Out-Law News 1 min. read

Financial institutions and cyber risk: incidents, breaches and confusion as to what to report and when


John Salmon’s Financial Services blog

Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.

The European Parliament's policy department for economic and scientific policy (let's call them the ESP Department just for fun) made a very good recommendation this week – the EU should "strive for transparency in the EU policy framework for cyber security." I would go further and suggest that they should strive first for coherency.

For 2013, cyber risk is the most highly talked about operational risk according to the Bank of England's annual systemic risk survey. The ESP Department's paper 'Data and Security Breaches and Cybersecurity strategies in the EU and its international counterparts' (172-page / 4.7MB PDF) illustrates that there is good reason to be talking about cyber risk. It suggests that:

  • no-one knows the difference between what constitutes a 'security incident', a 'security breach' and a 'data breach' and how the differences are relevant or why they are important;
  • no-one understands the EU cyber governance and security body framework;
  • there is significant overlap between reporting obligations under various legal instruments and not just in terms of telecommunications and proposed data protection laws reporting regimes;
  • the proposed Directive does not address its potentially negative impact on the uptake of cloud and other innovative services;
  • only India has decided to go ahead with a comparable regime in respect of security incident reporting; and
  • the Directive focuses too heavily on public cyber security and not enough attention is given to how private organisations should respond to cyber attacks.

Worryingly, the ESP Department also suggests that 10% of financial institutions do not have adequate cyber response regimes in place.

A key concern is obviously the mounting administrative burdens that the Commission is proposing be imposed on businesses in terms of reporting. If the proposals were adopted in their current forms, financial institutions potentially could be placed in the situation where they are required to report a security incident to one authority, a data breach to another, and perhaps both to the Financial Conduct Authority. Without clear direction as to what to report to whom and when, financial institutions could be left in a state of confusion.

Will the introduction of both an 'incident reporting regime' and a 'data breach reporting regime' really bring any benefits to the economy, the business of financial institutions or the interests of consumers? The ball is now in the Commission's court to provide clear evidence indicating that benefits exist beyond simply the suggestion that the dual regime will incentivise good behaviour. Otherwise, combine the two or scrap one.
