
On 8 March 2018, the European Commission published its FinTech Action Plan with the aim of encouraging the European Supervisory Authorities ("ESAs") to recommend to the Commission improvements that can be made to the existing supervisory practices across financial sectors around ICT security and governance requirements.

As a consequence of the increasing reliance on Information and Communication Technology (ICT) in the provision of financial services and in entities' normal operational functioning, the three ESAs have welcomed the Action Plan.

The European Banking Authority's ("EBA") proposals for banking and payments include the following legislative changes:

  • New articles in the Capital Requirements Directive and the revised Payment Services Directive on operational resilience as a requirement relating to governance to address the global interdependence and reliance on technology in the financial sector.
  • The new articles should include an explicit mandate for the EBA to draft guidelines on operational resilience and ICT and security risk management for institutions.

Proposals from the European Insurance and Occupational Pensions Authority ("EIOPA") within the insurance sector comprise:

  • A new provision for the Solvency II Directive should be considered which also makes operational resilience a requirement relating to governance.
  • The publication of proposed Guidelines which incorporate the specific ICT security risks in the risk profile of (re-)insurance undertakings.
  • The development of a new chapter for the Supervisory Handbook on how to supervise ICT security and governance requirements.

Within the securities markets, the European Securities and Markets Authority ("ESMA") has proposed that the Commission should consider introducing specific references to cybersecurity in the areas of legislation that do not contain such references, and that incident reporting requirements should be introduced within these areas.

The ESAs have also set out a joint proposal to streamline existing incident reporting requirements. This aims to clarify any overlapping provisions from cross-sectoral legislation such as the Network and Information Security Directive and the GDPR, and will also standardise reporting templates, taxonomy and timeframes. Additionally, it will help avoid inconsistencies in the reported information and will facilitate better operational resilience and business continuity by aiding smooth and efficient interactions between authorities and computer security incident response teams. To further this aim, the ESAs have proposed that the Commission should also consider facilitating the development of harmonised templates and a uniform taxonomy of commonly used terms amongst the different systems.

There has been an additional joint proposal by the ESAs for the Commission to consider a legislative solution for an appropriate oversight framework for monitoring the activities of critical third party providers affecting the relevant entities. Certain entities are increasingly making use of third party providers, particularly for ICT services, to remain competitive and to respond to consumer demand. This has led to an increased concern about these third parties' operational resilience, especially their cyber vulnerabilities.

Cloud service providers ("CSPs") are one type of ICT services provider that are becoming increasingly common in the EU financial sector. Because only a limited number of companies dominate cloud provision in the financial services sector, there is large concern over their interconnectedness: what would happen if one CSP were to be subject to a serious incident, simultaneously affecting multiple financial services firms? An oversight framework would provide a useful template to monitor the risks stemming from third party providers. However, it should be noted that this framework should not detract from the micro-prudential responsibilities of relevant entities to monitor the risks to which they are exposed.

The FinTech Action Plan is a significant breakthrough in the development of EU financial services policy and illustrates that technological innovation will be at the forefront of the EU's future financial services policies.

Further information can be found here.

Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London

Cat Dankos
Regulatory Consultant, London
