EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Europaudvalget 2019-20
EUU Alm.del Bilag 516
Offentligt

EUROPEAN COMMISSION

Directorate-General for Financial Stability, Financial Services and Capital

Markets Union

CONSULTATION DOCUMENT

Digital Operational Resilience Framework for financial services: Making the EU financial

sector more secure

Disclaimer

This document is a working document of the Commission services for consultation and does not

prejudge the final decision that the Commission may take.

The views reflected on this consultation paper provide an indication on the approach the

Commission services may take but do not constitute a final policy position or a formal proposal by

the European Commission.

The responses to this consultation paper will provide important guidance to the Commission when

preparing, if considered appropriate, a formal Commission proposal.

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

https://ec.europa.eu/info/business-economy-euro_en

You are invited to reply

by 19 March 2020

at the latest to the

online questionnaire

available on

the following webpage:

https://ec.europa.eu/info/publications/finance-consultations-2019-

financial-services-digitalresilience_en

Please note that in order to ensure a fair and transparent consultation process

only responses

received through the online questionnaire will be taken into account and included in the

report summarising the responses.

This consultation follows the normal rules of the European Commission for public consultations.

Responses will be published unless respondents indicate otherwise in the online questionnaire.

Responses authorised for publication will be published on the following webpage:

https://ec.europa.eu/info/publications/finance-consultations-2019-financial-services-

digitalresilience_en

CONTENT OF THE CONSULTATION DOCUMENT

Public consultation on a potential initiative on the digital operational resilience in the area

of financial services

Introduction

Digitalisation and new technologies are significantly transforming the European financial system

and the way it provides

financial services to Europe’s businesses and citizens. Almost two years

after the Commission adopted the Fintech Action Plan in 2018, the actions set out in it have largely

been implemented.

In order to promote digital finance in Europe while adequately regulating its risks, and in light of

the mission letter of Executive Vice President Dombrovskis, the Commission services are working

towards a new Digital Finance Strategy for the EU. Key areas of reflection include deepening the

Single Market for digital financial services, promoting a data-driven financial sector in the EU

while addressing its risks and ensuring a true level playing field, making the EU financial services

regulatory framework more innovation-friendly, and enhancing the digital operational resilience

of the financial system.

This public consultation, and the public consultation on crypto assets published in parallel, are first

steps towards potential initiatives which the Commission is considering in that context. The

Commission may consult further on other issues in this area in the coming months.

The financial sector is the largest user of information and communications technology (ICT) in the

world, accounting for about a fifth of all ICT expenditure

. Its operational resilience hinges to a

large extent on ICT. This dependence will further increase with the growing use of emerging

models, concepts or technologies, as evidenced by financial services benefitting from the use of

distributed ledger and artificial intelligence. At the same time, an increased use of artificial

intelligence in financial services may generate a need for stronger operational resilience and

Without the intention to provide a definition, the concept of “digital operational resilience” is used

throughout the document to refer to the ability of a financial entity to build and maintain its operational

integrity and the full range of operational capabilities, related to any digital and data

technologydependant component, tool, process that the financial entity uses to conduct and support its

business. It encompasses ICT and security risk management.

According to Statista, financial sector combined IT spending worldwide in 2014 and 2015 amounted to

US$ 699 billion, well ahead of manufacturing and natural resources (US$ 477 bn), media (US$ 429 bn)

or governments (US$ 425 bn). Total global IT spending in 2014 and 2015 were estimated at US$ 3734

billion and US$ 3509 billion respectively, suggesting that almost 1 in every 5 US$ spent on IT

worldwide is in the financial sector.

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

accordingly for ensuring an appropriate supervision. Accordingly, whether we talk about online

banking or insurance services, mobile payment applications, digital trading platforms, high

frequency trading algorithms, digital clearing and settlement systems, financial services delivered

today rely on digital technologies and data.

