FINANCIAL INSTITUTIONS

G-7 guidance on cyber security in the financial sector

The G-7 countries’ Cyber Expert Group has published guidance dealing with cyber security in the financial sector, namely the ‘Fundamental Elements of Cybersecurity for the Financial Sector’ and in October 2017, the ‘G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector.’ Craig Rogers and Michael Bahar of Eversheds Sutherland discuss these guidelines before assessing the shape of cyber security requirements for the financial sector in each of the G-7 countries.

CYBER SECURITY PRACTITIONER 4

The global financial system faces an unprecedented risk of disruption by cyber threat actors. Attacks like that on the SWIFT inter-bank network provide an insight into the escalating scale, sophistication, frequency, volume and impact of intrusions. At the 2016 G-7 Summit in Ise-Shima, Japan, the group of seven countries (Canada, France, Germany, Italy, Japan, the UK, and the US) listed cyber security as one of the key threats facing the world economy.

The leaders of the G-7 nations underlined the need for “an accessible, open, interoperable, reliable and secure cyberspace as an essential foundation for economic growth and prosperity1.” Whilst they recognised the benefits of technological innovations in the financial sector, they also highlighted their vulnerability and the impact of outages and intrusions on financial stability and market integrity. They also recognised the need for cooperation and information sharing to combat the malicious use of cyber space by state and non-state actors. Following the 2016 Summit, the G-7 established a working party (the G-7 Cyber Expert Group, or ‘CEG’) and published guidelines for ‘Fundamental Elements of Cybersecurity for the Financial Sector.’ These were followed by the ‘G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector.’ The 2016 paper set out eight building blocks to assist firms in designing and operating a framework for cyber security:

1. establishing and maintaining a cyber security strategy;

2. defining and implementing effective governance structures;

3. defining processes and policies to identify risks facing the organisation and to test the effectiveness of controls frameworks;

4. establishing and maintaining a systematic monitoring process;

5. implementing appropriate incident response plans;

6. defining protocols which enable the swift resumption of operations after an incident;

7. sharing information with industry bodies, law enforcement and intelligence agencies (to support the collective assessment of risks and to strengthen defences across the sector); and

8. constantly reviewing defence strategies to respond to both existing threats and future trends (taking into account innovation in financial products, new market entrants, supply chain risks, and evolving user habits).

In October 2017, the G-7 followed this with practical, commercial guidance on how financial institutions (‘FIs’) should assess the effectiveness of the elements previously outlined2. The G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector introduced five desirable outcomes and five assessment objectives:

Desirable outcomes: The Fundamental Elements (‘G-7FE’) are in place; cyber security influences organisational decision making; there is an understanding that disruption will occur; an adaptive cyber security approach is adopted; and there is a culture that drives secure behaviours.

Assessment components: Establish clear assessment objectives; set and communicate methodology and expectations; maintain a diverse toolkit and process for tool selection; report clear findings and concrete remedial actions; and ensure assessments are reliable and fair.

It is clear that the guidelines are not intended to be prescriptive, but rather to serve as a checklist for firms and their leadership and to inform internal discussion. Interestingly the paper also suggests that they can be used in ‘regulatory examinations’ - begging the question as to whether certain regulators, in the absence of their own prescriptive regulations, will look to the G-7FE as a benchmark for assessment. Looking forward, the CEG has announced that it will develop a set of fundamental elements for threat-led penetration testing and cross-border crisis simulation exercises for the G-7 financial regulators. It remains to be seen whether strategically important financial institutions will be invited to participate in war gaming exercises.

The ‘Fundamental Elements’ are non-binding - they carry no weight in international law, and do not carry any sanctions or penalties for non-compliance. Rather the guidelines are designed to assist financial sector entities, as well as their supervisory bodies, in navigating safely through the ever-changing cyber threat storm. But, while the guidance seeks to better harmonise and represent convergence around core principles and best practices, the global regulatory environment remains complex and disparate.

The interplay of international legislation

To navigate the patchwork of global cyber security regulations, international banks and FIs have to constantly assess the applicable legislation and regulation and make a decision about their level of compliance and how to manage apparently overlapping or conflicting requirements. FIs have a choice to make: take a minimum compliance stance, doing only what is required to satisfy the regulation in each jurisdiction, or take a ‘high water mark’ approach, adopting the standards which reflect not only best practice, but also the requirements of the most stringent regulator.

