Abstract
In the midst of several large cyberattacks in 2017, the European Commission adopted its multi-sector cybersecurity package in September of that same year. Whereas this initiative can be expected to contribute to strengthening the cyber-resilience and response of EU financial firms, several policy issues and unanswered questions remain. In order to analyse the issues that are considered to be relevant to financial fields (retail banking, corporate banking, capital markets, financial infrastructure and insurance), CEPS-ECRI organised a Task Force between September 2017 and May 2018 with a group of experts from the financial industry, tech industry, national supervisors and European institutions, as well as from a consumer association and a law firm.
In this book, based on the Final Report, the Task Force members identify nine policy issues that need to be further addressed in order to bolster the financial industry’s cyber-resilience against current and future threats.
Sylvain Bouyon is a Research Fellow and Head of Fintech and Retail Finance at CEPS and ECRI.
Simon Krause is a Visiting Researcher at CEPS.
Table of Contents
Section Title | Page
---|---
Cybersecurity In Finance | Cover
CONTENTS | v
Abbreviations | vii
Foreword | viii
Executive Summary | 1
1. Characterisation of cyber-incidents | 7
1.1 Definitions | 7
1.2 Types of cyberattacks in financial services | 8
2. Need for convergence in incident reporting schemes | 14
2.1 Increase in legislation with incident reporting requirements | 14
2.2 Need to develop a common taxonomy for incidents reporting | 20
2.3 Need to develop an efficient legislative and institutional framework for incident reporting | 21
3. Optimising information sharing | 26
3.1 Different models of information sharing | 26
3.2 Sharing of relevant information with different types of stakeholders | 28
3.2.1 With other regulators and supervisors | 28
3.2.2 With other financial firms | 28
3.2.3 With potential clients of financial firms | 29
3.3 Need for a high level of protection of data held by the EU hub | 31
4. Need for benchmark statistics on cyber-trends | 33
4.1 Statistics on the number of incidents | 33
4.1.1 Other policy areas have their benchmarks | 33
4.1.2 Cyber-criminality does not have such statistics at the moment | 34
4.1.3 Incident reporting: Statistical parallel with offline criminality | 35
4.1.4 Conditions for compiling robust macro statistics | 35
4.2 Encouraging best practices for financial impact statistics | 36
5. Complementary policies to reinforce prevention | 38
5.1 Promoting cyber-hygiene | 38
5.1.1 What is cyber-hygiene? | 38
5.1.2 Core principles | 38
5.2 Use of certifications: A must-do? | 40
6. Complementary policies to strengthen responses in case of cyberattacks | 45
6.1 Attribution and criminalisation: Reinforcing cross-border cooperation and legal convergence | 45
6.2 Best practices in remedies in case of cyberattacks | 47
6.3 Is an emergency fund needed in case of large cyberattacks? | 51
Conclusions | 57
Annex - Task Force Members, Observers and Speakers | 59