Dependence on ICT and data raises new challenges in terms of operational resilience. The

increasing level of digitalisation of financial services coupled with the presence of high value assets

and (often sensitive) data make the financial system vulnerable to operational incidents and cyber-

attacks. While it already outspends other sectors in safeguarding itself against ICT risks (both of

malicious and accidental nature) finance is nonetheless estimated to be three times more at risk of

cyber-attacks than any other sector

. In the recent years, the frequency and impact of cyber

incidents has been increasing, with research estimating the total cost in the range of tens to

hundreds of billions of Euro for the global economy. The increasing digitalisation of finance is set

to accelerate this trend. The ever-increasing number and sophistication of cyber-threats and ICT

incidents in the financial sector illustrate the importance and urgency to tackle the incidence and

effects of these risks in a pre-emptive way. Operational resilience issues, and in particular ICT and

security risks can also be source of systemic risk for the financial sector. These issues should be

addressed as an integral part of the EU regulatory framework and single rulebook that aims to

ensure the competitiveness, integrity, security and stability of the EU financial sector.

The EU financial sector is governed by a detailed and harmonised single rulebook, ensuring proper

regulation and a level playing field across the single market, which in some areas forms the basis

for EU bodies to supervise specific financial institutions (e.g. Single Supervisory Mechanism

supervision of credit institutions). The EU financial services regulatory landscape already includes

certain ICT and security risk provisions and, more generally, operational risk provisions, but these

rules are fragmented in terms of scope, granularity and specificity. ICT and security risks are one

of the major components of operational risk, which prudential supervisors should assess and

monitor as part of their mandate. In order to preserve and build a harmonised approach and

implement international standards in the financial sector with a view to more effectively address

digital operational resilience issues and to raise trust and stimulate digital innovation, it is essential

that financial supervisors’ efforts work in a harmonised and convergent framework across Member

States and across different parts of the financial sector. Where EU bodies have direct supervisory

responsibilities over certain financial institutions, this will also ensure that they have the necessary

and appropriately framed powers.

The EU has taken steps towards a horizontal cyber security framework that provides a baseline

across sectors.

The ICT and security risks faced by the financial sector and its level of

preparedness and integration at EU level warrant specific and more advanced co-ordinated actions

that build on, but go substantially beyond the horizontal EU cyber security framework and that are

commensurate with a higher degree of digital operational resilience and cyber security maturity

expected from the financial sector.

Under its Fintech Action Plan,

the European Commission asked the European Supervisory

Authorities (i.e. the European Banking Authority, the European Securities and Markets Authority,

and European Insurance and Occupational Pensions, hereinafter the “ESAs”) to map the existing

supervisory practices across financial sectors around ICT security and governance requirements,

to consider issuing guidelines aimed at supervisory convergence and, if necessary provide the

Commission with technical advice on the need for legislative improvements. The Commission also

invited the ESAs to evaluate the costs and benefits of developing a coherent cyber resilience testing

European Parliament report on "Fintech: the influence of technology on the future of the financial sector"

(2016/2243(INI))

http://www.europarl.europa.eu/doceo/document/A-8-2017-0176_EN.pdf

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning

measures for a high common level of security of network and information systems across the Union,

(the NIS Directive)

FinTech Action plan: For a more competitive and innovative European financial sector,

COM/2018/0109 final,

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52018DC0109

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

framework for significant market participants and infrastructures within the whole EU financial

sector.

Building on that, the focus of this public consultation is to inform the Commission on the

development of a potential EU cross-sectoral digital operational resilience framework in the area

of financial services. This consultation aims at gathering all stakeholders' views in particular on:

•

strengthening the digital operational resilience of the financial sector, in particular as

regards the aspects related to ICT and security risk;

the main features of an enhanced legal framework built on several pillars;

impacts of the potential policy options.

the

Stakeholders mapping

The following relevant stakeholder groups have been identified:

•

Public authorities: Member States governments, national competent authorities, all

relevant actors of the financial supervisory community including at EU level (EU

supervisory authorities and other relevant EU agencies or bodies).

Industry, business associations, SMEs: financial services providers (e.g. credit institutions,

(re)insurance companies, investment firms, central counterparties, central securities

depositories, trade repositories, credit rating agencies, audit firms, asset managers,

regulated markets, payment service providers etc.), ICT services providers.

Consumers, financial services and ICT services users, civil society.

Academia and public interest organisations and think tanks

•

Context of the present consultation

There is broad political agreement at international level that cyber risks in the financial sector must

be addressed by enhancing and reviewing cyber resilience. Cyber resilience as part of the broader

work on the operational resilience of financial institutions is a priority for many financial

supervisors and regulators across the globe, with several ongoing work streams in various

international fora (i.e. G7, FSB, BCBS, CPMI-IOSCO).

