EU financial supervisors progress plan to boost cyber-incident co-ordination


EIOPA: the Frankfurt-based authority is one of the three European Supervisory Authorities | Credit: EIOPA

European Union (EU) financial supervisory authorities have published an update on plans to bolster their coordination during ‘systemic’ cyber incidents.

The European Banking Authority (EBA), European Insurance & Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) – collectively known as the three European Supervisory Authorities (ESAs) – are working together to establish the ‘EU systemic cyber incident coordination framework’ (abbreviated to ‘EU-SCICF’).

The framework – which has been in the works for more than two-and-a-half years – aims to ‘facilitate an effective financial sector response to a cyber incident that poses a risk to financial stability, by strengthening the coordination among financial authorities and other relevant bodies in the EU, as well as with key actors at international level’.

According to an EU-SCICF update (17 June), the ESAs will ‘kickstart implementation’ of the framework during the ‘coming months’. This will involve the establishment of: an EU-SCICF secretariat; an ‘EU-SCICF Forum’, which will ‘work on testing and maturing the functioning’; and ‘EU-SCICF Crisis Coordination’, which will ‘facilitate during a crisis the coordination of actions by the participating authorities’.

The ESAs will ‘identify legal and other operational hurdles encountered during the initial set-up’ and report these to the European Commission, the announcement states, adding that ‘further development of the framework will be subject to the availability of resources and other measures taken by the Commission’.

‘Risk needs to be addressed’

EU-SCICF is being created following a European Systemic Risk Board (ESRB) recommendation, published in December 2021, and a (related) 46-page ‘Mitigating systemic cyber risk’ report, published by the ESRB in January 2022. The ESRB is responsible for the macroprudential oversight of the financial system within the 27-member EU bloc.

‘The risk of a coordination failure by authorities exists and needs to be addressed,’ the ESRB recommendation warned. ‘Relevant authorities in the Union will need to coordinate among themselves and with other authorities such as ENISA [the European Union Agency for Cybersecurity] with which they might not usually interact,’ it continued, adding that ‘as a significant number of Union financial institutions operate globally, a major cyber incident will likely not be limited to the Union or might be triggered outside the Union and might require global response coordination’.

EU-SCICF also sits against the backdrop of the EU’s Digital Operational Resilience Act (DORA). DORA, which entered into force in January 2023 and will apply from 17 January 2025, establishes technical standards that financial entities and their critical third-party technology providers need to implement.

The ESRB recommendation stated that ‘given the risk to financial stability in the Union stemming from cyber risk, preparatory work for the gradual establishment of the EU-SCICF should, to the extent feasible, start even before the required legal and policy framework for its establishment is fully applicable’. It added that ‘this legal and policy framework would be completed fully and finalised once the relevant provisions of DORA and of its delegated acts become applicable.’

The ESAs, the European Central Bank (ECB) and the relevant national authorities in EU member states designated a main point of contact for the EU-SCICF last year.

Amplification dangers

The December 2021 recommendation warned that ‘major cyber incidents may pose a systemic risk to the financial system given their potential to disrupt critical financial services and operations’.

‘The amplification of an initial shock can either occur through operational or financial contagion or through an erosion of confidence in the financial system,’ the ESRB stated, adding that ‘if the financial system is unable to absorb these shocks, financial stability will be at risk and this situation can result in a systemic cyber crisis.’

The ESAs’ EU-SCICF update was published a couple of days before a global IT outage was triggered by a cybersecurity firm’s faulty security update.

CrowdStrike inadvertently caused Microsoft Windows-based systems to crash around the world, with banks, airlines and hospitals among the organisations affected.

The company’s chief executive said, in a statement (19 July) apologising for the situation, that the outage was caused by ‘a defect found in a Falcon content update for Windows hosts’ and that it was ‘not a cyberattack’.
