Out-Law News

Network and Information Security Directive – beyond the banks, to which organisations will it apply?
John Salmon’s Financial Services blog

Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.

As reported a few weeks ago the UK Government put out a call for views and evidence on the proposed EU Directive on Network and Information Security with submissions required before 21 June 2013. 

The proposed Directive which the European Commission published earlier this year as part of its wider cyber security strategy sets up a regime which would require private entities within some sectors and public administrative bodies to:

  • take steps to manage security risks more stringently, and
  • notify local regulators, and in some circumstances the public, of "incidents having a significant impact on the security of the core services they provide."

The Commission has described the Directive as "the main action" of its strategy and intends for it to bring about a high level of commonality of network and information security across the European Union.

As the proposed Directive mandates security processes and controls which would be significant for most organisations in terms of both cost and administration, financial institutions need to be clear on whether or not potentially they will be subject to the provisions of the proposed Directive.

For those organisations to whom the provisions may potentially apply, the Government's consultation provides a good opportunity to influence the EU's legislative agenda at an early stage.

Who is this aimed at?

The proposed Directive will apply to 'market operators', which are defined to include "providers of information society services which enable the provision of other information society services". 'E-commerce platforms' are specifically listed as an example of such providers, but are not defined further.

An 'information society service' is defined by the E-Commerce Directive (98/34/EC) to include "Any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service". The term has been given an expansive interpretation at EU level on a number of occasions, and it is now very difficult to argue that the operator of any online service does not provide an 'information society service'.

The proposed Directive is not intended to apply to all 'information society services'. Only those that enable other information society services are included within its scope. But the Commission's concept of an 'enabler of an information society service' is a new one, and from the text of the proposed Directive it is not clear exactly what is meant here.

The recitals to the Directive give some indication as to the Commission's thinking. They state that the Directive is intended to apply to 'key information society services' and that "Disruption of these enabling information society services prevents the provision of other information society services which rely on them as key inputs". So this casts the net broadly and could be construed to cover any platform that enables the delivery of products or services online. Without a statement to the contrary from the Commission, there seems to be no reason to suggest that a more restricted definition would apply.

Every financial institution which operates any type of e-commerce platform should therefore consider responding to the Government's call for views and evidence on the proposed Directive.

'Market operators' & critical infrastructure

An "operator of critical infrastructure that is essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health..." will also fall within the scope of the proposed Directive. The Directive specifically lists credit institutions, stock exchanges and central counterparty clearing houses as examples of such operators. The list is non-exhaustive.

Like the concept of an 'enabler of information society services', the concept of 'an operator of critical infrastructure for the maintenance of vital economic activities in the field of banking' is a new one and will need to be either tightened or explained in more detail by the Commission.

The consultation

The consultation presents financial institutions with an opportunity to help define the UK's position as to the circumstances in which a security breach should be considered to have a significant impact on the security of the core services they provide.

The Government will be considering whether the reporting threshold which currently applies to the telecommunications sector for security breaches should apply equally to other sectors, including the financial services sector. Financial institutions will therefore want to consider internally whether it is fair for the thresholds that apply to the telecommunications sector to apply equally to the financial services sector. They should also consider which circumstances they currently classify as 'incidents' and the point at which they consider an incident to have a 'significant impact'.

Of course, the scale of disruption, the number of customers affected and the duration of a loss of service will be key factors to consider and ones of which the Government is well aware. Hopefully those who respond to the consultation will provide needed insight based on practical experiences as to other factors which should be taken into account in assessing the significance of a security breach.