At EU level, the European Parliament called on the Commission “to make

cybersecurity the

number one priority” in taking the work forward in its FinTech Action Plan.

It also emphasised

the need for more supervisory oversight into cyber risks, more cooperation among competent

authorities, as well better information sharing among market participants regarding cyber threats,

and more investment into effective cyber-defences.

The Commission’s Fintech Action Plan has set out plans to develop a dedicated approach to cyber

security which is a part of the operational resilience for the EU financial sector. A dedicated

approach to enhance what can be referred to as the digital operational resilience of financial

institutions is even more relevant in the context of the increase in outsourcing arrangements and

third party dependencies (e.g. through cloud adoption). As committed in the Fintech Action Plan,

the Commission has responded with several policy actions, among which the upcoming

development of Standard Contractual Clauses for cloud arrangements with financial sector entities.

European Parliament report on "Fintech: the influence of technology on the future of the financial sector"

(2016/2243(INI)),

http://www.europarl.europa.eu/doceo/document/A-8-2017-0176_EN.pdf

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Further to that, and with an eye to future legislative improvements, the ESAs published a joint

Technical Advice in April 2019.

Their assessment demonstrated the existence of fragmentation in

the scope, granularity and specificity of ICT and security/ cyber security provisions across the EU

financial services legislation. The ESAs hence called on the Commission to propose legislative

changes in the area of ICT and cyber security for the EU financial sector, allowing the identified

gaps and inconsistencies to be addressed.

More specifically, they propose legislative changes in four main areas: (1) requirements on ICT

and security risk management in the legislative acquis applicable to the financial sector, (2)

streamlining the existing incident reporting requirements (3) setting out a cyber resilience testing

framework and (4) establishing an oversight of ICT third party providers to the financial

institutions.

More recently, in the informal ECOFIN discussion in September 2019 on the resilience of financial

institutions against cyber and “hybrid” threats, Member States also highlighted the urgent need for

having in place better testing, more information sharing and enhanced coordination between

authorities.

In this context, the Commission is launching a public consultation to explore how an enhanced

framework for digital operational resilience of the EU financial sector could be set up. This goal

could be achieved through an EU cross-sectoral initiative for the financial sector that would take

into account the strengths and specificities of existing international, EU and national frameworks

and developments on ICT security and risk management.

For more information or additional questions please contact:

[email protected]

See

https://eu2019.fi/documents/11707387/15400298/Hybrid+Threats+Informal+ECOFIN+final+Issues+

Note+2019-09-09_S2.pdf/29565728-f476-cbdd-4c5f-

7e0ec970c6c4/Hybrid+Threats+Informal+ECOFIN+final+Issues+Note+2019-09-09_S2.pdf

--------------------------------

PART I

STAKEHOLDER

IDENTIFICATION,

AND CONFIDENTIALITY

TRANSPARENCY

PART II

UILDING

LOCKS FOR A POTENTIAL

INITIATIVE

MAIN ISSUES

Although a horizontal EU cyber security framework are in place across various sectors

, ICT and

security risk in the area of financial services has so far only been partially addressed in the EU

regulatory and supervisory framework. This framework has traditionally focussed on propping up

the financial resilience of various institutions by means of additional capital and liquidity buffers

See

https://esas-joint-committee.europa.eu/Pages/News/ESAs-publish-Joint-Advice-on-Information-

andCommunication-Technology-risk-management-and-cybersecurity.aspx

NIS Directive and Regulation (EU) 2019/881 on ENISA and on information and communications technology

cybersecurity certification (The EU Cybersecurity Act).

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

and regulating their conduct in order to protect their users and clients. Less focus has gone into

operational stability and in particular into building digital operational resilience. This includes risks

related to the growing digitalisation of finance, outsourcing and the consequent need for greater

cyber-vigilance. The horizontal EU cyber security framework does not fully reflect the increasingly

important role that ICT plays in the financial sector, and the risks it can pose to the operational

resilience of an institution, consumer trust and confidence, and, by extension, to financial stability.

