Shearman & Sterling LLP | FinReg | Blog | Cyber Security
Financial Regulatory Developments Focus

The following posts provide a snapshot of the principal U.S., European and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.

  • European Commission Proposal for Pilot Distributed Ledger Technology Regime Regulation
    09/24/2020

    The European Commission has published a proposal for a new EU Regulation on a pilot regime for distributed ledger technology. The pilot regime is intended to promote legal certainty, to support innovation, to preserve market integrity and to ensure financial stability for the use of DLT in crypto-asset and e-money token markets. The Commission has simultaneously published a proposed Regulation on markets in crypto-assets and e-money tokens. The proposed Regulations follow the Commission's consultation on an EU framework for crypto-assets, which closed in January 2020.

    Read more.
  • European Commission Proposal for Crypto-asset Regulation
    09/24/2020

    The European Commission has published a proposal for a new EU Regulation on crypto-assets. The proposed Regulation is intended to improve legal certainty in the regulatory treatment of crypto-assets, to support the development of crypto-assets, to preserve consumer protection and market integrity in crypto-asset markets and to ensure financial stability. The Commission has simultaneously published a Regulation on a pilot regime for distributed ledger technology. The proposed Regulations follow the Commission's consultation on an EU framework for crypto-assets, which closed in January 2020.

    Read more.
  • European Commission Proposals for Digital Operational Resilience Regulation and Amending Directive 
    09/24/2020

    The European Commission has published proposals for a new EU Regulation on digital operational resilience for the financial sector and a new EU Directive amending certain pieces of existing EU financial services legislation to strengthen digital operational resilience and provide legal certainty on crypto-assets. The new legislation has been proposed as a result of the risks arising from the increase in digital opportunities within the financial sector. There are currently no detailed rules at EU level on digital operational resilience, exposing the need for comprehensive and harmonized legislation governing this area.

    Read more.
  • European Banking Authority Seeks to Promote RegTech Use
    08/12/2020

    The European Banking Authority has opened a consultation on RegTech and supporting the use of RegTech across the EU. Responses may be submitted until September 30, 2020. The EBA intends to report on the use of RegTech in the first half of 2021. The survey is focused on financial institutions and ICT third party providers. The EBA is seeking to understand the extent and impact of RegTech for regulatory, compliance and reporting requirements of regulated firms. In particular, the EBA is looking at mapping and understanding existing RegTech solutions, identifying barriers and risks relating to the use of RegTech and analyzing how to facilitate the application of RegTech across the EU. The consultation covers ongoing monitoring of business relationships and transactions for anti-money laundering obligations, creditworthiness assessments, compliance with security standards, including information security, cybersecurity and payment services and supervisory reporting.

    View the EBA's survey.
  • European Commission Consults on Proposed Revisions to EU Cybersecurity Rules
    07/07/2020

    The European Commission has launched a consultation on proposed revisions to the EU Directive on the security of network and information systems across the Union (commonly known as the NIS Directive), which is designed to protect the security of EU network and information systems. The NIS Directive sets out, among other things, the parameters of national network and information security strategies to be implemented by Member States for providers of "essential services", which include credit institutions (as defined under the EU Capital Requirements Regulation) and financial market infrastructures.

    Read more.
  • UK Publishes Post-Brexit Cyber Sanctions Regulations
    06/17/2020

    The U.K. Government has published the Cyber (Sanctions) (EU Exit) Regulations 2020 and an explanatory memorandum. The Regulations are made under the Sanctions and Anti-Money Laundering Act 2018, which was introduced to enable the U.K. Government to implement international sanctions following its departure from the EU. The majority of the SAMLA provisions entered into force on November 22, 2018. The purpose of the Regulations is to ensure that the U.K. has an effective cyber sanctions regime at the end of the transitional period (currently scheduled for December 31, 2020) as part of the U.K.'s exit from the EU.

    Read more.
  • European Commission Publishes Adjusted 2020 Work Program
    05/27/2020

    The European Commission has published an adjusted 2020 Work Program to reflect the unexpected challenges arising from COVID-19. The Commission still intends to deliver on the commitments made under its original Work Program, published in January 2020, but has adjusted the timing of certain actions necessary to achieve its objectives. An update on the delivery and expected timing of the objectives under the adjusted Work Program is set out in an amended version of Annex 1 on the Commission’s website.

