On 10 April 2019, the European Supervisory Authorities (‘ESAs’) published a Joint Advice on the need for legislative improvements relating to Information and Communication Technology (‘ICT’) risk management in the EU financial sector (‘Joint Advice’). The three ESAs are the European Banking Authority (‘EBA’), the European Securities and Markets Authority (‘ESMA’) and the European Insurance and Occupational Pensions Authority (‘EIOPA’). The Joint Advice includes, among other things, a recommendation addressed to the EU Commission to establish a framework for the oversight and monitoring of ‘critical’ cloud services providers.
The Joint Advice
The Joint Advice makes several proposals to the Commission for legislative improvements, focusing on incident reporting and third-party cloud service providers. The Joint Advice also includes a useful mapping of the current framework relating to operational resilience across different sectors in the financial system.
According to the Joint Advice, all firms should establish and maintain effective risk-management procedures to address ICT and cybersecurity risks. To this end, they must put in place appropriate governance, operational and control measures. At the same time, the ESAs recognise that the current legislative framework could benefit from clarification and standardisation.
More specifically, in the area of banking and payments the Joint Advice recommends amending the Capital Requirements Directive and the second Payment Services Directive to include specific provisions on operational resilience. These would form part of firms’ wider obligations relating to governance and internal controls. Similar changes should be made to the Solvency II Directive for the insurance and reinsurance sector. Moreover, the Commission should consider closing gaps in the securities markets legislation by making explicit references to cybersecurity and introducing incident reporting requirements where there are currently none.
More interestingly, the cross-sectoral proposals are the following:
- Streamlining requirements on incident reporting: Presently, there are multiple frameworks for incident reporting. This adds significant complexity, especially when a single breach triggers several incident reporting obligations. The Joint Advice does not propose to remove the existing requirements, but rather to clarify overlapping provisions and to standardise reporting templates and timeframes, with a view to making incident reporting a more streamlined process across sectors.
- Establishing a framework for the oversight of cloud service providers: There is increasing reliance on third parties for the provision of critical services in the financial sector. The resulting interconnections and concentration risks raise systemic risk concerns. This is particularly the case with cloud services, where a handful of large providers serve the majority of the EU financial sector. The Joint Advice concludes that there is a need to establish an effective oversight framework for monitoring ‘critical’ service providers when their activities may affect financial firms. In particular, the framework should clarify the conditions for qualifying as a ‘critical’ service provider and specify which activities would fall into scope. The Joint Advice further notes that international coordination will be key in this regard, considering that cloud service providers operate on a cross-border basis both within and outside the EU.