Following up on the advice submitted by the three ESAs in April 2019, the Commission is seeking

stakeholders’ views in the areas of:

•

Targeted improvements of ICT and security risk management requirements

across

the different pieces of EU financial services legislation. Such improvements are needed to

reinforce the level of digital operational resilience across all main financial sectors subject

to the EU financial regulatory framework. They could build on existing requirements in

EU law, taking into account standards, guidelines or recommendations on operational

resilience, which have already been agreed internationally (e.g. guidelines issued by the

ESAs, G7, Basel Committee, CPMI-IOSCO).

Harmonisation of ICT incidents reporting:

rules on reporting should be clarified and

complemented with provisions facilitating a better monitoring and analysis of ICT and

security-related risks. This exercise could look into setting out what qualifies as a

reportable incident and setting materiality thresholds in this respect, setting out relevant

time frames, while also clarifying reporting lines and harmonising templates to bring

further consistence and ease of use.

The

development of a digital operational resilience testing framework

across all

financial sectors, providing for a mechanism to anticipate threats and improve the digital

operational readiness of financial actors and authorities. This assessment could look into

setting key requirements to perform digital operational resilience testing while maintaining

flexibility and proportionality to address specific needs of financial actors by virtue of their

size, complexity and scale of operations.

Specific rules enabling a

better oversight of certain critical ICT third-party providers

which regulated financial institutions rely on, and outsource functions to.

Specific arrangements

to promote

effective information sharing

on ICT and security

threats among financial market participants and b)

better cooperation

among public

authorities.

2.1.

ICT and security requirements

•

In their Joint Advice, the three ESAs point to different, sometimes inconsistent terminology across

the financial services acquis. In addition, when it comes to ICT and security risk,

the EU financial

services acquis appears fragmented in the level of detail and specificity of such provisions.

Currently, rules on ICT and security risk (sometimes implicitly considered under operational risk

requirements, other times explicitly referred to in terms of ICT-requirements) seem patchy. Some

regulated financial entities are subject to more specific requirements (e.g. under PSD2, CSDR,

For instance, EBA Guidelines on ICT and security risk management, EBA Guidelines on outsourcing

arrangements, G-7 Fundamental Elements of Cybersecurity for the Financial Sector, G-7 Fundamental

Elements for Threat-Led Penetration Testing, G-7 Fundamental Elements for Third Party Cyber Risk

Management in the Financial Sector, BCBS Cyber-resilience: range of practices, CPMI-IOSCO

Guidance on cyber resilience for financial market infrastructures, etc.

The EBA has recently published its Guidelines on ICT and security risk management (EBA/GL/2019/04)

applicable to all institutions under the EBA remit and aim to strengthen institutions’ resilience against

ICT and security risks.

https://eba.europa.eu/eba-publishes-guidelinesict-and-security-risk-management

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

EMIR, etc.)

, while for other financial entities such rules are rather general or even inexistent (e.g.

CRD/CRR, Solvency II, UCITS/AIFMD, etc.)

. Not all EU legislation addresses the full spectre

of ICT and security risk management requirements based on standards, guidelines or

recommendations on cyber risk management and operational resilience agreed internationally (e.g.

G7, Basel Committee, CPMI-IOSCO, etc.). Further, requirements are not uniformly spread out

between Level 1 (Regulations, Directives) and Level 2 (delegated and implementing acts) texts

across the different financial sectors.

The three ESAs note overall an absence of explicit provisions on ICT and security risk

management. They plead for clarity about a minimum level of ICT security and governance

requirements. On this basis, a set of improvements related to ICT-risk management requirements

may be needed to reinforce the cybersecurity readiness and resilience across all key financial

sectors.

Questions:

1. Taking into account the deep interconnectedness of the financial sector, its extensive reliance

on ICT systems and the level of trust needed among financial actors, do you agree that all

financial entities should have in place an ICT and security risk management framework based

on key common principles?



Yes

Don't know/no opinion

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

The question implies a very broad scope in the term »all financial entities« but, having due

consideration to proportionality, this appears as an overarching characterization of the

requirements to regulated entities.

2. Where in the context of the risk management cycle has your organisation until now faced most

difficulties, gaps and flaws in relation to its ICT resilience and preparedness? Please rate

each proposal from 1 to 5, 1 standing for ‘not problematic’ and 5 for ‘highly problematic’).