    Read more.
  • Financial Stability Board Consults on Cyber Incident Responses
    04/20/2020

    The Financial Stability Board has launched a consultation on its proposed guidance on Effective Practices for Cyber Incident Response and Recovery. The consultation seeks input on a toolkit of cyber incident responses compiled by the FSB based on effective actions taken by organizations across the world. The consultation paper opens with a series of specific questions for respondents to consider, before setting out the draft toolkit of responses on which feedback should be given. Responses should be submitted by July 20, 2020.

    Read more.
  • European Systemic Risk Board to Evaluate Systemic Cyber-security Risk
    02/19/2020

    The European Systemic Risk Board has published a report on cyber-security risk, which it has identified as a source of systemic risk to the global financial system. The report notes that the increased digitalization and interconnectedness of the global financial system makes it heavily reliant on ICT infrastructure and vulnerable to cyber attacks. The report provides an overview of key regulatory and industry initiatives aimed at combatting cyber risk, which include: (i) the 2019 International Organization of Securities Commissions’ Cyber Task Force report on cyber regulation; (ii) the European Banking Authority’s Guidelines on management of information and communication technology and security risks; and (iii) the European Securities and Markets Authority’s 2020-2022 Strategic Orientation, which establishes the dangers of cyber threats as an area of focus for ESMA and the other European Supervisory Authorities.

    Read more.
  • European Commission Publishes 2020 Work Programme
    01/29/2020

    The European Commission has published its 2020 Work Programme, setting out the EU’s strategic priorities for the next 12 months.

    Read more.
  • UK Court Confirms Bitcoin Status as Property for Certain Proprietary Claims
    01/17/2020

    A U.K. court has granted an interim proprietary injunction over Bitcoin held in an account of a cryptocurrency exchange after it had been transferred there as part of a cyber attack on a Canadian insurance company. The judgment in AA v Persons Unknown & Ors, Re Bitcoin [2019] EWHC 3556 (Comm) was given on December 13, 2019, and following the lifting of reporting restrictions, was released for publication on January 17, 2020. In coming to its decision, the High Court adopted the analysis as to the proprietary status of crypto assets set out in the recent legal statement by the UK Jurisdiction Taskforce. Although each case will depend on the relevant facts and issues, the decision confirms that crypto assets are a form of property capable of being the subject of a proprietary injunction.

    Read more.
  • UK Conduct Authority Publishes Findings of Review of Risk Modelling and Other Portfolio Management Tools in the Asset Management Sector
    01/13/2020

    The U.K. Financial Conduct Authority has published a report on its review of how firms in the asset management sector selected and used risk modelling and other portfolio management tools. The review was undertaken to assess how firms identify and manage the risks as well as firms' ability to respond to system failures or service interruptions.

    Read more.
  • European Securities and Markets Authority Publishes 2020-2022 Strategic Orientation
    01/09/2020

    The European Securities and Markets Authority has published its Strategic Orientation for 2020-2022, setting out its longer-term objectives for regulating financial markets. The previous Strategic Orientation covered the period from 2016-2020 and so is coming to an end this year. Looking forward, ESMA aims to:
    • develop the EU Capital Markets Union by encouraging wider retail investor participation, which would assist with the diversification of funding sources and efficiency of capital markets;
    • promote sustainable finance and long-term oriented capital markets as part of the EU's commitment to meet the UN's Sustainable Development Goals by 2030;
    • examine the opportunities and risks of digitalization and technology for market participants and regulators;
    • guarantee the EU's voice in financial markets, aiming to maintain the openness of EU financial markets and develop EU co-operation with third-country authorities to ensure investor protection and financial stability; and
    • encourage proportionality, particularly with respect to SMEs and innovative companies, where ESMA may need to tailor its initiatives to meet its objectives.

