Out-Law News
19 Sep 2013, 1:11 pm
Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.
The European Parliament's policy department for economic and scientific policy (let's call them the ESP Department just for fun) made a very good recommendation this week – the EU should "strive for transparency in the EU policy framework for cyber security." I would go further and suggest that they should strive first for coherency.
For 2013, cyber risk is the most highly talked about operational risk according to the Bank of England's annual systemic risk survey. The ESP Department's paper 'Data and Security Breaches and Cybersecurity strategies in the EU and its international counterparts' (172-page / 4.7MB PDF) illustrates that there is good reason to be talking about cyber risk. It suggests that:
Worryingly, the ESP Department also suggests that 10% of financial institutions do not have adequate cyber response regimes in place.
A key concern is obviously the mounting administrative burden that the Commission is proposing to impose on businesses in terms of reporting. If the proposals were adopted in their current forms, financial institutions could potentially be placed in a situation where they are required to report a security incident to one authority, a data breach to another, and perhaps both to the Financial Conduct Authority. Without clear direction as to what to report to whom and when, financial institutions could be left in a state of confusion.
Will the introduction of both an 'incident reporting regime' and a 'data breach reporting regime' really bring any benefits to the economy, the business of financial institutions or the interests of consumers? The ball is now in the Commission's court to provide clear evidence indicating that benefits exist beyond simply the suggestion that the dual regime will incentivise good behaviour. Otherwise, combine the two or scrap one.