Stage in the risk management cycle (or

1 2 3 4 5

Don’t

know/not

any other relevant related element)

applicable

Identification

Detection

Ability to protect

Respond

The Payment Services Directive 2 (PSD2) - Directive (EU) 2015/2366, the Central Securities Depositories

Regulation (CSDR) - Regulation (EU) No 909/2014, the European Market Infrastructure Regulation

(EMIR) - Regulation (EU) No 648/2012.

The Capital Requirements Directive (CRD IV) - Directive 2013/36/EU, the Capital Requirements

Regulation (CRR) - Regulation (EU) No 575/2013, Solvency II Directive - Directive 2009/138/EC, The

Undertakings for Collective Investment in Transferable Securities Directive (UCITS) - Directive

2009/65/EC, The Alternative Investment Fund Managers Directive (AIFMD) - Directive 2011/61/EU.

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Recovery

Learning and evolving

Information sharing with other financial

actors on threat intelligence

Internal coordination (within the

organisation)

Other (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

3. What level of involvement and/or what type of support/ measure has the Board (or more

generally the senior management within your organisation) offered or put in place/provided

for, in order to allow the relevant ICT teams to effectively manage the ICT and security risk?

Please rate each proposal from 1 to 5, 1 standing for ‘no support/ no measure’ and 5 for ‘high

support/very comprehensive measures’).

Type of involvement, support or measure

Don’t

know/not

applicable

Appropriate allocation of human and

financial resources

Appropriate investment policy in relation to

the ICT and security risks

Approval by the Board of an ICT strategy

(that also deals with ICT security aspects)

Active role of the Board (or the senior

management) when your organisation

faces major cyber incidents or, as the case

may be, role of the Board in the ICT

business continuity policy

Top leadership and guidance received in

relation to ICT security and ICT risks

Other (please specify)

To the extent you deem it necessary, please explain your reasoning and emphasize in addition

any type of support and measure that you consider that you consider the Board and senior

management should provide. [Insert text box]

4. How is the ICT risk management function implemented in your organisation?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

5. Which main arrangements, policies or measures you have in place to identify and detect ICT

risks?

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Type of arrangement, policy, measure

Yes

Don’t

know/not

applicable

Do you establish and maintain updated a mapping of your

organisation’s business functions, roles and supporting

processes?

Do you have an up-to-date registry/inventory of supporting

ICT assets (e.g. ICT systems, staff, contractors, third parties

and dependencies on other internal and external systems

and processes)?

Do you classify the identified business functions, supporting

processes and information assets based on their criticality?

Do you map all access rights and credentials and do you use

a strict role-based access policy?

Do you conduct a risk assessment before deploying new ICT

technologies / models?

Other (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

6. Have you experienced cyber-attacks with serious repercussions for your clients or

counterparties?

Yes



Don't know/Not applicable

To the extent you deem it necessary, please explain and illustrate in particular the nature of

the attack and the impacts on the clients/counterparts. [Insert text box]

7. How many cyber-attacks does your organisation face on average every year? How many of

these have/are likely to create disruptions of the critical operations or services of your

organisation?

Please explain your reasoning. [Insert text box]

8. Do you consider that your ICT systems and tools are appropriate, regularly updated, tested

and reviewed to withstand cyber-attacks or ICT disruptions and to assure their operational

resilience? Which difference do you observe in this regard between in-house and outsourced

ICT systems and tools?

Yes



Don't know/Not applicable

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

9. Has your organisation developed and established a cloud strategy?

Yes



Don't know/no opinion

10. If the answer to the previous question (no. 9) is yes, please explain which of the following

aspects are covered and how.

Yes

Don’t

know/not

applicable

Do you use on-premise cloud technology?

Do you use off-premise cloud technology

Does this strategy contribute to managing and

mitigating ICT risks?

Do you use multiple cloud service infrastructure

providers? How many?

Did your Board and senior management

establish a competence center for cloud in your

organisation?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

11. Do you have legacy ICT systems that you would need to reconsider for enhanced ICT security

requirements? What would be the level of investments needed (in relative or absolute terms)?