    View ESMA 2020-2022 Strategic Orientation.
  • European Commission Launches Consultations on Digitalization in the Financial Sector
    12/19/2019

    The European Commission has launched two consultations on digitalization in the financial sector. They form part of the EU’s new Digital Finance Strategy which aims to deepen the Single Market for digital financial services, promote a data-driven EU financial sector while addressing the risks inherent in that and enhance the digital operational resilience of the financial system. 

    Read more.
  • European Banking Authority Publishes Guidelines on Technology and Security Risk Management
    11/28/2019

    The European Banking Authority has published its final guidelines on the management of information and communication technology and security risks by financial institutions in the EU. The Guidelines set out how financial institutions should comply with relevant provisions on the governance and risk management of ICT and security risks under the Fourth Capital Requirements Directive and the Second Payment Services Directive. 

    Read more.
  • European Central Bank Publishes Paper on Stablecoins
    11/28/2019

    The European Central Bank has published a paper providing an overview of the stablecoins market and looking ahead to its future development. The paper contains no binding rules or guidance and is designed for information purposes only. It outlines how stablecoins have emerged as an alternative to highly volatile cryptoassets, such as Bitcoin, by incorporating "stabilization" mechanisms that back the value of the stablecoins by tying them to underlying assets such as fiat currencies or commodities. Facebook's unveiling of its Libra stablecoin has attracted much attention from regulators, demonstrating the ongoing challenges faced by cryptoassets. The paper goes on to describe the different types of stablecoins and the current status of stablecoin initiatives, and considers potential use cases for stablecoins, such as transferring money without using financial institutions or cash. The ECB determines that it remains to be seen how the more innovative types of stablecoin will develop given their greater volatility and foresees that improvements in stablecoin governance may need to be made.

    Read more.
  • Eurozone Single Resolution Board Publishes Opinions on Internal Rules for its use of Personal Data
    11/22/2019

    The Eurozone Single Resolution Board has published a series of three opinions setting out its own internal rules for the circumstances in which it may restrict the rights of data subjects under Regulation (EU) 2018/1725, data protection legislation that is commonly understood as the public sector equivalent of the General Data Protection Regulation. The Regulation governs the use of personal data by EU institutions and agencies. 

    Read more.
  • Basel Committee Publishes Report on Open Banking and Application Programming Interfaces
    11/19/2019

    The Basel Committee on Banking Supervision has published a report on “open banking” and the use of application programming interfaces. The term “open banking” refers to the sharing and leveraging of customer-permissioned data by banks with third-party developers and firms to build applications and services, including for example those that provide real-time payments, greater financial transparency options for account holders, marketing and cross-selling opportunities. Application programming interfaces are software intermediaries that enable information to be exchanged between applications. 

    Read more.
  • UK Information Commissioner’s Office Consults on Application of Powers under Proceeds of Crime Act
    11/08/2019

    The U.K. Information Commissioner’s Office, the U.K.’s independent body for the upholding of information rights in the public interest, has issued a consultation paper on proposals that it be granted investigative and other powers under the Proceeds of Crime Act 2002. The proposals are in response to the increasing number of cases in which financial gains are made by criminals involved in the theft of personal data.

    Read more.
  • Committee on Payments and Market Infrastructures Publishes Toolkit for Reducing Wholesale Payments Fraud
    10/22/2019

    The Committee on Payments and Market Infrastructures has prepared a “toolkit” to assist central banks to reduce the risk of wholesale payments fraud related to endpoint security. The Financial Stability Institute at the Bank for International Settlements has also announced that it will make tutorials on wholesale payments security freely available to central banks on request.

    Read more.
  • UK Court Grants Asset Preservation Order over Bitcoin
    08/20/2019

    A U.K. court has granted an asset preservation order over Bitcoin stolen in a "spear phishing" attack on a major crypto-currency trader. The decision confirms that proprietary claims over Bitcoin constitute serious issues that should be tried in the courts. Although the presiding judges did not make a final ruling on the legal questions surrounding the nature of Bitcoin ownership, it is believed that this is the first time the English courts have considered the nature of crypto-currencies as property.

    Read more.
  • UK Financial Conduct Authority Issues Response to EU Opinion on Strong Customer Authentication
    06/28/2019

    The U.K. Financial Conduct Authority has issued a statement confirming its intended approach to enforcing firms' compliance with EU "strong customer authentication" rules that will apply across the EU from September 14, 2019.

