Plans to harmonise the EU regulatory framework for digital operational resilience in financial services have now been published.
Let's look at the potential impact on EU firms and the new measures they'll need to put in place to prevent or limit the impact of ICT-related incidents.
The proposal and scope of application
On 24 September 2020 the European Commission published its Proposal for a Regulation on Digital Operational Resilience for the Financial Sector. The proposed regulation would introduce a detailed and comprehensive framework on digital operational resilience and management of ICT-risk across EU financial services firms.
It aims to consolidate and update the ICT risk requirements currently addressed across various pieces of EU sectoral legislation. Instead, all provisions addressing digital risk in finance in the EU would be brought together in a consistent manner in a single legislative act for the first time.
The requirements would apply across the EU banking, insurance and securities sectors (which we'll refer to here as "Financial Entities) to ensure consistency around ICT risk management in financial services.
Focus on ICT risk
The requirements focus specifically on the management of "ICT risks", which is broadly defined. To date, financial services legislation has tended to focus on operational risks generally or those associated with outsourcing specifically (the EBA's recent guidelines on ICT and Security Risk Management are one exception to this).
By contrast, the proposals take a holistic approach to ICT risks specifically, seeking to provide supervisors with tools to prevent ICT risks from materialising and causing wider financial stability concerns.
What would Financial Entities be required to do?
The proposals seek to enshrine targeted rules on ICT risk management capability, reporting and testing, in a way which enables firms to withstand, respond to and recover from ICT incidents. The proposals include requirements relating to:
- Governance and responsibility of the management body: The management body would need to maintain (and be accountable for) a crucial, active role in the ICT risk management framework and ensuring strict cyber hygiene. Financial Entities would need to develop their own 'digital resilience strategy' to implement their risk management framework in accordance with the relevant objectives, dependencies and ICT arrangements.
- ICT risk management: To keep pace with a quickly evolving cyber threat landscape, Financial Entities would need to maintain resilient ICT systems, revolving around specific functions in ICT risk management (identification, protection and prevention, detection, response and recovery, learning, and evolving and communication).
- ICT-related incident reporting: The proposals aim to create a consistent incident reporting mechanism, including a management process to monitor, log, and classify all ICT-related incidents. Incidents deemed “major” would need to be reported to competent authorities within strict timeframes, including initial notifications "without delay" on the same day or next day. In some cases, communication to service users or customers may be required.
- Testing: Periodic testing would be required to enable Financial Entities to identify any weaknesses and deficiencies in the ICT risk management framework and implement corrective measures. Some firms will need to carry out threat led penetration testing every three years.
- ICT Business Continuity Policy (BCP): Comprehensive ICT BCPs and ICT Disaster Recovery Plans would be required alongside the Financial Entity's wider business continuity planning.
- Managing and monitoring ICT third-party risk: Management of third-party ICT risk takes the form of a set of general principles, requirements for pre-contractual risk assessments, and monitoring in accordance with principles-based rules.
- Third-party contractual requirements: The proposals would put many of the contractual requirements under the EBA Outsourcing Guidelines onto a legislative footing. They also refer to the potential use of standard contractual clauses (although these are expected to be voluntary).
- Information sharing: The proposals would allow firms to set up arrangements to exchange cyber threat intelligence and information among themselves.
Proportionality and risk-based application is embedded in the proposals, including through the use of qualitative and quantitative assessment criteria. This is intended to enable Financial Entities to tailor the requirements to their specific risks and needs, depending upon their size, business profiles, and technology risks.
Oversight of "critical ICT third-party service providers"
The proposed regulation would also establish a framework for the oversight of ICT third-party service providers which the European Supervisory Authorities (acting through their Joint Committee) designate as “critical” for Financial Entities. This would be based on specified criteria including their systemic importance to the EU financial system.
Brexit and the UK approach to operational resilience
Technology risks have no borders. Unsurprisingly, some of the proposed requirements share similarities with the FCA's and PRA's proposals on operational resilience, although the EU proposals focus more specifically on ICT risk.
The FCA and PRA proposals focus more expressly upon setting impact tolerances for important business services and implementing measures to ensure the firm can remain within those tolerance levels in severe but plausible scenarios (including but not limited to ICT/cyber incidents).
By contrast, the European Commission's proposals would still require Financial Entities to establish risk tolerance levels for ICT risk, but this is part of the wider ICT risk management framework, rather than a key tenet of the requirements.
The FCA has also announced its intention to keep its guidance for firms outsourcing to the cloud and other third-party IT services under review and ensure this remains consistent with relevant international standards "where appropriate". It will be interesting to see how (if at all) the approach of the FCA and PRA develop in response to the EU proposals.
Digital finance package
The European Commission's proposal makes up part of a broader digital finance package published by the Commission, including:
Find out more
If you're an ICT service provider, don't miss our separate article which looks at the proposals to establish a framework for the oversight of ICT third-party service providers designated as "critical" to the EU financial services system. If you have any questions about what we've covered in this article, please contact a member of our Financial Services Regulatory team.
