The European Central Bank has mandated all major banks under its control to report ‘all significant cyber incidents’ starting this summer.
British banks operating in the Eurozone will be required to comply with the ECB’s fresh guidelines on reporting cyber incidents.
The European Central Bank presently supervises 125 significant entities that include banks and other financial institutions. In a recent statement, ECB’s executive board member Sabine Lautenschlaeger has called upon all banks supervised by the ECB to “report all significant cyber incidents” starting this summer.
“This will help us to assess more objectively how many incidents there are and how cyber threats evolve. It will also help us to identify vulnerabilities and common pitfalls,” she said. British banks operating in the Eurozone, namely Royal Bank of Scotland, Barclays and HSBC, will be required to comply with the decision.
In a press release, the ECB further stressed that the objective of the institution is to ‘gain a deeper understanding of the cyber threat landscape in Europe’ and that it aims to allow banks to work together and collaborate ‘to enhance the cyber resilience of financial market infrastructures.’
“More specifically, we would like to assess with you how much interest there is in creating a high-level cyber resilience forum for pan-European financial market infrastructures, critical service providers and competent authorities,” it said.
The ECB’s ultimate aim is to ensure that banks in all member states have comparable cybersecurity capabilities and, as a result, are able to exchange information and best practices with one another.
“Besides the undeniable advantages of information and communication technology, the increase in users and data on digital platforms, in cloud computing and across networks has also created greater opportunities for cyber-crime,” said Benoît Cœuré, an ECB executive board member.
“There are a variety of agents involved: criminals, hacktivists or nation states. They may have different motives: financial gain, espionage, disruption and destabilisation. But what they all have in common is that they are steadily increasing their level of sophistication and exploring ways of attacking. A sound operational risk management and IT security framework are the first line of defence,” he added.
The ECB’s latest decision is very similar to a rule in the upcoming General Data Protection Regulation (GDPR), which will make it mandatory for institutions to report cyber incidents to the Information Commissioner’s Office within 72 hours of detection. A number of banks have so far expressed serious concerns about their ability to adapt to the upcoming legislation in the next twelve months.
“Banks are struggling with legacy systems. From our discussions with chief technology officers at banks, they are concerned the technical challenge may be impossible given there is only a year to go,” said Chris McMillan, a partner at consultancy firm Oliver Wyman, to the FT.
“At some banks, a customer’s data may be held on more than 100 systems, and each of these takes a long time to change, even for a simple change. Sometimes even the simplest changes take months and months. Multiply that by a hundred and it becomes a very complicated task,” he added.
While GDPR is still a year away, the ECB expects all banks to comply with its decision starting this summer. It remains to be seen how well British banks will be able to comply with the ruling in the coming days.