focus for supervisors, including the ECB, in assessing the resilience of market participants, with Threat Led Penetration Testing (TLPT) providing real-time simulations of cyber threats and a firm’s response capabilities.

The overall framework is comprehensive, and the level of ambition laudable, but there are serious concerns across the industry regarding the practical implementation of these well-intended proposals.

 

Why the cause for concern?

While the Commission is aware of the risks of duplication and overlap, its approach has not been consistent, and the incoming Cyber Resilience Act has caused significant worry across the industry.

At first glance, this piece of product regulation could neatly sit in parallel to the entity regulation under DORA. However, the commercial reality is not so straightforward.

Many financial services firms today offer products and services via technology systems and applications which could be captured under both frameworks. The Cyber Resilience Act proposal in fact makes explicit reference to banking apps as one example. Yet this ‘product’ is very different from a good which is sold to a consumer, after which the provider or merchant relinquishes control. Instead, a bank would retain control over such applications and be responsible for ensuring that security and software updates are reviewed and installed. The application would, therefore, already be covered by the existing DORA requirements, rendering the CRA superfluous.

Within the EU institutions, some do not believe that this overlap is overly worrying. They perceive that, since checks are already taking place, any additional burden would be limited. Such thinking fails to recognise that a single “service offering” can have hundreds of applications and processes sitting under it. The resourcing burden of any duplication in cybersecurity measures is therefore significant, and also ever increasing, as cyber controls and testing continue to become more extensive. While firms are repeatedly addressing the same cyber risk, they are impeded from devoting time and effort to tackling new cyber threats.

In an emerging area such as cyber, firms must retain the capacity to respond to arising threats, and the increasing regulatory load is constraining EU financial firms’ agility.

 

AFME



© AFME