Save in more restrictive regimes, in an era where banks and other FIs rely on globally integrated platforms and infrastructure, it is generally more efficient to apply global policies and procedures than those which are adapted to individual local requirements.

A Cecile Park Media Publication | December 2017 5

Comparative overview of laws

Regulators have tended to adopt a technology-neutral approach to regulation, relying on systems and controls rules, criminal law or privacy legislation. But as the perceived risk has moved cyber security out from behind the curtain of a broader controls matrix (and as distributed ledger technology and cryptocurrencies move the dial3) legislators and regulators are increasingly seeking to impose (and test) minimum standards for information security and operational resilience.

In Europe, the European Banking Authority issued Guidelines on ICT Risk Assessments4. As the title suggests, the EBA Guidelines are non-binding, but being issued under Article 107(3) of CRD IV5, provide a clear insight into the central banks’ view on the management by FIs of technology and operational risks. Meanwhile MiFID II will apply on 3 January 2018 and the General Data Protection Regulation (‘GDPR’)6 on 25 May 2018. The GDPR will apply in addition to existing FS regulations, raising the spectre of a double hit7 for FIs who fail to maintain minimum security standards for their customers’ personal data. The GDPR also has extraterritorial reach which may cause compliance conflicts for banks or other FIs who operate globally.

In the UK, firms have to navigate the intertwined strands of legislation, regulation, supervisory statements and guidance, primarily derived from EU law. This includes the requirements of the FCA Handbook and PRA Rulebook, MiFID I/II8, the UK Data Protection Act (and in 2018 the GDPR), the Privacy and Electronic Communications Regulations (‘PECRs’9), Solvency II10, the Payment Services Regulations 2009 (later the forthcoming PSD211), the Electronic Money Regulations 2011, the NIS Directive12 - the list goes on.

In its 2017/2018 Business Plan, the FCA recognised the opportunities of technological innovation, but also acknowledged the risk of insufficient investment in legacy systems, greater reliance on digital platforms, and outsourcing. It also identified the potential impact on the stability and integrity of markets of sophisticated, market-wide or simultaneous cyber attacks13.

Broadly the FCA requirements are set out in the Principles for Business (‘PRIN’), which specify the fundamental obligations of firms under the regulatory system, and under the Senior Management Arrangements, Systems and Controls (‘SYSC’), which are designed to encourage effective governance and management, oversight and delegation and create a common platform of organisational systems and controls - including for cyber risks. The SYSC also sets out requirements for business continuity14 and outsourcing15, whilst SYSC 13.9 and Solvency II (and the delegated legislation) set out the rules applicable to insurers.

With the increased adoption of cloud services, the FCA responded to industry-wide uncertainty by ultimately publishing guidance for regulated firms16. The paper was designed to supplement or clarify (but not replace) existing FCA and PRA requirements on the outsourcing of ‘critical or important’ operational functions. In relation to info security, the regulator set out its expectations for firms using cloud based applications or hosting workloads in the cloud, including the requirement to carry out a detailed security risk assessment, agree a data residency policy, consider how data will be segregated, stored and encrypted, and understand the provider’s data loss and breach notification processes. Whilst the FCA acknowledged that firms may not have the same audit and access requirements as for a dedicated environment, it made it clear that this does not excuse them from the obligation to conduct detailed due diligence and that they cannot simply rely on public statements by cloud vendors in relation to the adequacy of info security or BC/DR plans.

The Senior Managers and Certification Regime (‘SM&CR’)17 imposes individual and collective accountability on the senior management of banks, building societies, credit unions, insurers and dual-regulated firms. It imposes governance, conduct and certification requirements on senior managers, extends to operational resilience, technology risk and cyber security, and requires that responsibility is clearly allocated between board members.

Under the NIS Directive, FIs are required to implement appropriate security measures and to notify incidents to the relevant national authority. The Directive also recognises the benefits of intelligence sharing between EU Member States and requires that each of them appoints a national competent authority and CSIRT to handle and coordinate the response to nationwide incidents in each of the key sectors.

