Cybersecurity and operational resilience: challenges for the financial sector

Dr. Anastasia Kotovskaia, LL.M., heads the Financial Markets & Information Technology Department at the Centre for European Policy in Berlin. As a seasoned legal expert, she provides this political think tank with comprehensive background knowledge in regard to ongoing EU policy proposals, evaluates their potential impacts, and offers feasible solutions for the greater EEC. She has published several articles in the fields of law, finance, and information technology. We recently asked her to give an opinion on the role of IT security within the financial sector.

The information revolution has dramatically contributed to the development of digital technologies throughout the financial sector. Banks now provide their business affiliates and customers with mobile applications and online banking systems that allow basic banking transactions to be conducted remotely. Unfortunately, these very same services present tempting targets for cybercriminals, due to potential security vulnerabilities. In 2021 alone, annual losses due to cybercrime amounted to over $6 trillion worldwide. Perhaps more concerning is that these threats are becoming increasingly more sophisticated. As a result, secure online banking solutions are an absolute must. Cyberattacks typically aim to gain access to, alter, or fraudulently use sensitive data, steal money from affiliated users, or disrupt everyday business operations. Implementing effective measures to protect operating systems, programs, and financial networks from cyber attacks is essential to the smooth functioning of a financial enterprise. 

In order to expedite transactions and provide targeted fiscal services, financial companies are obligated to access sensitive customer information. Typical data sets include payment data, credit reports, and similar private details. Unfortunately, these are all attractive to cybercriminals. Should a security vulnerability arise, hackers can access and use this information to their advantage. This is why it is crucial for financial firms to implement powerful storage solutions, as well as promptly identify and remedy possible security flaws. Financial firms are under intense competitive pressure. In order to gain an edge, they are often required to implement new digital products and services to meet the needs of their customers. Employing modern (and potentially less-proven) technologies can lead to profound cyber risks in the financial sector. Banks and FinTech companies often use third-party software, which can create a security bottleneck. Hackers may be able to exploit systemic weaknesses to access sensitive data and steal valuable information. Additionally, the increasing prevalence of cloud storage is associated with its own set of risks. Financial organizations need to ensure that the proper technical infrastructure is in place and securely configured to protect against malicious attacks.

Financial firms are under an increasing amount of pressure to comply with legal requirements and to ensure a high level of operational cybersecurity resilience. In recent times, a number of pioneering EU-wide regulations have been adopted. One primary directive involves Network and Information Security 2 (NIS2). The main intention is to establish a recognized horizontal framework for cybersecurity. This is followed by the Digital Operational Resilience Act (DORA), highlighting the rules and guidelines specifically intended to be used by financial service providers. Both of these regulations were adopted on November 28, 2022. Both DORA and the NIS2 Directive are expected to adopt additional regulatory and technical implementation standards in accordance with other governmental bodies, such as the EBA, ESMA, and EIOPA. These changes and the associated obligations are predicted to come into effect by late 2023 or early 2024. The main goal of these European regulatory frameworks is to augment the overall levels of security proposed by the Cyber Resilience Act (CRA), which is still in the legislative process.

The Network and Information Security Directive 2 is tasked with establishing and implementing high levels of cybersecurity throughout the European Union, particularly in regard to companies considered to be essential in maintaining a functional society. Examples include banks, central counterparties, and trading houses. All entities falling within the scope of NIS2 are obligated to take the necessary technical, operational, and organizational measures to address potential security risks and mitigate the negative consequences of a cyber attack. This directive provides comprehensive guidelines in relation to risk management. One example may include the adoption of a company-wide system designed to immediately report security incidents to supervisory authorities. The NIS2 is also associated with the development of contingency plans to be applied before and during a cyber attack. The NIS2 Directive clearly stipulates that risk mitigation procedures are the responsibility of managerial stakeholders. This essentially signifies that management will be liable for any losses resulting from a failure to comply with NIS2 provisions. Risk management is particularly focused on the following elements:

• Risk analysis
• Security concepts for information systems
• Cyber incident management and prevention mechanisms
• Backup protocols and crisis management
• Measures to ensure supply chain security
• Training of personnel on cybersecurity
• Use of multi-factor authentication and encryption techniques

NIS2 is designed to create uniform regulations when dealing with cybersecurity risks, regardless of the facility in question or the scope of its operations. However, some financial institutions may require sector-specific requirements (defined as "lex specialis"). This signifies that they could be obligated to comply with provisions associated with the Operational Stability Ordinance, as defined by the DORA framework. These may, therefore, take precedence over NIS2 regulations. Above all, the primary goal is to ensure that companies are able to effectively manage (and report) cyber threats and incidents. NIS2 guidelines must be implemented correctly by October 17, 2024. These regulations will be applicable within all EU member states.

In the financial sector, prior to the adoption of DORA, there were already various requirements covering key categories of financial risks, such as credit, general compliance, liquidity, counterparty defaults, and risks associated with the open market. These regulations were meant to deal with issues such as the allocation of capital and operational threats. However, not all concerns had been addressed, especially in relation to operational resilience. When combined with security incidents, such as a cyber attack, the stability of the entire financial system may be jeopardized. DORA is intended to circumvent such a possibility by clearly defining uniform requirements for the security of network and information systems. However, it is not only banks that fall within the scope of DORA. These regulations will apply to a wide range of financial institutions, including investment firms, crypto asset service providers, alternative investment fund managers, payment providers, e-money institutions, central securities depositories, UCITS firms, critical benchmark administrators, and crowdfunding service providers. Not only will DORA increase operational resilience within the digital domain, but it will strengthen existing cybersecurity protocols while simultaneously addressing many of the risks associated with Information and Communication Technology (ICT) across the EU. This arises from the fact that financial service companies are becoming increasingly connected to third-party firms offering dedicated ICT products and services. European legislators are specifically focused on the potential threats posed by cloud service providers. According to statistics, approximately 45% of all worldwide data breaches now occur within the cloud. DORA specifies the following requirements for financial companies:

