Among Europe’s largest banks, the long-established practice has been to keep breaches of cyber-security quiet – or as quiet as possible. But a major change is in the pipeline: European-wide legislation that will force firms to report cyber attacks to national incident teams.
The European Commission has drafted a European Network and Infrastructure directive, which is now waiting for formal approval by the European Parliament and is aimed at improving cyber security partly by improving disclosure of attacks. Countries in the EU will have 21 months to pass laws to implement it once it is approved.
The directive will require leading players in key industries – referred to in the directive as “operators of essential services” and including banks and exchanges as well power utilities, for example – to report any breaches in their networks to their relevant national body, which will be known as Computer Security Incident Response Teams (CSIRTs).
The directive is waiting for formal approval by the European Parliament. Countries in the EU will have 21 months to pass laws to implement it once it is approved.
So far banks and exchanges are reluctant to comment on the directive. Asked about its readiness to implement the proposed changes, a spokesperson at the London Stock Exchange, for example, declined to comment because, they said, the directive only exists in draft form.
Ollie Whitehouse, technical director at the NCC Group, the UK-based security specialist, says it is unlikely that reports of breaches will be publicly disclosed. International financial firms will already have experience of disclosing breaches, as Singapore and Israel have already passed legislation requiring mandatory reporting, Whitehouse adds.
“While the supervisory initiatives in Europe may be new, and the onus on detection and response has been increased, this won’t be entirely new to firms,” says Whitehouse. “Programmes such as CBEST [the Bank of England’s penetration testing project] have already helped institutions which are of critical economic importance to validate their detection and response capabilities.”
The UK has already launched its CSIRT, which is called CERT-UK (Computer Emergency Response Team), currently operating on a voluntary basis, in 2014. The EU proposal will create an Europe-wide network of CSIRTs that will cooperate and share information on emerging threats.
According to a European Commission spokesperson if an incident occurs in more than one EU state, “the notified national authority or CSIRT will need to inform the other affected Member State(s) about the incident by preserving the operator’s security and commercial interests as well as the confidentiality of the information provided by the operators.”
CBEST extension
Meanwhile, many in the banking industry expect the Bank of England will seek to further extend its CBEST cyber security penetration testing project, which up to now has been confined to some of the largest financial firms.
CBEST was launched in June 2013 as a testing project for firms considered to be core to the stability of the financial system in June 2013 following the advice of the Bank’s independent Financial Policy Committee (FPC). The FPC is charged with identifying and acting on systemic risks to protect the resilience of the UK financial system.
The CBEST testing framework includes standardised reporting formats for providers of cyber security systems, and a series of key performance Indicators used by the Bank of England to assess the performance of both providers and financial firms participating in the scheme.
The framework was designed by the Bank along with the Council for regular Ethical Security Testing (CREST) and Digital Shadows, a London and San Francisco-based consultancy that specialises, it says, in analysing risks from “an attacker’s eye view”. The British security services have also been advising on the CBEST project.
Additional information: To view the EU’s draft proposals click here. To visit the CERT-UK website, click here.
