Banks supervised by the European Central Bank (ECB) will be required to report all major cyber incidents from this summer, ECB board member Sabine Lautenschlaeger has said.
20 Jun 2017
A cyber incident reporting framework will be set up based on a successful pilot run last year.
"This will help us to assess more objectively how many incidents there are and how cyber threats evolve. It will also help us to identify vulnerabilities and common pitfalls," Lautenschlaeger said during a speech in Frankfurt.
"Although the damage has been limited so far, we banking supervisors take cyber risk very seriously. And we insist on banks doing the same," she said.
The ECB also performs reviews to assess the risks facing each bank and the sector as a whole, and to raise awareness of risk, Lautenschlaeger said. Insights from reviews in 2015 and 2016 helped to develop a methodology for on-site inspections, analytical tools for off-site supervisors, and a cyber risk profile of each bank.
Technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "This comes alongside the fraud and risk reporting requirements under PSD2 [the revised Payment Services Directive] related to third party operators. With all of this data comes the responsibility to use it in a way that helps to combat cyber risks. It’ll be fascinating to see how the ECB’s role develops around that and how it can form part of the ecosystem that exists with industry bodies like FFA (Financial Fraud Action) and commercial security organisations."