
EU financial regulators push forward plan to improve coordination in cyber incidents

EIOPA: The Frankfurt-based authority is one of the three European supervisory authorities | Photo credit: EIOPA

The financial regulators of the European Union (EU) have published an update on their plans to strengthen their coordination in the event of “systemic” cyber incidents.

The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – collectively known as the three European Supervisory Authorities (ESAs) – are working together to establish the ‘EU Systemic Cyber Incident Coordination Framework’ (abbreviated ‘EU-SCICF’).

The framework, which has been in development for more than two and a half years, aims to “enable an effective response by the financial sector to a cyber incident posing a risk to financial stability by strengthening coordination between financial authorities and other relevant bodies in the EU, as well as with key actors at international level”.

According to the ESAs’ update on EU-SCICF (17 July), the authorities will kick-start the implementation of the framework in the coming months. This includes the establishment of an EU-SCICF Secretariat, an EU-SCICF Forum that will work on testing and further developing the framework’s functionality, and an EU-SCICF Crisis Coordination function that will facilitate the coordination of actions among the authorities involved during a crisis.

The ESAs will “identify legal and other operational hurdles encountered during the initial set-up” and report them to the European Commission, the announcement said, adding that “further development of the framework will depend on the availability of resources and other actions taken by the Commission.”


“The risk must be addressed”

EU-SCICF will be established following a recommendation by the European Systemic Risk Board (ESRB) in December 2021 and a (related) 46-page report “Mitigating systemic cyber risk”, published by the ESRB in January 2022. The ESRB is responsible for macroprudential supervision of the financial system within the 27-member EU bloc.

“There is a risk of coordination failure on the part of authorities and this must be addressed,” warned the ESRB recommendation. “Competent authorities in the Union will need to coordinate with each other and with other authorities, such as the European Union Agency for Network and Information Security (ENISA), with which they do not normally cooperate,” it added. It also said that “since a significant number of Union financial institutions operate globally, a major cyber incident is unlikely to be confined to the Union or could be triggered outside the Union and could require global response coordination.”

EU-SCICF must also be seen against the background of the EU’s Digital Operational Resilience Act (DORA). DORA, which came into force in January 2023 and will apply from 17 January 2025, sets out requirements on ICT risk management, incident reporting, resilience testing and third-party risk that financial entities and their critical third-party ICT providers must meet, supplemented by technical standards drafted by the ESAs.

The ESRB recommendation states: “Given the threat posed by cyber risks to financial stability in the Union, preparatory work for the gradual establishment of the EU SCICF should, where possible, start before the necessary legal and policy framework for its establishment is fully applicable.” It goes on to say: “This legal and policy framework will be fully completed and finalised once the relevant provisions of DORA and its delegated acts become applicable.”

Last year, the ESAs, the European Central Bank (ECB) and the competent national authorities of the EU Member States each appointed a main contact person for EU-SCICF.


Dangers of amplification

The December 2021 recommendation warned that “serious cyber incidents could pose a systemic risk to the financial system as they have the potential to disrupt critical financial services and operations.”

“The amplification of an initial shock can occur either through operational or financial contagion effects or through a loss of confidence in the financial system,” the ESRB explained, adding: “If the financial system is unable to absorb these shocks, financial stability is at risk and this situation can lead to a systemic cyber crisis.”

The ESAs’ EU-SCICF update was released a few days before a global IT outage caused by a faulty update to security software from a cybersecurity company.

CrowdStrike inadvertently caused crashes of Microsoft Windows-based systems around the world, including those of banks, airlines and hospitals.

The company’s CEO apologized for the situation in a statement (July 19), saying the outage was caused by “a defect in a Falcon content update for Windows hosts” and was “not a cyberattack.”