• Regarding the management of ICT risks: DORA requires all financial firms to have a comprehensive ICT risk management plan in place. This includes specific ICT strategies, as well as dedicated in-house tools and processes that enable them to identify risks at an early stage. Furthermore, such approaches can help downplay the severity of a cybersecurity incident. Firms will also need to implement backup plans in order to recover from incidents as soon as possible. It is also necessary to evaluate the potential threats associated with third-party services and ensure that only reputable providers are used.
• Testing operational resilience: Firms must test and evaluate their operational resilience on a regular basis. This process should embrace a risk-based approach and go well beyond a one-size-fits-all solution. The intention is to guarantee that tailor-made strategies can satisfy the needs of specific business models.
• Reporting serious ICT-related incidents to financial regulators: Companies are obligated to record any type of cyber attack or similar security incident and report it to the proper regulatory authority. This procedure is similar to reporting data breaches to the competent data protection authority under the General Data Protection Regulation. The deadlines for reporting incidents will be outlined in the upcoming regulatory standards recommendations.

In addition, DORA will determine the contractual requirements between financial companies and third-party ICT firms. This regulation requires financial institutions to include provisions within their contracts when dealing with third-party providers. Note that some of these rules may overlap existing outsourcing guidelines stipulated by the EBA. However, certain regulations are not coherent, and DORA provides a handful of new requirements. Therefore, companies should compare their current contracts with DORA guidelines. This is the best way to ensure that the appropriate actions are taken before the end of the initial implementation period. Due to ongoing cybersecurity threats and the importance of IT risk management, new regulatory requirements are necessary. Thus, DORA will impact the entire financial industry, including banks, insurance brokers, and IT service providers. Management is ultimately responsible for reviewing, improving, implementing, and updating their risk management framework. This is also assuming that management is inherently familiar with ICT protocols and the risk profile of their financial institution. DORA will come into effect on January 17, 2025. However, it is imperative that the entire financial sector immediately begins preparing in order to avert any future compliance issues. Experts recommend conducting a gap analysis or similar assessment and establishing a roadmap for full regulatory compliance. This is necessary to determine the efficacy of the firm's existing security measures and to avoid unpleasant surprises in the future. Furthermore, companies may be penalized if they are found to be in violation of DORA standards. In severe cases, financial regulators can force financial firms to suspend contracts with third-party ICT service providers if they fail to comply with the legal requirements.

The European Commission presented an initial draft of the Cyber Resilience ACT (CRA) on September 15, 2022. These regulations provide legal provisions for software and hardware products related to cybersecurity and remote data processing solutions. The CRA will have far-reaching effects on manufacturers, distributors, and importers of products who are required to validate their digital services. This act does not impose regulations on financial entities unless they offer the services mentioned above. However, the CRA is still likely to have an immediate and significant impact on the financial market. The requirements set out in the CRA will address the security gaps in products with digital elements that financial firms use to provide their services. 

Strengthening operational resilience and cybersecurity measures is not merely a legislative concern. Implementing the proper solutions is in the best interests of the firms themselves. There are several reasons for this. First, security vulnerabilities will negatively impact the reputation of any company. Customers must be confident that their money is protected at all times. Secondly, successful cyber attacks can impact the liquidity of customers as well as the financial firm. Research indicates that the annual cost related to operational security incidents in the financial sector is between €2 billion and €27 billion in the EU alone. Additionally, these very same security incidents pose a threat to financial stability. This arises from the fact that financial companies have become increasingly interconnected, enabling a single incident to spread quickly throughout the financial sector and cause significant economic damage. Finally, implementing effective tools to address security protocols will help reduce long-term operational costs for financial firms.

Considering how much is at stake, it would be foolish not to take security risks seriously. This is why continually strengthening the integrity of cybersecurity systems is crucial to improve operational stability, regardless of legislation and legal obligations. Vulnerability assessments should be regularly performed in order to assess ongoing ICT protocols, detect any suspicious activity, and adopt the latest strategies. The ability to link cybersecurity concerns with operational and digital stability will help take the guesswork out of the equation, especially when we consider how closely these systems are related. Therefore, it is critical that financial institutions develop an approach that takes the latest regulatory requirements into account. When developing systems to mitigate and prevent cyber threats, the entire sector is fighting a common enemy. Therefore, financial firms should be proactive and advocate for greater security through means that go above and beyond benchmark regulatory requirements. This will help guarantee a greater degree of safety. Effective methods include sharing best practices learned from personal experience and voluntarily disclosing anti-fraud measures. Furthermore, companies must conscientiously train employees so that responsible behavior becomes standard practice. This form of education should be used in tandem with effective customer communications in order to protect against cybercrime. N26 explicitly agrees with all of the above points and employs state-of-the-art security mechanisms, such as biometric authentication and 3D Secure, to ensure secure online transactions. N26 security teams operate on a 24/7 basis to analyze potential threats and test technical product security. The N26 blog also informs customers of new threats and how to prevent them, such as bank transfer scams, debit card fraud, voice phishing, and other online scams. 

The financial sector suffers an average of 1,130 cyber attacks each week. This number has doubled compared to the previous year. Without a doubt, financial institutions will continue to be affected by all types of cyberattacks in the future. At the same time, cybercriminals are becoming more resourceful every year. Financial institutions must, therefore, keep abreast of the latest developments and regularly develop new approaches to effectively combat these ongoing threats.