In April, the Joint Committee of the European Supervisory Authorities (ESAs) published their advice to the European Commission on the strengthening of EU cyber and IT security regulation in the financial sector.

These recommendations are an early signal of what we believe will be increased activity by EU financial authorities on cyber risk from 2020 onwards. Going beyond cyber risk, they show an interesting convergence of thinking with UK authorities in recognising that all forms of IT operational disruptions increasingly threaten the stability of the financial sector. The recommendations also note that the emergence of various approaches to cyber and technology risk across countries in the EU could benefit from added facilitation, harmonisation and cooperation. While a number of regulatory challenges could arise from a strengthened EU approach to cyber risk in the financial sector, greater alignment between countries in addressing this risk area should be welcome news for cross-border financial services firms.

What was published?

The ESAs’ recommendations came in two documents, with the first focusing on legislative improvements that can be made to EU law to strengthen financial authorities’ ability to address risks arising from cyber and IT threats, and the second looking at the pros and cons of establishing an EU-wide cyber resilience testing regime for financial firms.

Both documents were requested by the Commission in its March 2018 Fintech Action Plan, and both essentially amount to a menu of options for the Commission’s future cyber and IT security agenda. The focus on future legislative work is very important at this stage given that European Parliament elections in May and a newly installed European Commission taking office in November 2019 will lead to a significant agenda refresh for European policymakers later this year. It has been clear for some time that EU officials see cybersecurity as one of their top financial services priorities going forward. The ESAs’ recommendations are designed to help the Commission’s new leadership build a legislative agenda prioritising the initiatives that are most pressing.

As such, the ESAs’ recommendations should be seen as an important first step in what could become a multi-year process of developing an EU-level framework for the regulation of cyber risk in the financial sector.

The ESAs’ recommendations to the Commission

The ESAs (comprising the European Banking Authority (EBA), European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority (EIOPA)) proposed initiatives that range from small tweaks to existing EU laws, to more ambitious initiatives that could have significant implications for how financial institutions manage cyber and IT risk.

Arguably, the most important of the projects called for by the ESAs was for the Commission to develop an EU oversight framework for third-party providers active in financial services, with a particular focus on cloud service providers (CSPs). Here, the ESAs focus on concentration risk among CSPs and the vulnerabilities that this could create in financial markets, noting that: ‘there are concerns that the interconnectedness of CSPs in the financial system could be a single point of failure if one were to be subject to a serious breach’. This is familiar language to hear from financial regulators when discussing large banks or market infrastructures, but is an important new signal that EU authorities increasingly see certain non-financial entities as potentially systemic actors in the market. This also mirrors the UK Financial Policy Committee’s statement in late 2018 that it would begin close monitoring of financial sector risks associated with CSPs, and recent moves by Switzerland’s Financial Markets Supervisory Authority to begin carrying out on-site inspections of third-party outsourcing partners. Concerns around whether financial supervisors have the power to oversee the activities of CSPs have historically contributed to their reluctance to allow systemically important firms to move core functions onto the cloud.

Given that there is currently no basis in EU law for European authorities to address third-party concentration risk in the financial sector directly, the ESAs recommend the Commission take legislative action to remedy this. The ESAs suggest doing further work on a framework that would determine, among other things, when certain providers would be considered ‘critical’, and designate the authorities that would be responsible at the national or EU level to supervise them.

Bringing CSPs into the financial supervisory realm will be no easy task, either legislatively or practically. In our view, there will be a number of challenges in designing an effective oversight framework for this purpose, particularly when authorities confront the question of how supervision can be meaningfully carried out for CSPs without having any corresponding control over their authorisation. In this respect, it is surprising to see that the ESAs have not suggested creating an authorisation regime as part of this framework. It may also prove difficult to understand what constitutes the EU activities of CSPs and isolate those from the rest of their operations for the purposes of EU oversight.

Another interesting recommendation from the ESAs comes in their paper on developing an EU-wide framework for testing the cyber resilience of important financial institutions. This is an area where considerable work has already been done by some national authorities, and most recently by the European Central Bank (ECB). In 2018, the ECB developed standards for Threat Intelligence-based Ethical Red-Teaming (called TIBER-EU) to be adopted voluntarily by EU Member States to carry out cyber penetration testing on financial firms. Since then, a number of countries have indicated that they are planning to begin such testing programmes in the next few years based on the ECB’s framework. Given this progress, the ESAs do not recommend any significant break from the TIBER-EU path in the short term, and even offer their assistance to help facilitate the consistent adoption of TIBER programmes in Europe, but they do request an explicit mandate from the Commission to explore more permanent solutions in the longer term. This raises the prospect of the ESAs and the Commission eventually looking to put in place an EU-wide regime for cyber risk testing with a stronger legal footing, in which participation might be mandatory and whose scope and terms could be set by the EU rather than at national levels.

In addition to the two initiatives above, the ESAs also recommended making a number of targeted amendments to existing EU legislation covering banking, payments, insurance and markets, where the management and governance of cyber risk and operational resilience are implicitly covered, but could be referenced more explicitly. Both the EBA and EIOPA have further indicated that they would like to issue additional Guidelines on how national authorities should interpret the IT resilience aspects of laws such as the EU Capital Requirements Directive and Solvency II.

The ESAs also recommend that the Commission consider changes that could harmonise the various existing IT incident reporting frameworks, including those under the General Data Protection Regulation, the Network Information Security Directive and the ECB’s cyber incident reporting framework for banks and financial market infrastructures. Such harmonisation could include legislative fixes to standardise the taxonomies and templates used by the frameworks, their reporting timelines, and also address any overlaps or other inconsistencies between them.

A foundation for a future EU legislative agenda

The ESAs’ reports are recommendations to the European Commission, and it will be for the next Commission to decide whether and, if so, how to reflect them in its legislative proposals. That said, they are an important indicator of the direction of travel that EU authorities can be expected to take on cyber and IT risk in the coming years.

Financial regulators in some countries are more advanced than others in the development of cyber and IT resilience standards for financial firms. The Netherlands, for instance, has been the Eurozone’s leader on the development of a TIBER testing regime for the financial sector. UK authorities have published some of the most advanced thinking about how the operational resilience of firms could be supervised (and as mentioned above, it is interesting to see the ESAs adopt the broader concept of ‘operational resilience’ rather than narrowly refer to cyber and IT risks). Nevertheless, EU authorities usually view inconsistent national practices as ripe territory for regulatory initiatives that bring consistency to rules in the EU Single Market. All of this potentially puts operational resilience at the top of the agenda of the EU’s next Commissioner for Financial Services.

Some of the ESAs’ recommendations, such as harmonising IT incident-reporting practices, will likely be seen as commonsense upgrades for EU authorities to make relatively early in the Commission’s new mandate. Others, such as an oversight framework for CSPs, will require considerably more study. Although the Commission’s work on initiatives such as CSP oversight could begin quite soon, public consultations, more detailed advice from the ESAs, and a longer legislative drafting period would push back an actual legislative proposal by several years. These proposals could also prove to be quite controversial with many countries and industry actors and, as such, may take some time to make their way through political negotiations.

Not all controversy is bad, however, and some of these issues do merit a robust debate at the European level. The next Commission’s mandate will run for five years, from 2019 to 2024, and not all of its initiatives will come at the same time. Anyone wishing to understand what to expect from Brussels on operational resilience in the financial sector over the next half-decade should give the ESAs’ recommendations a careful read.