Cybersecurity regulation – what’s on the menu?
September 2013 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
The protection of electronic data and IT systems against theft and compromise is a rapidly increasing challenge for all businesses, but in particular for those (such as financial institutions) which are heavily reliant on networks and IT services to conduct their day-to-day operations.
Cyber threats have grown in frequency and magnitude, and become more technologically sophisticated and diverse in nature. The European Commission recently pointed to estimates that 150,000 computer viruses are in circulation and 148,000 computers are compromised daily. In the banking sector alone, McAfee reported that fraudsters using malware, and replicating the same scheme in several countries, have attempted to steal up to €2bn from accounts in Europe and the Americas.
However, the implications for financial institutions do not stop there. The hack of the Associated Press’s Twitter feed earlier this year, resulting in bogus posts about an explosion at the White House, caused significant short-term changes in the stock market, with the potential for market abuse.
Against this background it is unsurprising that authorities have increased their focus on legislative, regulatory, and standards-setting measures to tackle the growing problem. In this article, we look at EU and US developments in particular, and some of the implications for financial institutions.
EU legislative developments
On 7 February 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, published a cybersecurity strategy (Cyber Security Strategy of the EU – An Open, Safe and Secure Cyberspace) along with a proposed Directive on network and information security in the European Union.
While the EU has previously addressed the issue of cybersecurity, the strategy is the first comprehensive document produced by the EU in this area. It represents the EU’s vision on how best to respond to growing cyber attacks, articulated in five priorities: (i) achieving cyber resilience; (ii) drastically reducing cyber crime; (iii) developing cyber defence policy and capabilities; (iv) developing the industrial and technological resources for cyber security; and (v) establishing a coherent international cyberspace policy for the EU.
The accompanying proposed directive is a key tool by which the EU seeks to progress these aims. It has three key components. The first and second components propose: (i) the set-up and development of national frameworks and strategies on network and information security at member state level; and (ii) a cooperation network involving the European Commission and each member state’s ‘competent authority’ to share information on cyber threats, and to coordinate responses to them at an EU level.
However, it is the third component which would most directly impact financial institutions. This component envisages specific security and notification requirements for ‘market operators’ providing services within the European Union. Market operators is defined to include ‘information society service providers’ – itself a broad concept in EU legislation, potentially encompassing any provider of an online service. However, the definition also specifically references credit institutions in the banking sector, and stock exchanges and central counterparty clearing houses in terms of financial market infrastructure, as well as e-commerce platforms and internet payment gateways.
If the directive is implemented, such market operators would be required to put in place appropriate technical and organisational measures (likely to be a framework determined at EU level) to manage the risks posed to their business, particularly with respect to their core services. In addition, market operators would be required to notify the competent authority in their member state of any incidents having a significant impact on the security of the core services they provide.
A ‘competent authority’ would have: (i) investigatory powers to check that the market operator’s internal business procedures meet the standards of the EU framework; (ii) the ability to inform the public of a cybersecurity incident, where deemed to be in the public interest; and (iii) the ability to impose sanctions on the market operator for failure to comply with the proposed directive.
It is unclear when the proposed directive will be finalised. It has proved controversial already with member states voicing concern over the cost and obligatory nature of the proposed directive (see the European Council progress report of 28 May 2013). As such, it seems unlikely to be finalised this year, with 2014 or 2015 more likely.
In any event, once agreed, member states would have 18 months from publication to implement the proposed directive, meaning that the EU is unlikely to have a harmonised cybersecurity regime in place at EU level before 2016 at the earliest.
US legislative developments
On 12 February 2013, President Obama’s Executive Order, ‘Improving Critical Infrastructure Cybersecurity’, set in train the development of a new US cybersecurity framework.
Describing cybersecurity as “one of the most serious national security challenges” the US must confront, the Executive Order directs federal agencies to engage with the private sector on a number of fronts. Of these, the most notable for financial institutions is likely to involve the introduction of baseline standards for cybersecurity and greater information-sharing about cyber threats.
The Order’s proposal for information-sharing (‘Enhanced Cybersecurity Services’) envisages enhanced efforts by the US government to share timely cyber threat information to a broader group of businesses than the current defence-industry base. This would be with the expectation that those businesses would then take action when provided with such information. Enhanced Cybersecurity Services would involve participation from businesses in critical infrastructure sectors, including the financial services sector.
The proposal for the introduction of baseline standards for cybersecurity envisages a new ‘Cybersecurity Framework’ compiled by the National Institute of Standards and Technology (NIST) which would become a baseline against which the corporate cybersecurity programs of businesses operating in the US would be measured. The Cybersecurity Framework would include a set of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risk; it would also include performance metrics to measure a business’s implementation of the framework.
Since the Order was made in February, the NIST has actively organised workshops in which to consult with businesses on the proposed Cybersecurity Framework and anticipates publishing a preliminary framework for public comment on 10 October this year.
Impact on banking sector
The US and EU legislative proposals on cybersecurity raise a number of implications for financial institutions and other parts of the sector.
A key implication is the increased compliance costs involved in meeting any new legislative requirements – a sticking point for financial institutions which in the past few years have already had to address a substantially increased regulatory burden.
Linked to the issue of cost is the further implication of complying with two sets of framework standards and legislative regimes with respect to cybersecurity. The global reach of most large-scale financial institutions, both in terms of market presence and information technology infrastructure, makes the task of devising a consistent corporate standard on cybersecurity which can seamlessly be compliant in the EU and the US, a challenging one.
There are other implications too. In the US, any proposal for information sharing between businesses about cyber breaches brings into focus the question of how a business might do so, without prejudicing its own confidential information. Antitrust, privacy, and liability protection are other areas of potential concern.
Meanwhile, in the EU, the requirement for financial institutions to notify the ‘competent authority’ of a security breach has reputational implications – particularly as the competent authority may inform the public. At a time when the issue of cybersecurity is becoming more prominent in the media, financial institutions can ill afford the reputational impact of a highly publicised security breach.
It is also unclear how the EU’s proposed directive will interact with the EU’s proposed data protection regulation. The European Data Protection Supervisor, Peter Hustinx, made this point in a paper he published on 17 June 2013. In it he highlighted that the directive does not address the relationship between security obligations under it and those in other EU legal instruments. The directive also fails to address the level of confidentiality and security to be applied to information (particularly personal data) received by the competent authorities under the new notification procedure. It remains to be seen how these issues will be resolved.
It remains to be seen precisely what frameworks and regulatory measures will be adopted in the US and EU, and indeed elsewhere. Indeed, now is the time for institutions and relevant industry bodies to engage so as to shape the legislation and measures being developed.
What is for certain is that the procedural and technical measures that were reasonable and prudent in the recent past for financial institutions are unlikely to meet customer, regulator and investor expectations in future.
Mark Taylor is a partner and Alexandra Grundy is an associate at Hogan Lovells. Mr Taylor can be contacted on +44 (0)20 7296 2000 or by email: firstname.lastname@example.org. Ms Grundy can be contacted on +44 (0)20 7296 2000 or by email: email@example.com.
© Financier Worldwide
Mark Taylor and Alexandra Grundy