
Published: 13.05.2019

Focus on cyber resilience

European Supervisory Authorities are calling for greater harmonisation and convergence

No chance for hackers: at the beginning of April, the three European Supervisory Authorities (ESAs) presented two opinions to the European Commission outlining measures for institutions in the financial sector to strengthen and improve their cyber resilience (see info box).

In doing so, the European Insurance and Occupational Pensions Authority (EIOPA), the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) were responding to two requests by the European Commission contained in the FinTech action plan (see info box).

At a glance: FinTech action plan

In March 2018, the European Commission published its “FinTech Action plan: For a more competitive and innovative European financial sector”. This is intended to help institutions make better use of innovations in the financial sector driven by technology. Through the measures described in its action plan, the Commission aims to promote innovative business models and encourage financial institutions to make use of new possibilities such as distributed ledger technologies and cloud services. Considerable focus is placed on the action plan’s third measure and its primary goal: strengthening the cyber resilience of financial institutions.

At a glance: Cyber resilience

The term cyber resilience describes the ability of institutions to withstand attacks against the security of their information and communications technology (ICT). Attackers focus on company systems or even customer data.

Harmonisation and convergence

The ESAs have identified a need for greater harmonisation and for the addition of concrete requirements for the security of the information and communications technology used by financial institutions. This was the conclusion of the joint opinion issued by EIOPA, the EBA and ESMA on the need for legislative amendments as regards risk management requirements in ICT. The ESAs believe that the harmonisation of such requirements across the financial sector will result in a higher overall security level, appropriate supervisory practices in the area of ICT security and an improvement in cyber security.

In concrete terms, the ESAs have recommended that the Commission make additions to the relevant European Directives¹ as regards certain aspects of ICT security in order to establish a comparable baseline across all European financial sectors. At level 3, EIOPA aims to develop guidelines for ICT security and governance requirements so that the national supervisory authorities can act on the basis of a common foundation. The key concept here is “supervisory convergence”.

In recent years, BaFin has already issued circulars as to how institutions should organise and monitor their IT resources, information risks and information security in the form of its Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) and its Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT). A consultation on its Supervisory Requirements for IT in Asset Management Companies (Kapitalverwaltungsaufsichtliche Anforderungen an die IT – KAIT) is currently in progress, see “Circular”. BaFin will also continue to participate vigorously at the European level when it comes to harmonising and further developing requirements for ICT security.

Framework for cyber-resilience tests

In their second opinion, the ESAs advocate the development and implementation of a coherent threat-led penetration testing (TLPT) framework for significant market participants and infrastructures in the financial sector (see info box). In the long term, it is expected that the ESAs and the national supervisory authorities will develop TLPTs for significant market participants and infrastructures together.

Definition: Threat-led penetration testing

As one of the most advanced forms of penetration testing, threat-led penetration testing (TLPT), also known as ethical red teaming, helps institutions to improve and more comprehensively evaluate their cyber resilience. The “G-7 Fundamental Elements for Threat-Led Penetration Testing”, to which BaFin made a considerable contribution, defines TLPT as a controlled attempt to compromise the cyber resilience of an entity by simulating the tactics, techniques and procedures of real-life threat actors.

The ESAs have announced that some initial steps towards establishing a solid foundation for increased cyber resilience will be taken soon. This is to be achieved through the suggested legislative improvements put forward in the first opinion mentioned above. With its draft Guidelines on ICT and security risk management, which were open to consultation until 13 March 2019, the EBA has already made significant progress in this direction. On the basis of these attempts to achieve harmonisation and convergence, and taking into consideration the existing frameworks such as the “G-7 Fundamental Elements for Threat-Led Penetration Testing” and the framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), the ESAs have advised the Commission to set out an appropriate legal basis for the creation of a framework.

BaFin welcomes the suggestion to develop and implement a TLPT framework for significant market participants and infrastructures. This is all the more true since a working group involving both BaFin and the Deutsche Bundesbank is currently developing a German implementation proposal for penetration tests of this kind. The proposal is based on the TIBER-EU framework published in May 2018 by the European Central Bank. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) takes part in the working group meetings in an advisory capacity.

Summary

The regulatory changes suggested by EIOPA, the EBA and ESMA and the suggestion for a framework for cyber resilience testing are intended to contribute to the effective management of ICT risks as part of proper business organisation and therefore to an appropriate level of cyber resilience in regulated institutions.

Author

Silke Brüggemann
BaFin Division for Policy Issues relating to IT Supervision and Inspections

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.

Footnote:

  1. These include the Solvency II Directive, the second Directive on Payment Services (PSD 2) and the Capital Requirements Directive IV (CRD IV).