Firms who engage in targeted marketing activities or use ‘cookies’ must comply with both the PECRs18 and the GDPR; both require that firms apply ‘appropriate technical and organisational measures’ to protect personal data against accidental loss whilst the GDPR mandates minimum security requirements (proportionate to the risk) including pseudonymisation and encryption, as well as the requirement to regularly test the effectiveness of controls. The GDPR also requires that FIs - when building systems, applications and platforms which will process, handle or store their customers’ and clients’ personal data - include, by design and by default, security measures which ensure the security of that data.

The authors would also like to thank the following individuals from Eversheds Sutherland’s offices and network firms for their contributions to this article: Rosie Wallace, Kit Bottomley & Simon Collins (Eversheds Sutherland, London); Kristen Bertch (Eversheds Sutherland, New York); Alessandro Engst and Carlotta Riggi (Eversheds Sutherland, Milan); Marion Seranne, Sophie Scemla and Eric Knai (Eversheds Sutherland, Paris); Atsutoshi Maeda and Takashi Nakazaki (Anderson Mori & Tomotsune, Tokyo); Alexander Niethammer and Steffen Morawietz (Eversheds Sutherland, Munich); Elisa Henry (McMillan LLP, Canada).

Craig Rogers, Partner, [email protected]
Michael Bahar, Partner and Co-Lead of Cyber-Security, [email protected]
Eversheds Sutherland, London and Washington DC

In France, the French Monetary and Financial Code imposes the obligation on FIs to implement risk assessment processes, IS controls and to secure clients’ personal data. The Regulation of 3 November 2014 requires that entities falling under the control of the French Financial Regulator (the ACPR) must secure their information systems (including the development and testing of internal security procedures and business continuity plans). The General Regulation of the Autorité des Marchés Financiers mandates requirements for information and operational risk assessments, systemic controls and internal policies. As with other Member States, French FIs are subject to the NIS Directive, MiFID, and soon - PSD2 and the GDPR.

In Germany, the German IT Security Act of 25 July 2015 is the key piece of legislation. The banking and finance system is considered a ‘sector of critical infrastructure19’ under the Act, which imposes specific requirements in relation to cyber security. In the event of a breach of critical infrastructure, the affected entity must notify the Federal Office for Information Security of any significant disruption to the availability, integrity and confidentiality of their information technology systems, components or processes which might lead to a breakdown or malfunction of the affected infrastructure. Furthermore, the German Banking Act obliges providers of certain financial products to develop an IT-specific risk management policy, internal control mechanisms, back-up and fail-over procedures and incident response plans (Sec. 25a). The Securities Trading Act extends the above-named obligations to the division of securities trading. There is a general obligation to notify breaches or disclosures of personal data to the competent data protection authority (under the German Federal Data Protection Act).

In Italy, whilst there is no specific cyber security legislation or regulation in force for Italian banks and financial institutions, in its ‘Strategic Plan 2017-2019,’ the Bank of Italy has included initiatives to improve the security and operational continuity of the financial sector by implementing a cyber resilience strategy for Italy’s financial market infrastructure. To meet the Plan’s demands, the Bank of Italy and the Italian Banking Association established the Italian Financial Cyber Security Unit, to coordinate information sharing and cyber threat intelligence between participating institutions.

In general terms, the Circular of the Bank of Italy No. 285 of 17 December 2013 concerning banking supervision, sets out organisational provisions applicable to banks in relation to IT security whilst the Bank of Italy and CONSOB20 Joint Regulation of 29 October 2007 (issued under MiFID and applicable in respect of the provision of investment services) provides general obligations to set up procedures and measures suitable to ensure the security of data and systems.

Like other Member States, Italy will need to transpose into local law the requirements of the NIS Directive, PSD2 and MiFID II and address, respectively, systemic infrastructure risks, security requirements throughout the payment ecosystem, and the resilience of systems deployed by financial service market participants.

Within the US, there is an emerging patchwork of regulation as almost all 50 states have breach notification requirements with varying timelines and thresholds, and some like New York have implemented more detailed cyber security regulations applicable to the financial sector21. The federal Government exercises regulatory powers via the Securities and Exchange Commission, which recently formed a Cyber Unit within its enforcement arm, and others. In addition to the Cybersecurity Act of 201522, which afforded limited liability protection for the sharing of cyber threat indicators among the private sector or with the federal Government, there is also pending legislation to add a federal breach notification requirement with criminal non-disclosure penalties23. While all this legislation and regulation reflects a convergence around best practices, including having proactive, holistic, risk based, and well practised written policies and plans that are endorsed at the top of the organisation, compliance with one set of rules does not necessarily mean compliance with the others.

