This post looks at the legal landscape for financial institutions in the wake of the Equifax cyber-attack.
The scale and sophistication of cyber-attacks on financial institutions is growing at an unprecedented rate. This was illustrated recently by the Equifax data breach, which led to Equifax’s Chairman resigning a couple of weeks ago. In stepping down, the Chairman admitted that “mistakes were made” in Equifax’s response, and the company now faces a series of regulatory investigations and legal claims. While Equifax has faced public criticism, there is still much debate in the industry over the best way to respond to a cyber-attack and over what the regulatory authorities should be doing to help mitigate the threat.
Cyber disturbances bring a variety of novel challenges, including operational, legal and reputational risks. They can lead to breaches of commercial contracts, and customers or counterparties are now far more likely to experience disruptions in ‘real time’ owing to the instant nature of digitalised financial services. So what is the legal and regulatory landscape for firms right now?
The landscape in Europe
The legal and regulatory landscape is a mosaic of overlapping national and supra-national laws, rules and guidance. At the EU level, three pieces of legislation are dominating the horizon:
1. The Network and Information Security Directive will be implemented in the UK before May 2018. It is the first ever legislation devised specifically to improve the cyber-security of EU “essential service providers” (which includes banks, insurance firms and financial markets infrastructures). It aims to establish a high common level of network and information security across member states.
2. The Payment Services Directive II is expected to be transposed into UK law before the end of 2017. The new PSD2 regime will regulate, for the first time, services: (i) where consumers initiate payments directly from their bank accounts (rather than using a card); and (ii) which collect and consolidate information regarding a consumer’s different bank accounts in a single place. Payment service providers will be formally required to carry out an assessment of relevant operational and security risks on an annual basis.
3. The General Data Protection Regulation is due to come into effect in May 2018. The GDPR has a notable extraterritorial reach, and breaches of it can result in fines of up to 4% of a firm’s annual worldwide turnover (or €20 million, whichever is higher).
The landscape in the UK
Within the UK, the regulatory framework for cyber-security flows broadly from three institutions. The first is the Bank of England, which has recently announced its intention to team with the National Cyber Security Centre (the cyber-security organisation within GCHQ) to produce advice for the financial sector. The Bank of England has also launched CBEST, a programme of work to improve and test resilience to cyber-attack within those firms considered core to the UK financial system.
The second institution is the PRA. Last year, the PRA published the results of its thematic work in relation to insurance underwriting cyber risks, concluding that most firms lack clear strategies and risk appetites for managing cyber risk.
The third institution is the FCA. Of particular concern, according to its Business Plan for 2017/18, is the rise in cybercrime and money laundering. These threaten the integrity of the financial markets and the availability of financial services which, together, can result in material harm to consumers.
One common theme to the regulators’ approaches is the need for firms to focus on developing a firm-wide cultural awareness of cyber risks; implementing effective governance structures to underpin that culture and ensure the business is properly focussed on managing the risks; and maintaining robust cyber-incident response plans, which enable business continuity and minimise market and customer disruption.
In many ways, this shift in objectives reflects a growing awareness that all firms will at some point be successfully attacked, and that it is how a firm mitigates the impact that really matters.
The FCA continues to treat enforcement action as a means of creating ‘credible deterrence’ for firms. Both the PRA and FCA have been under increasing pressure from the Treasury Committee, with the Chair of the Treasury Committee stressing:
“These concerns remain, along with a strong desire to see vigorous action from regulators and banks to remedy these weaknesses.”
Managing the shifting landscape
The manner in which a firm responds to a material breach of its cyber-defences could prove critical in its defence of any subsequent regulatory investigation.
Preparation is absolutely key to the successful management of a cyber-attack or IT systems failure. Firstly, it is important that those on the front line (usually the relevant business line, together with the IT department) understand which cyber-attacks or systems failures are business critical and need to be escalated to a legal/compliance response team, and which cyber-attacks are ‘business as usual’ and so can be escalated simply through periodic reporting processes. If IT staff are wary of being ‘blamed’ for a weakness in cyber-defences, they may be hesitant to escalate attacks and this can impede an organisation’s ability to respond to an attack effectively.
Board engagement is critical, not just because culture starts at the top, but also because good governance demands that a board tests whether the risks are fully understood; whether the steps necessary to mitigate those risks have been taken; and whether the institution is ready to address the risks if they crystallise. All financial institutions should also have a detailed cyber-incident response plan. Practice makes perfect, so response plans should be role-played and reviewed regularly.
The number of cyber-attacks against financial services groups reported to the FCA soared by more than 1,700% between 2014 and 2016. The legal and regulatory framework within which institutions operate is changing at a similar pace, as is evident from the fact that most of the legislation and initiatives discussed above are either just a few months old or a few months away. It will be fascinating to see how the regulators react to mounting pressure to ensure that institutions are not just cyber-resilient, but demonstrably engaged with cyber-risk at all levels and, most importantly, in the board room.
Rhodri Thomas & Raphaella Pitt