Yes



Don't know/Not applicable

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

12. What in your view are possible causes of difficulties you experienced in a cyber-attack/ ICT

operational resilience incident? Please rate each answer from 1 to 5, 1 standing for ‘not

problematic’ and 5 for ‘highly problematic’).

Causes of difficulties

2 3

Don’t know/not

applicable

ICT environmental complexity

Issues with legacy systems

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Lack of analysis tools

Lack of skilled staff

Other (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

13. Do you consider that your organisation has implemented high standards of encryption?

Yes



Don't know/Not Applicable

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

14. Do you have a structured policy for ICT change management and regular patching and a

detailed backup policy?

Yes



Don't know/not Applicable

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

15. Do you consider that your organisation has established and implemented security measures

to manage and mitigate ICT and security risks (e.g. organisation and governance, logical

security, physical security, ICT operations security, security monitoring, information security

reviews, assessment and testing, and/or information security training and awareness

measures)?

Yes



Don't know/Not applicable

To the extent you deem it necessary, please explain your reasoning and for which measures

legal clarity and simplification would be needed. [Insert text box]

16. On average, how quickly do you restore systems after ICT incidents, in particular after a

serious/major cyber-attack? Are there any differences in that respect based on where the

impact was (impact on the availability, confidentiality or rather the integrity of data)?

To the extent you deem it necessary, please specify and explain. [Insert text box]

17. Which issues you struggle most with, when trying to ensure a quick restoration of systems and

the need to maintain continuity in the delivery of your (critical) business functions?

Issues

Yes No

Don’t

know/not

applicable

Lack of comprehensive business continuity policy and/or

recovery plans

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Difficulties to keep critical/ core business operations

running and avoid shutting down completely

Internal coordination issues (i.e. within your organisation)

in the effective deployment of business

continuity and recovery measures

Lack

common

contingency,

response, resumption/recovery plans for

cyber security scenarios - when more financial actors in

your particular ecosystem are impacted

No ex-ante determination of the precise required capacities

allowing the continuous availability of the system

Difficulties of the response teams to effectively engage with

all relevant (i.e. business lines) teams in your organization

to perform any needed mitigation and recovery actions

Difficulty to isolate and disable affected information

systems

Other (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

Note as regulator: It occurs, that the time needed to ensure data integrity post incident

before resuming operations has not been taken into account in recovery plans. This

may lead to justifiable breaches of RTO’s.

18. What are your views on having in the legislation a specific duration for the Recovery Time

Objective (RTO) and having references to a Recovery Point Objective (RPO)?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

Answering as a regulator: RTO’s can be useful to convey the target net risk

of a given

institution to be assessed by the regulator. It is important to stress though, that breach

of the RTO in any given incident in an institution shall not constitute a breach of the

regulatory requirements.

19. Through which activities or measures do you incorporate lessons post-incidents and how do

you enhance the cyber security awareness within your organisation?

Yes No

Don’t

know/not

applicable

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Do you promote staff education on ICT and security risk

through regular information sessions and/or trainings for

employees?

Do you regularly organize dedicated trainings for the Board

members and senior management?

Do you receive from the Board all the support you need for

implementing effective cyber incident response and recovery

improvement programs?

Do you make sure that the root causes are identified and

eliminated to prevent the occurrence of repeated incidents?

Do you conduct ex post root cause analysis of cybersecurity

incidents?

Other (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

2.2.

ICT and security incident reporting requirements

The ESAs advise the Commission to consider a comprehensive, harmonised system of ICT incident

reporting requirements for the financial sector. This should be designed to enable financial entities

to report accurate and timely information to competent authorities, in order to allow firms and

authorities to properly log, monitor, analyse and adequately respond to ICT and security risks and

mitigate fraud. The ESAs propose that templates, taxonomy and timeframes should be standardised

where possible. Finally, the relationship with existing incident reporting requirements, e.g. under

the Payment Services Directive (PSD2) or Central Securities Depositories Regulation (CSDR), as

well as under the NIS Directive and GDPR, should be clarified.

Questions:

20. Is your organisation currently subject to ICT and security incident reporting requirements?

Yes



Don't know/Not applicable

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

21. Do you agree that a comprehensive and harmonised EU-wide system of ICT and security

incident reporting should be designed for all financial entities?