Other federal and state laws apply specifically to banks and other laws exist that may apply to banks depending on the types of data they collect and store. Financial institutions must protect consumers’ non-public personal information and have safeguards to protect against threats to consumer information under the Gramm-Leach-Bliley Act24. Banks may be subject to the Fair Credit Reporting Act25, the Health Insurance Portability and Accountability Act26, and the Children’s Online Privacy Protection Act27; each has privacy and security requirements that apply to organisations that fall within their scope.

Finally, each US state has varying privacy and cyber security requirements for consumer data. 2018 could witness more state laws applicable to the insurance sector given the 24 October 2017 passage of the National Association of Insurance Commissioners Insurance Data Security Model Law28.

In Canada, the only piece of legislation specifically applicable to the cyber security of FIs is the federal Personal Information Protection and Electronic Documents Act (‘PIPEDA’). Guidance for federally regulated FIs has been issued by the Office of the Superintendent of Financial Institutions (‘OSFI’) and a national taskforce was created under the auspices of the Federal Department of Public Safety29; however, none of these operates under specific regulation or legislation. The OSFI regulates all Canadian federally incorporated FIs, including banks, insurance companies, trust and loan companies, and credit unions, whilst payment card network operators fall under the supervision of the Financial Consumer Agency of Canada. All FIs incorporated at the provincial level (which currently excludes banks) are also subject to provincial regulation. Most provinces have relinquished jurisdiction to the OSFI, but not all.

In Japan, the Basic Act on Cybersecurity30 provides the comprehensive cooperation scheme between national and local government entities, private entities and the general public to maintain and promote cyber security in Japan. Critical information infrastructure operators (including FIs) are required to have formal cyber security programs and policies in place, implement proactive cyber security controls, and cooperate with national and local government agencies. General legislation under the Japanese Banking Act stipulates31 that banks are required to appropriately handle customer information, apply adequate control measures in relation to third party service providers, and ensure appropriate management and control of operational functions. These are further built out in the ‘FSA Banking Supervisory Guidelines32,’ which set out more comprehensive guidelines for banks and include managing, testing and evaluating information system risk, minimum standards for information security management, outsourcing and subcontracting, and implementing and testing contingency and incident response plans. Finally, under Japan’s Companies Act33, directors and board members are required to establish internal control systems for operational continuity, resilience and compliance with relevant regulations.

Is further regulation needed?

While industry has recognised the importance of robust information security systems and controls, legislators and regulators are increasingly active. The 2016 G-7FE Guidelines and Effective Assessment Guidelines are, in comparison, very broad and non-binding guidance which may limit their effect. Industry standards, such as PCI-DSS34, enjoy a level of global adherence which financial services regulators can only aspire to. The issue is not so much an absence of regulation, but rather a lack of consistency, marked by the inability of regulators and legislators to adopt a uniform, global compliance model.

Is the sector adequately stepping up?

Surveys of financial institutions35 invariably reveal that they have suffered some form of cyber incident in the past 12 months and that the level of investment does not always match the level of risk and evolving threats. Larger firms may have larger budgets than smaller rivals but struggle to manage the complex architectures, ageing legacy infrastructure and multiple attack surfaces associated with large customer bases, diverse and dispersed employee communities, and a constantly evolving range of products and channels.

Challengers and FinTechs tend to be more agile, and quicker to adopt cloud services for mission critical infrastructure and applications (along with guarantees of ‘best-in-breed’ security); it remains to be seen whether relying on cloud platforms could expose these firms to systemic risks from targeted attacks. At the same time, we expect to see increased regulatory activity and oversight, as well as fines for non-compliance. If we take as an example the £56 million fine imposed by the FCA36 and PRA37 following IT failures at UK banks in 2012, we can expect to see similar levels of sanctions and enforcement action, particularly where failures to implement minimum security standards put consumers (or personal data38) at risk or threaten the stability of financial markets. Based upon the G-7 guidance and regulatory input from each nation, we anticipate that regulatory frameworks will become increasingly prescriptive and require that, as a minimum, firms:

• develop proportionate, risk-based defence and response strategies;
• increase investment in security infrastructure and tools;
• increase focus on vendor management;
• manage and refresh IT assets;
• maintain ongoing training and awareness programs for staff at all levels (not just in IT functions);
• appoint senior managers with specific experience of and accountability for cyber security;
• clearly define, test and update procedures and plans; and
• develop CISO functions with independence from the CIO, reporting directly to the board.

