Gottfried Leibbrandt said he backed efforts being undertaken in the EU over the creation of a new cyber security framework but said that such a framework must be compatible with rules and regulations in place elsewhere in the world. SWIFT is a Belgium-based business that co-ordinates payments between financial institutions located across the world. The European Commission published its cyber security strategy in February 2013 alongside proposals for a new Directive on network and information security (NIS).
"Directly conflicting regulation is a critical challenge, and we would urge [the responsible EU] Directorate, and indeed all legislators and regulators, to ensure that rules and regulations do nothing to limit digital companies’ abilities to operate across borders," Leibbrandt said in a recent speech at the European Commission's high level conference on cyber security in Brussels. "We need legal certainty; we can’t be caught in the middle."
"We agree that an EU cyber security framework is needed and that the bar must be set high. But the framework must work internationally, and the bar must be accepted internationally. If the Commission can achieve this, it will be able to ensure that Europe’s citizens are protected the way they should be, – that European players like SWIFT can operate globally and that competition inside and outside Europe flourishes," he said.
"Subjecting digital operators to a patchwork of rules and or to conflicting demands will neither protect citizens, nor will it foster EU champions nor will it allow for a competitive marketplace," Leibbrandt added.
The SWIFT chief executive also called for the creation of "globally accepted standards" on cyber security, in particular around personnel vetting, supplier certifications, readiness levels and penetration testing, as well as associated "best practice definitions".
"Developing and agreeing standards will be a challenge internationally, and we will need to change and adapt the standards to keep up with technological developments and rising threat levels – but we should be bold and set out to do this," Leibbrandt said. "Sooner rather than later. This will also make it much easier to reach agreement on oversight of global infrastructures like ourselves, making it for example easier for others to rely on ‘home-country cyber supervision’ both within Europe and globally."
Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that international businesses face a "real challenge" in meeting differing local legal requirements. He said Leibbrand was right in identifying data protection and security standards as the examples of how "the same issues are handled differently around the world".
"As technology in payments grows, and the focus increasingly moves from the domestic to the international market to achieve economies of scale, operators will be confronted with this issue and so it’s key to achieve compliance by design, rather than as an afterthought," McFadyen said.
"The PCI security standards are a good example of truly international rules, which require equivalent levels of compliance around the world. Whilst the PCI security standards can be criticised for, amongst other things, being open to differing interpretation, what they achieve is admirable as organisations know that wherever they operate and whatever system they build, they will need to follow them as a single set of rules," he added.
As the EU moves towards more rules and regulation on cyber security, the UK government has separately outlined its plans for a new organisational standard on cyber security that businesses can adhere to. In addition, a new cyber security framework has been developed in the US.
In October last year, leading Chinese technology company Huawei called for "a standard or set of standards for cyber security in the telecommunications context" to be developed. The development and implementation of global cyber security standards could improve businesses' ability to fend off hackers' attacks on their systems, it said.