EBA CLEARING is a financial market infrastructure that provides pan-European payment systems for the clearing and settlement of payments in euros. What we do – ensure that euro payments can happen anywhere, anytime, by anyone, in any language – would not be possible without standards. Standards are the bread and butter of our organization and the financial industry more broadly. Standards and technical interoperability allow us to talk to each other across systems with an efficient use of resources, unlocking value for users.

Compliance and reporting to regulatory authorities is another area where standardization plays an important role and can unlock considerable benefits for the different stakeholders. This is particularly true for cyber security-related compliance and reporting requirements, which have seen a substantial surge over the past five years.

While cybercrime has been around for decades, the 2016 cyber heist against Bangladesh Bank was a watershed moment for financial authorities around the world. In its aftermath, many financial regulators ramped up their focus on cybersecurity, delving far deeper into firms’ cyber readiness and maturity than they had previously.

It's Only the "How" That's Different

The content of regulatory guidance, assessments, expectations, and requirements for cybersecurity is largely the same around the world. Authorities are aligned in focusing on identification, detection, protection, recovery, awareness, and learning. The related controls and processes for handling vulnerabilities are quite similar. However, the structure, format, metrics, timeframes and, in particular, reporting requirements often differ so widely that many firms must hire entire departments to slice and dice the same information to suit the specific questionnaire or assessment. Even in the European Union, EU-wide directives are adapted by national governments when transposing them into national law. For firms that operate in multiple jurisdictions, the resulting fragmentation is complex to manage and diverts cybersecurity resources from improving detection and protection capabilities to handling compliance matters.

Rules for notifications and communications are subject to the same problem, which can be particularly challenging when dealing with a cyber incident. In addition, information sharing is often mandated by multiple entities. However, the power of information sharing in helping the industry fight cybercrime is diluted when the sharing happens across multiple platforms.

Imagine, though, that there was one secure global channel for reporting cyber incidents, from which reports could then be disseminated to the various authorities as needed, and, in addition, streamlined assessments that could be used as a common benchmark across jurisdictions. This would save cyberattack victims precious time and resources just when they need them most.

Europe has come a long way in understanding the benefits of this harmonized approach. The Digital Operational Resilience Act (DORA), for example, proposes to streamline and upgrade rules on the security of network and information systems supporting the business processes of financial entities and, in particular, digital operational resilience risk management, governance, incident reporting, digital testing, information sharing, and third-party oversight and management. FMIs such as EBA CLEARING are already subject to unified standards under the European Central Bank’s (ECB) Cyber Resilience Oversight Expectations (CROE), published in December 2018. When approved, DORA will apply to many different types of entities, including banks, stock exchanges, cloud providers, and fintechs.

When adopted, DORA will become the reference point for EU-based authorities; as DORA is updated, other regulations will also update by way of reference. This will go a long way towards harmonizing the requirements of various regulatory authorities and streamlining relations within the financial sector. We have entered a new phase of financial technology where digitization is happening at record speed. More efficient communications with the authorities will allow our industry to be more agile.

Of course, many financial institutions operate on several continents. It may take some time for regulatory harmonization to happen at a global level, but it is still a worthy goal.

A Pill for the Headache of Third-Party Risk Management

The benefits of standardization of reporting and compliance extend beyond relations with regulators. They can also be useful for providing assurance to, or obtaining assurance from, third parties. For example, standards like ISO 27001 on information security and ISO 23001 on business continuity allow financial institutions to easily understand the levels of readiness and maturity of their providers. Their providers can readily confirm these levels without anyone having to create their own metrics. The same would apply to DORA and other meta-standards that cover broad swathes of the industry.

The financial sector’s robust security is not only a function of regulation. Our business is built on customer trust; we invest in security to protect the assets entrusted to us. However, efficiencies in handling cyber requirements and reporting allow firms to allocate more resources to prevention, detection, response, and resilience capabilities, focusing our efforts on the ever-increasing challenge of protecting key assets of our customers against cybercrime.

The Insight

While financial regulators around the world are rightly focused on ensuring firms’ cyber readiness and assessing maturity, their methods of measurement can vary widely. Just as the industry is built on standards to maximize efficiency and interoperability around the world, regulatory harmonization would streamline cybersecurity assessment and compliance as well as third-party risk management, unlocking more resources for cyber protection and defense.

September 2021

© 2021 FS-ISAC, Inc. All rights reserved.