    Read more.
  • European Banking Authority Publishes Opinion on Strong Customer Authentication Under Payment Services Directive
    06/21/2019

    The European Banking Authority has published an Opinion on market approaches to payment authentication that will be deemed compliant with the new rules on strong customer authentication coming into force later this year.

    Read more.
  • European Commission Publishes Report on Implementation of Wire Transfer Regulation
    06/20/2019

    The European Commission has published a report detailing: (i) the extent to which Member States have implemented the sanctions and monitoring sections of the EU Wire Transfer Regulation; and (ii) the particular sanctioning activities that national regulators have adopted under the Regulation. The Commission was obliged to provide the report to the European Parliament and Council of the European Union under the Wire Transfer Regulation. Although Member States are not obliged to take specific steps in response to the report's findings, the Commission concludes the report by stating its intention to continue to support Member States in their implementation of the Wire Transfer Regulation and reserves the right to take further measures to ensure the Regulation is correctly implemented by all Member States.

    Read more.
  • Bank of England Publishes Report on the Future of the UK Financial System and the Bank's Priorities for the Future
    06/20/2019

    Huw van Steenis, the Bank of England financier appointed by the BoE in 2018 to review the future of the U.K. financial system, has published his "Future of Finance" report, setting out a vision for the medium-term future of the U.K. financial system and the BoE's role in supporting that. The report was based on consultations with entrepreneurs, financiers, tech firms, global investors, consumer groups, charities, policymakers and business leaders across the U.K. and overseas. In response, the BoE has published a document which sets out the actions it intends to take to deal with the challenges and opportunities identified in the report.

    Read more.
  • Basel Committee on Banking Supervision Discusses Supervisory Initiatives and Approves Implementation Reports
    06/20/2019

    Central bankers and banking supervisors of the Basel Committee on Banking Supervision met this week to discuss a range of policy and supervisory initiatives. 

    Read more.
  • International Cyber Task Force Reports on Cyber Regulation
    06/18/2019

    The International Organization of Securities Commissions has published the final report of its Cyber Task Force on cyber regulation. The report sets out how IOSCO member jurisdictions apply three recognized cyber frameworks - the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures; the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity; and the International Organization for Standardization 27000 series standards. The Cyber Task Force does not propose that IOSCO issues any further guidance on this topic, as this could lead to duplication. The report is instead intended to be a resource for financial market regulators and firms, to raise awareness of existing cyber guidance and to encourage the adoption of good practices. The Cyber Task Force recommends that IOSCO's member jurisdictions use these standards to close any gaps in their existing cyber frameworks and that further work is undertaken to establish where those gaps are.

    View the report.
  • Financial Stability Board Publishes Progress Report on Cyber Incident Response
    05/28/2019

    The Financial Stability Board has published a progress report on the activities and work plan of its Cyber Incident Response and Recovery working group. The working group was established in 2018 with a mandate to develop a toolkit of practices for financial institutions and authorities in preparing for and dealing with cyber incidents.

    Read more.
  • UK Secondary Legislation Published to Combat Cyber-Attacks
    05/21/2019

    The Cyber-Attacks (Asset-Freezing) Regulations 2019 have been made and will come into force on June 11, 2019.

    The U.K. Regulations put in place measures applicable to U.K. nationals, U.K. incorporated entities and certain regulated institutions that will help enforce the financial sanctions provisions of the EU's new Cyber-Attacks Regulation, which came into force on May 18, 2019. The Cyber-Attacks Regulation is designed to combat cyber-attacks emanating from outside the EU against EU institutions and Member States. Its provisions include granting the Council of the European Union the ability to freeze assets of persons or entities suspected of involvement in such attacks. In order to enforce the sanctions regime throughout the EU, Member States are required to put in place legislation specifying the penalties that will be imposed upon those found to be implicated in a breach of the EU Cyber-Attacks Regulation.

    Read more.
  • EU Council Regulation to Combat Cyber-Attacks Published
    05/17/2019

    The EU Council Regulation concerning restrictive measures against cyber-attacks threatening the European Union or its Member States came into force on May 17, 2019 and will apply directly across the EU from May 18, 2019.