As challenging as the cyber risk environment is for FIs, so too is the rapidly emerging patchwork of global regulations. The aim of recent G-7 guidance may be harmonisation but the practical reality remains one of piecemeal - and at times even conflicting - direction.

1. https://obamawhitehouse.archives.gov/the-press-office/2016/05/27/g7-ise-shima-leaders-declaration

2. https://www.treasury.gov/press-center/press-releases/Documents/(PRA)_(BCV)_4728453_v_1_G7%20Fundamental%20Elements%20for%20Effective%20Assessment.pdf

3. https://www.sec.gov/news/press-release/2017-131

4. http://www.eba.europa.eu/documents/10180/1841624/Final+Guidelines+on+ICT+Risk+Assessment+under+SREP+%28EBA-GL-2017-05%29.pdf

5. Directive 2013/36/EU.

6. Regulation (EU) 2016/679.

7. Fines up to 4% of total global annual revenue or €20 million.

8. Directive 2014/65/EU and amending Directive 2002/92/EC and Directive 2011/61/EU, [2014] OJ L173/349 and Regulation (EU) 600/2014 on markets in financial instruments and amending Regulation (EU) 648/2012 [2014] OJ L173/84 (collectively MiFID II).

9. The Privacy and Electronic Communications (EC Directive) Regulations 2003, implementing European Directive 2002/58/EC.

10. Directive 2009/138/EC.

11. Directive (EU) 2015/2366.

12. Directive (EU) 2016/1148.

13. FCA Business Plan 2017/18.

14. SYSC 4.1.8, 7.1.2 and SYSC 8.1.8(11).

15. SYSC 8.

16. UK FCA - FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services.

17. Bank of England Supervisory Statement 28/15 (as updated), as well as Supervisory Statement 5/16 applying to Corporate Governance: Board responsibilities.

18. Implementing Directive 2002/58/EC of 12 July 2002 (‘e-Privacy Directive’).

19. As defined in the German Act on the Federal Office for Information Security.

20. Commissione Nazionale per le Società e la Borsa Directive (EU) 2016/1148, concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L194/1.

21. http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

22. Division N of the Consolidated Appropriations Act of 2016, Public Law 114-113.

23. Data Security and Breach Notification Act, H.R., 115th Cong., 37 (2017).

24. The Gramm-Leach-Bliley Act includes the Financial Privacy Rule, Safeguards Rule, and Pretexting Protection. Each of these protections are in the Code of Federal Regulations respectively at 17 C.F.R. § 248, 16 C.F.R. § 314, and 16 C.F.R. § 313.

25. The FCRA includes provisions on the protection of consumer information. The Protection of Consumer Information Under the Fair Credit Reporting Act is found in the Code of Federal Regulations at 17 C.F.R. § 162.3.

26. HIPAA includes provisions on the security and privacy of protected health information. These protections are in the Code of Federal Regulations at 45 C.F.R. § 164.

27. COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the internet. It is implemented in the Code of Federal Regulations at 16 C.F.R. § 312.

28. http://www.naic.org/Releases/2017_docs/naic_passes_data_security_model_law.htm

29. https://www.securitepublique.gc.ca/cnt/ntnl-scrt/cbr-scrt/index-en.aspx

30. The Basic Act on Cybersecurity (Act No. 104 of 12 November 2014) and the Act to amend the Cybersecurity Basic Act and Act on the Promotion of Information Processing (Act No 31 of 2016).

31. Banking Act Article 12-2.

32. http://www.fsa.go.jp/en/laws_regulations/

33. Companies Act (Act No. 86 of 26 July 2005).

34. https://www.pcisecuritystandards.org

35. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_PUBLIC.pdf (accessed on 07/12/2017) and https://www.ibm.com/security/data-breach/threat-intelligence (accessed on 7 December 2017).

36. https://www.fca.org.uk/news/press-releases/fca-fines-rbs-natwest-and-ulster-bank-ltd-%C2%A342-million-it-failures

37. https://www.bankofengland.co.uk/news/2014/november/pra-fines-rbs-natwest-and-ulster-bank

38. See footnote 9.