Yes



Don't know

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

The utility of an EU-wide (or EEA-wide) system of ICT and security incident reporting is wholly

dependent upon the way such a system is designed and implemented. Due consideration should

be given to the cost of a system for stakeholders when assessing the expected benefits.

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

22. If the answer to the previous question (no. 21) is yes, please explain which of the following

elements should be harmonised?

Elements to be harmonised in the EU-wide system

Yes No

Don’t

know/not

of ICT incident reporting

applicable

Taxonomy of reportable incidents

Reporting templates

Reporting timeframe

Materiality thresholds

Other (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

In this context »reporting templates« are needed strictly in the sense of data standards for

reporting in accordance with the relevant taxonomies and report types.

23. What level of detail would be required for the ICT and security incident reporting? Please

elaborate on the information you find useful to report on, and what may be considered as

unnecessary.

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

Only material incidents with actual or potential effect on the entity and/or its customers in

accordance with a suitable materiality threshold, as well as significant new potential threats

should be reported. The threshold for reporting in accordance with the NIS setup is too high

if the purpose of the reporting is information gathering. The threshold should be set according

to the purpose of the reporting, e.g. information gathering, threat intelligence, sector - or

supervisory response.

24. Should all incidents be within the scope of reporting, or should materiality thresholds be

considered, whereby minor incidents would have to be logged and addressed by the entity but

still remain unreported to the competent authority?

Yes



No ;.

Don't know

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

Not all incidents should be within the scope. Materiality thresholds could be considered

provided the benefits of the system as such exceeds the costs. The vast majority of

incidents are of a kind not needed nor suitable for regulatory reporting.

25. Which governance elements around ICT and security incident reporting would be needed? To

which national competent authorities should ICT and security incidents be reported or should

there be one single authority acting as an EU central hub/database?

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

Security incident reporting is part of the microprudential operational risk management. At national

level, the present set up in Denmark is composed of a financial sector forum for operational

resilience and a Nordic financial CERT, coordinated in Denmark by the Danish central bank,

which also coordinate the ongoing Danish implementation of TIBER-EU. The financial sector role

in the national cybersecurity strategy is coordinated bu the Danish FSA.

26. Should a standing mechanism to exchange incident reports among national competent

authorities be set up?

Yes



Don't know

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

A standing mechanism might be useful in the context of European cooperation in the field

of cyber threat intelligence, but a cost/benefit analysis may be necessary in order to

determine whether an appropriate scope for such a mechanism can be identified.

27. What factors or requirements may currently hinder cross-border cooperation and information

exchange on ICT and security incidents?

To the extent you deem it necessary, please explain your reasoning and provide concrete

examples. [Insert text box]

In some areas,

NCA’s have

national confidentiality requirements impeding the exchange

of information between authorities.

2.3.

Digital operational resilience testing framework

Financial institutions must regularly assess the effectiveness of their preventive, detection and

response capabilities to uncover and address potential vulnerabilities. The ESAs advice identifies

several tools to achieve this objective and recommends implementing a

multi-stage gradual

approach

that sets a common denominator amongst all financial entities and raises the bar of the

digital operational resilience across the EU financial sector. In the short term, ESAs recommend to

focus on prevention, ensuring that entities perform the basic assessment of their cyber

vulnerabilities. In the medium-longer term, the ESAs suggest developing a coherent

cyber

resilience testing framework

across the EU financial sectors, together with setting-up of a common

set of guidance that could lead to the mutual acceptance/recognition of the test results across the

EU supervisory community.

In general, a digital resilience testing

can be a highly effective tool to uncover aspects of ICT and

security policy that are lacking, to provide real-life feedback on some routes most at risk into the

Without the intention to provide a definition,

the concept of “digital operational resilience testing” refers

throughout the document to techniques, tools and measures to assess the effectiveness of a financial

entity’s preventive, detection, response and recovery capabilities to uncover and

address potential

vulnerabilities. It includes both a baseline testing/assessment (e.g. gap analysis, vulnerability scans, etc.)

and more advanced testing (e.g. threat led penetration testing, TLPT).

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

entity's systems and networks, as well as to raise awareness on ICT security and resilience within

the financial entity. It can also facilitate the creation of a single market for intelligence and test

providers.