    Read more.
  • UK Financial Conduct Authority Reports on Cyber Security Resilience in Financial Services
    11/27/2018

    The Financial Conduct Authority has published a report entitled "Cyber and Technology Resilience: Themes from cross-sector survey 2017-2018." The FCA compiled the report by requesting 296 firms during 2017 and 2018 to provide a self-assessment of their cyber and technological capabilities, focusing on governance, delivery of change management, managing third-party risks and the effectiveness of cyber defenses. The FCA analyzed the responses and considered data from firms' responses to recent operational incidents to produce the report.

    Read more.
  • UK Parliamentary Committee Launches Inquiry Into Operational Resilience in the Financial Services Sector
    11/23/2018

    The U.K. Treasury Committee has announced the launch of a new Inquiry into IT failures in the financial services sector. The Inquiry has been launched in response to recent IT failures at a number of financial institutions that have led to consumers being unable to access their bank accounts or becoming subject to fraud.

    The Committee will assess the causes and consequences of these recent IT failures. Among other things, the Committee will consider the extent to which such incidents are becoming more frequent, sources of concentration risk in the financial sector, the impact of legacy IT systems, the effect of outsourcing on operational resilience, best practices in responding to operational incidents and whether the U.K. regulators are able to regulate firms' capabilities for responding to such incidents.

    Written submissions can be made to the Committee by January 18, 2019. The Committee will also appoint a special advisor to provide policy advice to the Committee on the issues. Individuals interested in the role should respond to the call for Expressions of Interest.

    View the announcement.
  • Financial Stability Board Publishes Cyber Lexicon
    11/12/2018

    The Financial Stability Board has published the final Cyber Lexicon of terms related to cyber security and cyber resilience. The Lexicon is intended to assist the FSB, other international standard setting bodies (such as the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions), authorities and the private sector to address threats to cyber security and adopt cyber resilience measures. The FSB has also published an overview of responses to the public consultation, summarizing the main issues that emerged during the FSB's consultation on a draft lexicon and the changes adopted to address them.

    Read more.
  • European Parliament Adopts Resolution on Distributed Ledger Technologies
    10/03/2018

    The European Parliament has adopted a non-legislative resolution entitled "distributed ledger technologies and blockchains: building trust with disintermediation." Of particular relevance to the financial services sector, the European Parliament is requesting that the European Commission and other EU authorities take various steps to maximize the potential of this technology in the EU.

    Read more.
  • UK Conduct Regulator Fines Retail Bank for Failures During a Cyber Attack
    10/01/2018

    The U.K. Financial Conduct Authority has published a final notice issued to a U.K. Retail Bank for breaches of Principle 2 of the FCA's Principles for Businesses. Principle 2 requires authorized firms to conduct their business with due skill, care and diligence. The Bank was subjected to a cyber-attack in November 2016, when attackers deployed an algorithm to generate authentic debit card numbers that were then used to make unauthorized transactions. While the attack did not involve loss or theft of customers' personal data, the FCA found that the attack left the Bank's personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours.

    Read more.
  • UK Financial Conduct Authority Updates Guidance on its Approach to Payment Services and Electronic Money
    07/06/2018

    The U.K. Financial Conduct Authority has updated its Approach Document on payment services and electronic money, to reflect final guidelines issued in December 2017 by the European Banking Authority on security measures for mitigating operational and security risks under the revised Payment Services Directive. The changes will affect all payment service providers. The FCA has also updated its webpage on reporting requirements for payment services providers and e-money issuers to reflect these changes. The webpage includes a link to the revised version of the FCA's REP018 (operational and security risk) reporting form.

    The FCA will expect payment services providers to comply with the EBA guidelines, which cover issues such as operational and security risk management framework governance, the use of models, outsourcing and how functions, processes and assets should be identified, classified and risk-assessed. The EBA guidelines also cover security of data integrity, systems and confidentiality as well as physical security and asset control and communication of the security measures to payment service users. PSPs will be expected to report at least annually to the FCA on their operational and security risk management frameworks.

