Europe making progress on harmonised cyber-crime rules

New European Directive seeks to tighten rules on how institutions deal with cyber-crime amid environment of increasing attacks.

European policymakers are a step closer towards pushing through harmonised regulation around cyber-security amid a growing number of cyber-breaches and hackings at financial institutions.

The Network and Information Security Derivative, which is part of the EU’s broader Digital Single Market initiative, will seek to improve member states’ cyber-security capabilities and bolster cooperation between EU bloc countries. The initiative is directed at numerous sectors including banking and cloud providers.

The European Commission (EC) said it hoped to have political agreement on the text by 2017. A number of financial institutions including J.P. Morgan and CME have suffered high-profile hacks over the last few years. A much cited study in 2013 by the then Committee on Payments and Settlement Systems (CPSS), International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) said 53% of exchanges had suffered a cyber-attack in the previous 12 months.

The Depositary Trust & Clearing Corporation’s (DTCC) Systemic Risk Barometer Study in May 2015 found 46% of market participants said cyber-security was their top concern, up from 24% in 2014. 80% of respondents to the DTCC ranked cyber-security as a top five risk overall. This growing concern around cyber-security comes amid an increased level of sophistication and frequency of cyber-incidents.

Analysis by British Telecom (BT) found roughly 41% of businesses globally had suffered a Distributed Denial of Service (DDoS). A number of firms including some asset servicers have reported malicious leakage of confidential data. Those behind the attacks are varied, and include nation states, sophisticated criminals and aggrieved employees.

Regulators globally are assessing the implications of cyber-threats. The Bank of England (BOE) recently subjected financial institutions in London to a simulated cyber-security breach. The Securities and Exchange Commission (SEC) has been examining the cyber-protection mechanisms in place at asset managers and broker dealers.

The SEC found 88% of broker-dealers and 74% of investment advisers had encountered cyber-threats directly or through a third party. Meanwhile, the Central Bank of Ireland (CBI) is assessing the veracity of asset managers’ cyber-security. Senior US officials have also warned financial institutions they must disclose cyber-incidents to the authorities.

The SEC laid down market best practice standards to reduce cyber-risks. Some are these are fairly straightforward and include having governance procedures and controls in place to curb the risk of cyber-threats. Many financial institutions will have a business continuity plan (BCP) to deal with a cyber-incident, and this will be routinely tested. Other organisations have strict policies on the use of removable storage devices and privileged access to sensitive data.

Others believe the issues facing financial institutions and market infrastructures are more fundamental. A number of banks and market infrastructures utilise legacy technology systems, which can be more vulnerable to cyber-breaches.