GreySpark Partners, the capital markets consultancy, warned that the lack of a cybersecurity plan will not be tolerated by many regulators as the European Union has adopted the first EU-wide rules on cybersecurity this week.
Yesterday the European Parliament voted to adopt the Directive on Security of Network and Information Systems, or NIS Directive.
Vice president Andrus Ansip said in a statement: “The directive requires companies in critical sectors – such as energy, transport, banking and health – to adopt risk management practices and report major incidents that can affect the Digital Single Market to their national authorities which will, in turn, be able to carry out better capacity building with greater crossborder cooperation inside the EU. It also obliges online market places, cloud computing services and search engines to take similar security steps.”
The European Commission said at least 80% of European companies have experienced at least one cybersecurity incident over the last year and the number of security incidents across all industries worldwide rose by 38% in 2015.
Commissioner Günther Oettinger said in a statement: “Cooperation with the industry is also essential. This is why I signed a partnership with the private sector that will trigger €1.8bn of investment to foster cross-border research and development cooperation of the cybersecurity industrial players in Europe.”
The new €1.8bn of investment is due to be triggered by 2020 and includes €450m from the EU and the remaining funds from cybersecurity market players, represented by the European Cyber Security Organisation. The partnership aims to foster cooperation at early stages of the research and innovation process and to build cybersecurity solutions for various sectors including energy, health, transport and finance.
Greyspark Partners said in a report, “Countering Cybercrime in Financial Services”, that the recent ratification of the EU’s General Data Protection Regulation, which takes effect next year, requires firms to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) on learning about the exposure if it results in risk to the consumer.
“However, if a company has encrypted the data, or taken some other security measures to protect the data, then they will not have to inform the subject,” said the report. “This means that much of the data passing though financial services systems is out of scope of this regulation.”
Cyber attacks against financial institutions are a daily occurrence and, as such, alerts and notifications play an important role in slowing the spread of any contagion. The ECB created a real-time cyberattack alert system that is expected to be piloted late thsi year and, by 2017, some 130 banks will be required to inform regulators about significant cyberattacks.
In the US there is no national breach notification law the SEC requires companies to report breaches if they are believed to have a material effect on the company and could affect investors according to Greyspark.
The Bank of England said in its 2015 Financial Stability Report that cyberrisk was among the five greatest dangers facing the financial services sector. The Bank has asked regulators to assess the resilience of financial firms and the results are due to be published this year.
Greyspark Partners said evolving technology and expanded electronification are increasing the potential risks for the cyber-defences of financial institutions. The consultancy added that an estimated 95% of cybercrime is attributed to human error, and the transient nature of many individuals in the workforce means that training programmes covering the basics of cybersecurity should be integral part of learning and development support for all staff.
Rachel Lindstrom, GreySpark senior consultant, said in a statement: “Cybersecurity for financial institutions must evolve as fast as the technology and techniques used to breach their defences. Organisations need to have a holistic view of their structure and its vulnerabilities, understanding the limitations of each of the security technologies they deploy.”
The consultancy added that vulnerabilities include network entry points, vendors and client networks as well as wireless LANs and mobile devices. “Going forward, the lack of a cybersecurity plan will not be tolerated by many regulators,” said the report.
Greyspark continued that in February this year the European Central Bank began compiling data on major cyber incidents at 18 of the largest banks and share information with other central banks.
In addition in October the UK government plans to open the National Cyber Security Centre in London to garner knowledge and information from financial firms, governments, academia, international partners, law enforcement, the UK’s security and intelligence agencies and the UK Ministry of Defence.
More on cybersecurity: