Technology pervades most industries nowadays, not least the financial sector. Wallets are stored on phones; insurance premiums are calculated by algorithms; shares are traded in microseconds; and our data is increasingly stored in clouds.
The digitalisation of the sector has brought efficiencies, consumer choice and lower costs. But, as with all high-yield investments, there is risk attached: in this case, cyber and digital operational risk.
In the financial sector, the traditional mode of measuring and mitigating risk is by applying prudential regulation and requiring a commensurate level of capital to be held by each institution.
With the ever-increasing digitalisation of the sector, international standard setters and regulators have begun to recognise digital operational risk as an additional vulnerability of the financial sector, one that cannot be mitigated by capital but requires more practical and reactive lines of defence.
At the forefront of this work is the European Union. In September 2020, the European Commission published its proposal for a Regulation on Digital Operational Resilience for the financial sector, commonly known as “DORA”.
The Regulation takes a holistic approach to ensure that there is a consistently high level of cyber resilience across the entire financial sector, thereby recognising the interconnectedness of the sector. Arguably, the most ambitious aspect of the Regulation is that it takes a dual approach to ensure the resilience of the sector, by not only placing obligations on financial entities, but also introducing an oversight framework for the largest ICT service providers.
As the European Parliament’s penholder for the amendments to this proposal and its negotiator, I approached the legislation with three key principles in mind:
Firstly, proportionality – whilst we want to ensure a consistently high level of security across the sector, we also need to take account of the different types of financial entity and their varying levels of risk.
Secondly, competitiveness – introducing a framework that will enhance the cyber resilience of the European market will increase the confidence of investors and consumers, as well as the attractiveness of Europe as a place to do business for both financial entities and ICT service providers. However, if the requirements become too burdensome, they risk having the opposite effect.
Finally, future-proofing – the digital sector is constantly evolving, both in terms of the risks posed and the solutions provided. I am acutely conscious of ensuring that the regulation is not overly prescriptive, which could, in turn, hamper innovation.
With these principles in mind, the most challenging aspects of the negotiations on the Regulation are the requirements on financial entities to establish a robust ICT risk management framework, the specifications for testing cyber resilience procedures, and the oversight of the most critical ICT service providers.
Concerning the ICT risk management framework, there is broad consensus between the legislators and the stakeholders that such a framework is necessary. ICT risk considerations need to permeate all business lines and there needs to be a clear chain of command and responsibility.
However, the co-legislators are grappling with balancing the need for harmonisation against ensuring that the requirements are not too prescriptive and that their implementation is feasible and effective.
Likewise, the necessity of a testing regime is not disputed. However, the involvement of third-party ICT service providers adds a further level of complexity. We need to recognise that an ICT service provider may be providing services to a multitude of entities, each undertaking its own periodic testing.
Moreover, the testing environment may include systems of the ICT provider and these systems may not exclusively be used by financial entities but also by other customers not subject to DORA.
For these reasons, the co-legislators are considering a pooled-testing regime to allow ICT service providers to conduct the necessary tests on their systems on behalf of all their financial entity customers whilst ensuring the continuity and security of services for their other clients.
A similar concern has been highlighted in respect of the oversight framework for the largest, most critical ICT service providers. The framework would afford the European financial supervisory authorities the competence to conduct investigations, including on-site.
The co-legislators do not oppose the oversight framework, rather they agree with its necessity given the interconnectedness of the financial and ICT sectors. However, they have taken steps to ensure that the supervisory authorities take due consideration of the confidentiality, data security and continuity of services of any other customers of the ICT service provider.
At present, the co-legislators – the European Parliament and Council – are in negotiations to agree on the final text. Against the backdrop of the current geo-political situation, we are acutely aware of the need to ensure our financial sector is resilient against cyber-attacks.
Risks can arise from nefarious actors, state actors and even human error or technical fault. To give citizens and investors the confidence they need to engage with the financial sector and use it to their benefit, it is key that the sector is robust, stable, assertive and defensive.
My focus as the Parliament’s negotiator is ensuring that our three key priorities – proportionality, competitiveness and future-proofing – are retained across the entire regulation. We have some work to do, but I believe a common-sense agreement with the European Council can be reached, as it is in all of our interests to make sure European financial entities are protected and competitive.