    Read more.
  • UK Regulators Seek Views on Improving Operational Resilience of Firms and Financial Market Infrastructures
    07/05/2018

    The Bank of England, the U.K. Prudential Regulation Authority and the U.K. Financial Conduct Authority have published a joint discussion paper entitled "Building the UK financial sector’s operational resilience." The Discussion Paper is aimed at opening a dialogue with the financial services industry on achieving what the Authorities view as a "step change" in the operational resilience of firms and Financial Market Infrastructures and at generating debate about the expectations regulators and the wider public might have of the operational resilience of financial services institutions.

    While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.

    Read more.
  • UK Financial Policy Committee Outlines Steps to Reduce Risks to the UK's Financial Stability
    07/03/2018

    The Bank of England has published a Financial Stability Report, dated June 2018, and a record of the Financial Policy Committee Meeting held on June 19, 2018. The Report sets out the FPC's view of the U.K.'s financial stability, the resilience of the U.K.'s financial system and the risks posed to each of those. Where applicable, the Report also notes the steps that the FPC is taking to address the risks. The record of the meeting provides a summary of issues discussed by the FPC in June.

    Read more.
  • Financial Stability Board Issues Consultation on Developing a Cyber Lexicon
    07/02/2018

    As part of its work on the protection of financial stability against the malicious use of information and communication technologies, the Financial Stability Board has published a draft cyber lexicon for consultation.

    In March 2017, the FSB was asked by the G20 Finance Ministers to review and produce a stock-take report on the existing regulation, supervisory practices and guidance on cyber security in the financial sectors of G20 jurisdictions. The G20 welcomed the FSB's stock-take report in October 2017 and asked the FSB to continue its work and to develop a common lexicon of cyber terms.

    The FSB stresses that the lexicon is not intended for use in the legal interpretation of any international arrangement or agreement or any private contract. The use of the cyber lexicon will not be mandatory. Its purpose is to support the work of the FSB, standard-setting bodies, national authorities and private sector participants to address, and develop guidance on, cyber security and cyber resilience in the financial sector. In particular, the aim of the cyber lexicon is to create a cross-sector common understanding of relevant cyber security and cyber resilience terminology and to facilitate assessment and monitoring of financial stability risks in cyber risk scenarios.

    Read more.
  • UK Prudential Regulator Sets out Expectations on Firms' Exposures to Crypto-Assets
    06/28/2018

    The U.K. Prudential Regulation Authority has published a "Dear CEO" letter, addressed to the Chief Executive Officers of banks, insurance companies and designated investment firms. The purpose of the letter is to remind firms of their relevant obligations under the PRA rules and to communicate the PRA's expectations regarding firms' exposures to crypto-assets.

    Crypto-assets have exhibited high price volatility and relative illiquidity and may also be vulnerable to fraud and manipulation, which raises concerns about potential misconduct and poses issues for market integrity. The PRA's letter does not define crypto-assets, but the Financial Conduct Authority uses this term to refer to any publicly available electronic medium of exchange that features a distributed ledger and a decentralized system for exchange. The FCA recently published a "Dear CEO" letter outlining best practice for firms in handling the financial crime risks that crypto-assets can pose.

    Read more.
  • European Supervisory Authorities Make Recommendations to Address Risks in EU Securities, Banking and Insurance Sectors
    04/12/2018

    The Joint Committee of the European Supervisory Authorities has published a report on risks and vulnerabilities in the EU financial system. The ESAs are the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority. The ESAs make recommendations for policy actions by the ESAs, national regulators and financial institutions. A summary of the risks and recommendations contained in the report is set out below.
    • To combat cyber risks, the ESAs recommend that financial institutions should continue to improve IT systems, explore risks in the context of information security and take steps to resolve risks surrounding connectivity and outsourcing to third-party providers. The ESAs will continue to keep these risks under review. ESMA is launching a supervisory project on cloud computing outsourcing and will continue work to address supervisory convergence. The EBA is developing guidelines on the management of information and communication technology risks. EIOPA is conducting a qualitative exercise on cyber risk with national regulators and the industry.
    Read more.
  • US Federal Financial Institutions Examination Council Issues Joint Statement Regarding Cyber Insurance
    04/11/2018

