Businesses operating in the European Union are subject to the strictest cybersecurity and data protection regulations in the world. This is doubly so for financial services firms, which are subject to general laws concerning all businesses as well as specific laws concerning businesses in essential industries.
Financial services firms’ exact data protection and cybersecurity obligations may vary according to where in Europe there are based and what services they provide. The most important EU rules and regulations to be aware of are:
- General Data Protection Regulation (GDPR)
- Network and Information Security (NIS) Directive
- European Banking Authority (EBA) Guidelines on ICT and Security Risk Management
- Proposed Digital Operational Resilience Act (DORA)
General Data Protection Regulation (GDPR)
Implemented in 2018, the GDPR affects any business established in the EU, offering goods or services to anyone in the EU, or collecting/storing/transferring/using personal information about European citizens. It covers all 27 EU member states, as well as the United Kingdom (which has retained the GDPR in its domestic law despite exiting the EU), and European Free Trade Association (EFTA) states Iceland, Liechtenstein, and Norway.
The EU doesn’t recognize U.S. data protection laws. Therefore, U.S.-based businesses must get certified under the EU-U.S. Privacy Shield Framework in order to be able to transfer personal data from the European Union to the United States (or the Swiss-U.S. Privacy Shield Framework in order to transfer data from Switzerland, which is not in the EU or EFTA).
Chapter 3 of the GDPR outlines the data privacy rights that people are guaranteed under EU law. Businesses that fail to comply with these rules may suffer financial penalties. Among other things, your business must:
- Explain how you process data “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
- Communicate specific information to the user at the moment you collect their personal data
- Uphold the right of users to know the source of their personal data, the purpose of processing, and the length of time the data will be held, among other rights.
- Uphold the “right to be forgotten”, under which users have the right to request that you delete any information about them that you hold.
- Store your users’ personal data in a format that allows users to easily share the data with third parties. Moreover, if a user asks you to send their data to a third party, you must do it, even if the party is a competitor to your business.
- Uphold the right of your users to have you stop processing their data, unless you can show a “legitimate basis” for using their data.
Network and Information Security (NIS) Directive
The EU Network and Information Security Directive was implemented in 2018 and was the first EU-wide regulation to focus on cybersecurity. Under the NIS Directive, businesses identified by EU member states as operators of essential services – including financial markets and banking – will be required to take appropriate cybersecurity measures and to notify relevant national authorities of serious incidents. The UK has implemented its own version of the NIS Directive in domestic law despite leaving the European Union, just like it did with the GDPR.
The European Commission is currently examining a revised directive, known as the NIS 2 Directive or NIS 2.0. This would see the introduction of a size cap, meaning that all medium and large companies covered by the NIS would be included in the scope. At the same time, it would leave some flexibility for member states to identify smaller entities with a high security risk profile. It is also proposing a rule that would require businesses to address cybersecurity risks in supply chains and supplier relationships.
European Banking Authority (EBA) Guidelines on ICT and Security Risk Management
The EBA Guidelines on ICT and Security Risk Management entered into force in June 2020. The guidelines established requirements for credit institutions, investment firms, and payment service providers on the mitigation and management of their internal and external information and communications technology (ICT) and security risks.
Key principles outlined in the Guidelines include:
- Governance and strategy. Financial institutions should ensure they have adequate internal governance and internal control framework in place for ICT and security risks; and they should ensure that the quantity and skills of staff is adequate to support ICT operational needs and ICT and security risk management processes.
- ICT and security risk management framework. Financial institutions should identify and manage their ICT and security risk; and they should assign responsibility for managing and overseeing ICT and security risks to a control function that is appropriately segregated from ICT operations processes.
- Information security. Financial institutions should develop and document an information security policy that defines the high-level principles and rules to protect the confidentiality, integrity and availability customers’ data and information.
- ICT operations management. Financial institutions should manage their ICT operations based on documented and implemented processes and procedures. This should include logging and monitoring procedures for critical ICT operations to allow the detection, analysis, and correction of errors.
- ICT project and change management. Financial institutions should establish and implement an ICT project management policy that includes at a minimum: project objectives; roles and responsibilities; a project risk assessment; a project plan; timeframe and steps; key milestones; and change management requirements.
- Business continuity management. As part of sound business continuity management, financial institutions should conduct business impact analysis by analyzing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data.
Proposed Digital Operational Resilience Act (DORA)
In September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA). The objective is to implement a cohesive regulation framework for the financial services factor that incorporates new and existing rules (including those covered by the aforementioned EBA Guidelines) on managing cyber risks and building resilience against cyberattacks and cyber-threats.
DORA would apply to financial entities such as credit and payment institutions, electronic money institutions, investment firms, crypto-asset service providers, alternative investment funds managers, management companies, insurance undertakings and intermediaries, credit rating agencies, audit firms, institutions for occupational retirement pensions, securities, trade, and securitization repositories, and crowdfunding service providers.
As global law firm Mayer Brown has noted, financial entities will be required, among other things, to:
- Implement an ICT risk management framework to ensure effective and prudent management of all ICT risks, including detection, response, and recovery.
- Use and maintain updated ICT systems which are technologically resilient.
- Design and implement ICT security strategies and policies, including an information security policy, business continuity policy, and backup policy, to ensure the resilience, continuity, and availability of ICT systems.
- Establish and implement an ICT-related incident management process to detect and manage ICT-related incidents.
- Report major ICT-related incidents to the relevant competent authority within prescribed timeframes to allow financial supervisors to better assess the frequency, nature, significance, and impact of all major ICT-related disruptions.
- Perform regular digital operational resilience testing by independent parties; and
- Manage ICT third-party risk as an integral component of its ICT risk management framework.
When it comes to upholding your financial services firm’s cybersecurity regulatory requirements, a good place to start is by getting certification for relevant risk management and risk assessment standards. Moreover, we should note that under the recent EU Cybersecurity Act, the European Union Agency for Cybersecurity (ENISA) is also working on an EU-wide cybersecurity certification framework for businesses.
Another way of staying compliant and protecting your business is to use the services of a managed Security Operation Center (SOC) platform. A well-managed SOC platform can provide the threat intelligence and incident response capabilities of a multi-billion dollar company at a price regular-sized financial services businesses can afford.