With the rise and rise of e-commerce comes the rise and rise of the e-criminal. Cybercrime is now the world’s fastest growing crime.
It has leapt to number two of the top ten business risks worldwide, from not even appearing in that list five years ago. For certain countries, cyberattack is now the risk of greatest concern.
Gone are the days of concern about a low level hack of a website by a script kiddie.
Today’s attackers are multi-faceted and increasing in sophistication, ranging from advanced persistent threats, corporate espionage, organised crime, and hactivists to cyberterrorists.
Cybersecurity has moved from being a technical issue to a political and boardroom issue. Financial markets are particularly important as they oil the wheels of all Member State economies.
So what should the priorities of cybersecurity be? A preliminary survey revealed six priorities, of which the first five were confirmed to be addressed by the EU Task Force on Cybersecurity Policy in the EU Financial Sector:
- Cooperation, coordination and consistency in cybersecurity needs to be improved, cybersecurity capacity reinforced and the robustness of the regulatory framework enhanced;
- An EU labelling scheme for ICT security products should be considered. Currently there is little transparency of product capability, little if any security built into products, and even if it has been, the default position is often for security to be turned off;
- Data breaches: GDPR will fundamentally change the EU data environment, but much remains to be clarified in practice;
- Recommendations as to how to harmonise rules, standards and guidelines for clouds and data location are needed;
- Recommendations are needed for policies to develop a balanced digital authentication system that strikes the right balance between security and consumer convenience.
- Blockchain and its application to cryptocurrencies and ICOs are developing rapidly, though regulation is lagging far behind: policies are needed to exploit the technology yet alleviate the related risks;
As the Task Force debated the above strands, the following recommendations arose:
- Convergence in the taxonomies of cyber-incidents is needed;
- The framework for incident reporting needs to be significantly improved to fully contribute to the cyber-resilience of financial firms;
- Authorities should assess how and to what extent the data held by the centralised hub should be shared with supervisors, firms and clients;
- Ambitious policies are needed to develop consistent, reliable and exploitable statistics on cyber-trends;
- Best practices for cyber-hygiene should be continuously enhanced by regulators and supervisors;
- The European Cybersecurity Certification Scheme needs to be strengthened to contribute better to cybersecurity, cyber-risk management and capability;
- In order to improve the processes of attribution and extradition, the reinforcement of cross-border cooperation and legal convergence remains a priority, both within the EU and more widely;
- Best practices in remedies in case of cyberattacks need to be further encouraged;
- Policy-makers should further assess the pros, cons and feasibility of creating an emergency fund in case of large cyberattacks.
A combination of the above entails the concept of cybersecurity being replaced by the concept of cyber resilience.
The Task Force report contains lots of detailed information as to how financial institutions should address the above.
It was released on 7 June, and can be found here.
About the author: Richard Parlour is the founder of Financial Markets Law International and Chairman of the EU Task Force on Cybersecurity Policy for the Financial Sector.