    The U.S. Federal Financial Institutions Examination Council members released a joint statement with respect to cyber insurance and its role in risk management. FFIEC members include the U.S. Board of Governors of the Federal Reserve System, the U.S. Office of the Comptroller of the Currency and the U.S. Federal Deposit Insurance Corporation. The statement and corresponding press release note that the frequency, sophistication and severity of cybersecurity incidents are increasing. As a result, general insurance policies may not provide adequate coverage in the event of a cybersecurity event, and cyber insurance options are increasing and evolving in response to these factors. The statement highlights that cyber insurance options vary greatly and can take the form of either a standalone policy or an endorsement to an existing insurance policy. The statement cautions, however, that cyber insurance should be viewed as a risk mitigation tool and not as an alternative to sound internal controls, policies and procedures to guard against cybersecurity events. The statement notes that institutions, in considering cyber insurance, should assess their existing cybersecurity risk framework to determine the potential impact and magnitude of residual risk. In weighing the costs and benefits of cyber insurance, the statement suggests that institutions should consider involving multiple stakeholders in the decision-making process, perform adequate due diligence to fully understand available policies and coverage options and incorporate cyber insurance into their annual budgeting processes.

    View full text of the FFIEC statement.
  • European Central Bank Consults on Cyber Resilience Oversight Expectations for Eurozone Financial Market Infrastructures
    04/10/2018

    The European Central Bank has launched a consultation on draft "cyber resilience oversight expectations" for financial market infrastructures.

    The CROE use, as a basis, the Guidance on Cyber Resilience for Financial Market Infrastructures that was published jointly in June 2016 by the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions. FMIs were required to implement that Guidance immediately; it was supplemental to the Principles for Financial Market Infrastructures published in 2012 by IOSCO and the Committee on Payment and Settlement Systems. The PFMIs were adopted by the Governing Council of the ECB in June 2013. In developing the CROE, the ECB also took into account existing international guidance documents, in particular the Cyber Security Framework published by the U.S. National Institute of Standards and Technology, the ISO/IEC 27002 good practice standard for information security, the COBIT 5 framework for the governance and management of enterprise IT, the Information Security Forum's Standard of Good Practice for Information Security and the U.S. Federal Financial Institutions Examination Council's Cybersecurity Assessment Tools.

    Read more.
  • UK Financial Conduct Authority Publishes its 2018/19 Business Plan
    04/09/2018

    The Financial Conduct Authority has published its Business Plan for 2018/19, which sets out its key priorities for the coming year. The FCA confirms that it will continue to focus on issues relating to the U.K.'s withdrawal from the EU by working with the Government, ensuring appropriate transition measures for EEA firms, working towards operational readiness and cooperating at international level.

    The FCA divides the remainder of its priorities into cross-sector priorities and sector priorities. There are seven cross-sector priorities: firms' culture and governance; financial crime and anti-money laundering; data security, resilience and outsourcing; innovation, big data, technology and competition; treatment of existing customers; long-term savings, pensions and intergenerational differences; and high-cost credit. There are seven sector priority areas: wholesale financial markets; investment management; retail lending; pensions and retirement income; retail investments; retail banking; and general insurance and protection. The FCA also published Sector Views for each of these sectors which provide an FCA view of how each sector was performing as of mid-2017.

    Read more.
  • Financial Stability Board Publishes Progress Update on its Work to Develop a Cyber Lexicon
    03/20/2018

    The Financial Stability Board has published a Progress Update on its work on the creation of a common lexicon of terms to support the work of the FSB, standard-setting bodies, authorities and private sector participants to address cyber-security and cyber-resilience in the financial sector.

    The FSB explains in the Progress Update that the cyber lexicon is not intended as a comprehensive lexicon of all cyber-security and cyber-resilience related terms. Its scope will be limited and focused on the core terms necessary to support the objective of the lexicon, which is to support the work of the above bodies, in particular by creating a cross-sector common understanding of relevant cyber security and cyber resilience terminology and by facilitating assessment and monitoring of financial stability risks in cyber-risk scenarios. It is expected that the lexicon will assist in the work of the FSB and standard-setting bodies to provide guidance related to cyber-security and cyber resilience.

