The Cybersecurity Challenge for Regulators

Salvatore Pugliese
Salvatore is a Finance and Banking attorney with a keen interest in private equity and venture capital funds.

This past Monday, shortly after 9 a.m., Coindash investors were told on Twitter that the company’s website had been hacked. In almost half an hour, $7 million was stolen. When Coindash launched its Initial Coin Offering (ICO), a way for cryptocurrency start-ups to raise money, the company was aiming to raise about $12 million. Using the digital currency Ethereum, the firm instructed prospective investors to send their “money” to a designated address in order to participate in the ICO. However, people who followed those instructions had their money stolen. Unfortunately, the SEC has little enforcement power in this new market, which means that investors would have little legal relief if their money were stolen.

Important Issues for Financial Institutions

Cybersecurity and regulatory compliance are the two main issues in tech innovation at financial institutions. As recent events have shown, cybersecurity is the number one risk arising from cooperation with fintech firms, and these attacks can represent potential systemic risks. The number of cyberattacks is growing; losses incurred annually through hacking are well documented and range between tens and hundreds of billions of dollars. This deep concern about cyberattacks has led regulators to adopt a more sensitive approach. For instance, EU regulations including the second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR), as well as Europe's first cyber law, the Network and Information Security (NIS) Directive (“the Directive”), partially explain these firms’ concerns.

The Problem

Preparing an incident response readiness program that will comply with breach reporting requirements in a timely manner is crucial nowadays. This seems essential so that fintech companies may completely understand the full range of threats that can arise from these attacks; at the same time, these firms can identify the vulnerabilities of their systems in advance. A preventive evaluation of these risks appears to be the only way to protect fintech companies from these attacks. However, these financial institutions don’t appear ready to establish a cybersecurity department, which would be costly and unaffordable. Therefore, they should outsource the job, which is often best done by an experienced third party, as it is likely to have a much clearer perspective of the risk landscape.

The EU Response

Regulators across the world have used different approaches when facing cybersecurity issues. However, the European Union has taken a concrete initiative to build a cybersecurity framework, which would be implemented among all European countries. The EU has focused on three landmark issues:

  1. increasing cybersecurity capabilities and cooperation; 
  2. making the EU a strong player in cybersecurity; 
  3. mainstreaming cybersecurity in EU Policies. 

Moreover, one of the EU policy’s essential achievements was the approval of a directive promoting network and ICT security among member states, which has led to the NIS Directive (“the Directive”).

The Directive on the security of network and information systems was adopted by the European Parliament on July 6, 2016. EU countries must integrate the Directive into national law by May 9, 2018, and it will then need to be applied as of May 10, 2018. Member states have 21 months to transpose the Directive into their national laws, and they must identify operators of essential services by November 9, 2018.

Novel Initiative

This is the first attempt to regulate cybersecurity, in contrast with the US and UK approaches, which rely on voluntary measures. In particular, EU member states are required to create a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority. The EU has also enhanced cooperation among all member states by setting up a cooperative group. The function of this group is "to discuss the process, substance and type of national measures allowing for the identification of operators of essential services within a specific sector in accordance with the criteria set out in the Directive". It also provides for the exchange of information, and aims to develop trust and confidence among member states. States will also need to set up a CSIRT Network in order to enhance effective operational cooperation on specific cybersecurity incidents and to share information about risks and problems. In this way, this may represent the launch of the first European public-private partnership on cybersecurity, part of the European investment plan named Horizon 2020. The EU will invest €450 million in this partnership, whose aim is to boost cooperation in the research and innovation process and to provide cybersecurity solutions for various sectors, such as finance.

The Directive also stipulates that operators of essential services, such as finance or health, should take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of the network and information systems which they use in their operations. These operators must also adopt appropriate methods for minimizing the impact of incidents affecting the security of the network and information systems used for such essential services.

Moreover, the NIS Directive introduces a new notification system, which requires operators to report, without undue delay, incidents having a significant impact on the continuity of the essential services they provide. Notification will have to be made to the "competent authorities" or to the Computer Security Incident Response Teams that each EU country will have already established.

In determining the significance of a security incident, operators should consider factors such as how many users have been affected by the disruption to the service; the geographic spread of the incident; how long the incident lasted; the extent of the disruption to the functioning of the service; and the extent of the impact on economic and societal activities. The cooperative group may develop guidelines about the circumstances in which operators must report incidents, including parameters for determining the “significance” of an incident’s impact.

Salvatore Pugliese obtained his Master's degree in Law from the University Suor Orsola Benincasa in 2013. Afterward, Salvatore attended La Sapienza University in Rome, where he received a Master in European Private Law in 2015. After receiving his Master, Salvatore moved to Boston, where he graduated with an LLM in Banking and Financial Law from Boston University.