EU cybersecurity policy in the financial sector
With the inexorable rise of e-commerce comes the inexorable rise of the e-criminal.
Cybercrime is now the world's fastest growing crime. It has leapt to number two of the top
ten business risks worldwide, from not even appearing in that list five years ago. For certain
countries, cyberattack is now the risk of greatest concern. Gone are the days of concern
about a low-level hack of a website by a script kiddie. Today's attackers are multi-faceted
and increasing in sophistication, ranging from advanced persistent threats, corporate
espionage, organised crime and hacktivists to cyberterrorists, ever more competent, and
ever better funded. Cybersecurity has moved from being a technical issue to a political and
boardroom issue. Financial markets are particularly important as they oil the wheels of all
member state economies.
So what should the priorities of cybersecurity be? There are three core themes to address:
(1) governance (at all of organisational, international and national levels);
(2) risk management (both contextually and intelligence driven); and
(3) capability (cybersecurity by design and by default, using a standard framework
applied to context).
Amid several large cyberattacks in 2017, the European Commission adopted its multi-sector
cybersecurity package. Nonetheless, a multitude of issues remain that the financial sector
needs to address to bolster its resilience against current and future threats.
The EU Task Force on cybersecurity policy for the financial sector has recently released
its report (www.ceps.eu/system/files/TFRCybersecurityFinance.pdf) on the main issues at
play across the European financial sector, and they have come up with nine policy
recommendations to advance the effectiveness of cybersecurity. First, convergence in the
taxonomies of cyber-incidents is needed: we clearly need to know what each other is talking
about, although this can be a challenge with tech speak. Second, the framework for incident
reporting needs to be significantly improved to contribute fully to financial institution
cyber-resilience. Third, cybersecurity data need to be shared and authorities should assess
how and to what extent data held by the centralised hub should be shared, and with whom.
Fourth, ambitious policies are needed to develop consistent, reliable and exploitable
statistics on cyber-trends. Fifth, companies can do a lot themselves but best practices for
cyber-hygiene should be continuously enhanced. Sixth, the European Cybersecurity
Certification Scheme needs to be strengthened to contribute better to cybersecurity, cyber-
risk management and capability. Seventh, cybercrime is largely cross border, and the
reinforcement of cross-border cooperation and legal convergence remains a priority, both
within the EU and more widely. Eighth, best practices in remedies in case of cyberattacks
need to be further encouraged. Finally, policymakers should further assess the pros, cons
and feasibility of creating an emergency fund in case of large cyberattacks. Let's look at
these in more detail.
A common taxonomy for cyber-incidents
A common taxonomy across regulations, jurisdictions and sectors should ease the
understanding of multi-country and multi-sector cyberattacks, and eventually strengthen
the quality of responses. Given the ever-changing nature of cyberspace, the reference