    Read more.
  • European Supervisory Authorities Issue Final Report on Financial Institutions' Use of Big Data
    03/15/2018

    The Joint Committee of the European Supervisory Authorities has published a final report on the use of Big Data by financial institutions. The Final Report has been prepared following feedback to a discussion paper published in December 2016 by the Joint Committee's sub-Committee on Consumer Protection and Financial Innovation. "Big Data" is the term used to refer to situations where high volumes of different types of data, produced with high velocity from a wide variety of data sets and sources, are processed (often in real time) by IT tools, such as powerful processors, software and algorithms. Big Data tools have been in use for several years in some sectors, but less so in others. Nevertheless, most respondents to the ESAs' discussion paper agreed that Big Data may have an impact on almost all financial institutions and on their products and services. The use of Big Data techniques can help financial institutions to improve their understanding of customers' preferences and their interactions with customers and clients. This can enable them to tailor products to their target markets and support effective product governance. However, the use of Big Data also entails risk.

    Read more.

  • US Federal Reserve Board Vice Chairman for Supervision Discusses Financial Regulation and Cybersecurity
    02/26/2018

    Randal Quarles, U.S. Board of Governors of the Federal Reserve System Vice Chairman for Supervision, provided brief remarks at the Financial Services Roundtable 2018 Spring Conference. Vice Chairman Quarles noted the importance of reviewing the post-crisis regulatory regime to determine which regulations may not be functioning effectively or as intended, and of making changes as necessary. He noted the importance of evaluating the costs and benefits of regulatory initiatives as well as evaluating their effect on both the resiliency of the financial system and on credit availability and growth. He focused in particular on the topic of cybersecurity, which he remarked is a high priority for the Federal Reserve Board. Given the dynamic and highly sophisticated nature of cyber attacks, Vice Chairman Quarles emphasized the need for collaboration in this area, both among private sector stakeholders and between the private sector and federal financial regulators. He noted that the Federal Reserve Board is continuing to work with other financial regulatory agencies to harmonize cyber risk-management standards and supervisory expectations to align them with existing best practices such as the National Institute of Standards and Technology's Cybersecurity Framework.

    View full text of Vice Chairman Quarles's remarks.
  • New York State Department of Financial Services Reminds Institutions of Upcoming Deadline for Cybersecurity Certification
    01/22/2018

    New York State Department of Financial Services Superintendent Maria Vullo issued a press release reminding regulated entities and licensed persons of the NYDFS's upcoming February 15, 2018 compliance certification deadline under New York's cybersecurity regulation that was implemented in March of 2017. New York's cybersecurity regulation generally requires (i) that regulated entities establish, review and assess cybersecurity policies and procedures designed to protect consumer data, (ii) that regulated entities have a Chief Information Security Officer, and (iii) that the policies and procedures are approved by an entity's board of directors or a senior officer. Covered entities and individuals will be required to submit the certification, which attests to compliance with New York's cybersecurity regulation for 2017, through the NYDFS's cybersecurity portal. The press release also provides a link to a series of frequently asked questions regarding the cybersecurity regulation generally, and the upcoming filing deadline, including which subparts of the regulation are applicable to this year's certification, and those that will be applicable to the 2019 certification. Superintendent Vullo also announced that the cybersecurity evaluation will be incorporated into all NYDFS examinations of regulated entities.

    View full text of the press release.
  • European Banking Authority Issues Guidelines for Assessing and Managing Security and Operational Risks in Payment Services
    12/12/2017

    The European Banking Authority has published finalized guidelines to assist payment services providers to conduct appropriate risk assessment and risk management of operational and security risks. The finalized guidelines contain some changes from the draft guidelines on which the EBA launched a consultation in May 2017.

    Read more.
  • Financial Stability Board Meeting to Discuss Ongoing 2017-2018 Workplan
    10/06/2017

    The Financial Stability Board has published a press release summarizing the outcome of its plenary meeting in Berlin on October 6, 2017, at which it considered potential vulnerabilities in the financial system and discussed a number of areas from its workplan.

    Read more.