EU Proposes a Joint Cyber Incident Coordination Framework
Aim Is to Achieve Quick Response to Cyber Incidents Affecting Financial Sector
The European Systemic Risk Board has proposed a new systemic cyber incident coordination framework called EU-SCICF. The framework is designed specifically to counter major cross-border cyber incidents in the financial sector with a coordinated response from all EU member states.
The European supervisory authorities - the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority - have issued a public statement welcoming the proposal.
The framework builds on the European Commission's proposed Digital Operational Resilience Act, or DORA. The ESRB's recommendation, issued in December 2021, calls the coordination roles of the ESAs "essential" and directs them to jointly carry out the preparatory work required for the framework.
Implementation of the EU-SCICF depends on the DORA regulation entering into force, which is expected later this year.
The ESAs are due to report to the European Parliament, the Council, the EU Commission and the ESRB next year. An interim report, a final report and a report on implementation will follow, and by Dec. 31, 2025, the commission is to deliver its own report on the implementation of the recommendations to the European Parliament, the Council and the ESRB for approval.
A spokesperson for the European Central Bank tells Information Security Media Group: "Given the risk to financial stability in the Union stemming from cyber risk, preparatory work for the gradual establishment of the EU-SCICF should, to the extent feasible, start even before the required legal and policy framework for its establishment is fully applicable. This legal and policy framework would be completed fully and finalized once the relevant provisions of DORA and of its delegated acts become applicable."
The Need for the Framework
The ECB spokesperson tells ISMG: "The objective of the framework is to circumvent the risk of a coordination failure by authorities. Financial authorities in the Union will need to coordinate among themselves and with other authorities, such as the European Union Agency for Network and Information Security (ENISA). As such, while the framework is mainly intended for financial institutions and (financial) authorities, cooperation with cyber authorities such as ENISA, NIS and the Joint Cyber Unit is envisaged. The ESRB did not make any recommendation on the cooperation between financial and cyber authorities and leaves this decision open for the recommendation addressees."
"Cyber incidents could pose a systemic risk to the financial system given their potential to disrupt critical financial services and operations and thereby impair the provision of key economic functions," the ESRB says in a report published last week and shared with Information Security Media Group.
"A cyber incident could cause operational disruption, inflict reputational damage on the financial system and result in financial loss. Amplification of the initial shock could occur either through operational or financial contagion or through an erosion of confidence in the financial system. If the amplification mechanism is triggered, the original shock is likely to be transmitted through the financial system and may even entangle financial institutions that were unaffected by the initial cyber incident," the report says.
The report also says that while several initiatives on cyber risk exist at the EU level, none of them cover all financial authorities in the EU. That is why the ESRB says there is a need to establish a pan-European systemic cyber incident coordination framework. "The objective behind such a mechanism is to increase the level of preparedness of financial authorities in the EU and to define a coherent and thus more effective response to a cyber incident. The EU-SCICF should help bridge any coordination and communication gaps between financial authorities themselves, with other sector authorities and with other key actors at international level [such as ENISA, NIS, various international CERTs etc.]," the ESRB says.
So as not to disrupt the provisions already in place in the financial sector, the ESRB says, the framework should complement existing coordination and communication protocols rather than replace them.
Greg Day, vice president and global field CSO at Cybereason, tells ISMG that the adoption of a framework of this scale is the next natural step in evolution for the financial sector. "Having a framework that would help standardize how organizations cooperate is very important. It is now more critical as we see threats increasingly span across ever more complex supply chains as all businesses, including those in the financial space, become more digitally complex," Day says.
"When it comes to cybersecurity, greater collaboration is needed at all levels of society, and this development is very welcome," says Jamie Akhtar, CEO and co-founder of CyberSmart. "Cybercrime poses a systemic risk to the financial sector - and, by association, economies across Europe. So this is a positive step toward mitigating that risk," he says.
Some experts say the recent cyberattack on the European Banking Authority, in which its Microsoft Exchange Server was hacked, is a prime example of why the framework is needed (see: European Banking Authority Sustains Exchange Server Hack).
Apart from the coordination among the ESAs, the ESRB and the Joint Cyber Unit needed to build the framework, the ESRB recommendation and DORA also ask each ESA to address the following:
- An assessment of its resource requirements while developing the framework;
- Mapping and subsequent analysis of current impediments, including legal and other operational barriers;
- A designated point of contact in the ESAs, ECB and each EU member state from among their relevant national authorities, who would be responsible for all the communication related to the development of the framework and in the future would be informed in case of a major cyber incident once the EU-SCICF is established;
- A proper communication channel with the public and media;
- Proper testing and development before the framework becomes functional;
- Consideration of interfaces, channels and confidentiality for cross-sectoral and global coordination.
Will the Framework Be Useful?
"The EU making an international and united commitment to cybersecurity is a positive step that could help with both prevention and damage control in the future," says John Vestberg, CEO of Swedish network security company Clavister. "It's important to remember that cybercriminals are not limited by national borders, and therefore it is crucial that those trying to counter cyberattacks have the same borderless approach.
"The more we prepare for cyberattacks and become familiar with how to act in crisis situations, the smaller the overall damage will be because there are well-trained people on the ground from the get-go," he says.
The framework is expected to take the form of a regulation for the financial sector rather than a mere guideline. "The first iterations of GDPR and NIS were very much focused on embedding security into business processes and having the right response processes," according to Cybereason's Day. He adds that NIS 2 and DORA "move the needle on how to do this better - adapt to the digital and changing threat landscapes - but they also both focus on the broader systemic needs, such as the supply chain and how cyberthreats impact better collaboration and coordination around cyber incidents. All of this shows how regulation is moving from a tactical to strategic posture and thus will be most useful in coming days."