The financial sector is increasingly at risk from cyber-attacks, the European supervisory authorities (ESAs) have warned in their latest report on the subject.
Cyber-attacks have hit the financial sector more often than other sectors, while throughout the digital economy, cyber-criminals are developing new techniques to exploit the weaknesses of systems, according to a new report from the EU's ESAs — the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Insurance Authority (EIOPA).
“It has the largest share of COVID-19-related cyber events after the health sector, with payment institutions, insurers and credit unions being most affected,” the report says.
Financial institutions will have to rapidly adapt their technical infrastructure in response to the pandemic and the crisis has acted as a catalyst for digital transformation more generally in the financial sector, the ESAs conclude.
“Financial institutions are now more heavily relying on digital and remote solutions to perform their daily operations and to deliver their services to customers,” the report says, adding that growing reliance on digital products has also led to more opportunities for cyber-attackers, not least in the financial sector.
The ESAs believe that the COVID-19 pandemic and the associated increase in people’s reliance on digital services and infrastructure to conduct business and “telework” have made the sector more vulnerable to cyber-attacks, with insurers in some jurisdictions reporting an increase in the incidence of malware and “cyber-attempts”.
Regulators expect financial entities to intensify their efforts to offset risks to the security of information and communications technology (ICT), the report observes.
To do this, it says, people should intensify their efforts to counteract cyber-attacks and to improve logical security for ICT.
Some authorities are taking legislative action in response to these problems already.
For example, as part of its “Digital Finance Package” that it unveiled in September 2020, the European Commission has proposed to introduce the Digital Operational Resilience Act (DORA), which EU institutions — the European Commission, the European Council and members of the European Parliament (MEPs) — are discussing now.
If it becomes EU law, the act will require all firms to withstand all types of disruptions and threats that relate to ICT. It will also set up a regime to oversee ICT providers.
DORA foresees an important role for the ESAs. It proposes that they should develop a series of “Level 2 mandates” and perform new tasks in the areas of ICT-related incident reporting, digital operational resilience testing, crisis-management and contingency exercises and the overseeing of crucial ICT third-party providers.
One challenge that people face when monitoring “ICT risk” is an absence of timely and comprehensive EU-wide data, the report warns. DORA aims to remedy this by standardising incident reporting throughout the EU’s financial sector.
Meanwhile, the ESAs plan to impose a third-party oversight regime.
“This could ensure that technology services providers fulfilling a critical role to the functioning of the financial sector are adequately monitored on a pan-European scale,” the report suggests.
The idea of DORA has not been free from criticism since the European Commission proposed it. Sources have previously told VIXIO that the draft is full of good ideas but that costs and definitions are a worry for the EU's financial sector.
One source complained that firms in the EU have only recently become familiar with some guidelines on the subject that the EBA issued last year.
There is also a risk that DORA could overlap with the EU's Network Information Systems (NIS) Directive, which aims to make networks and information systems more secure throughout the EU's “critical infrastructure”.
Members of the European Parliament have also been concerned about the implementation of DORA. The parliament’s rapporteur, Billy Kelleher, has stressed that “proportionality” (the imposition of fewer burdens on smaller firms) will be important to its success.