If different EU regulatory driven testing frameworks emerge across Member States, financial

entities are potentially faced with increased costs and duplication of work. Facilitation,

synchronisation and EU-wide cooperation would thus be advisable.

Questions:

28. Is your organisation currently subject to any ICT and security testing requirements?

Yes



Don't know/not applicable

If the answer is yes:

Yes

Don’t

know/

not applicable

Do you face any issues with overlapping

or diverging obligations?

Do you practice ICT and security testing

on a voluntary basis?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

29. Should all financial entities be required to perform a baseline testing/assessment of their ICT

systems and tools? What could its different elements be?

Yes

not

Don’t

know/

Different elements of a baseline

testing/assessment framework

applicable

Gap analyses?

Compliance reviews?

Vulnerability scans?

Physical security reviews?

Source code reviews?

Others (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

The listed elements could all be potential elements of a baseline test, subject to

proportionality. The employment of baseline test should be determined by a risk based

approach.

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

30. For the purpose of being subject to more advanced testing (e.g. threat led penetration testing,

TLPT), should financial entities be identified at EU level (or should they be designated by

competent authorities) as “significant” on the basis of a combination of criteria such as:

Criteria

Yes

Don’t know/ not

applicable

Proportionality–related factors (i.e. size, type,

profile, business model)?

Impact

–

related factor (criticality of services

provided)?

Financial stability concerns

importance for the EU)?

(Systemic

Other appropriate qualitative or quantitative

criteria and thresholds (please specify)?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

The identification should be done at NCA level and all criteria should be applied with a risk

based approach.

31. In case of more advanced testing (e.g. TLPT), should the following apply?

Yes

Don’t

know/

not applicable

Should it be run on all functions?

Should it be focused on live production systems?

To deal with the issue of concentration of expertise in

case of testing experts, should financial entities employ

their own (internal) experts that are operationally

independent in respect of the tested functions?

Should testers be certified, based on recognised

international standards?

Should tests run outside the Union be recognised as X

equivalent if using the same parameters (and thus be held

valid for EU regulatory purposes)?

Should there be one testing framework applicable across

the Union? Would TIBER-EU be a good model?

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Should the ESAs be directly involved in developing a

harmonised testing framework (e.g. by issuing guidelines,

ensuring coordination)? Do you see a role for other EU

bodies such as the ECB/SSM, ENISA or ESRB?

Should more advanced testing (e.g. threat led penetration

testing) be compulsory?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

* TLPT should always be adequately comprehensive, but in order to determine which

functions should be subject to TLPT a risk based approach should be applied.

32. What would be the most efficient frequency of running such more advanced testing given their

time and resource implications?

Every six months



Every year

Once every three years

Other [Insert text box]

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

The appropriate frequency of penetration testing depends on a number of factors, such

as the volume and character of the regulated activities in question, the maturity of cyber

resilience of the entities in question and their capabilities to react to the findings of the

TLPT. For important entities, depending on their type, in an ideal scenario, a frequency

of one year may be appropriate for SIFI’s and comparable entities.

33. The updates that financial entities make based on the results of the digital operational testing

can act as a catalyst for more cyber resilience and thus contribute to overall financial stability.

Which of the following elements could have a prudential impact?

Yes

Don’t know/ not applicable

The baseline testing/assessment tools (see X

question 29)?

More advanced testing (e.g. TLPT)?

Other (please specify)

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

The baseline testing will arguably have a prudential impact due to maturity levels being

determined for entities previously having an inadequate level, for the management bodies as

well as supervisors. The prudential impact of TLPT is already evident for entities subject to

TLPT in the TIBER-DK framework.

2.4.

Addressing third party risk: Oversight of third party providers (including

outsourcing)

Financial entities use third party ICT service providers to outsource a large number of their

activities. While this brings significant opportunities, it may also create new risks for financial

entities and specifically may relocate existing operational, ICT, security, governance and

reputational risks to third party technology providers. Furthermore, it can lead to legal and

compliance issues, to name just a few, that can originate at the third party or derive from ICT and

security vulnerabilities within the third party.

A set of general principles should be available in the legal framework to orient different financial

institutions in their set-up and management of contractual arrangements with third party providers,

also enabling a better overview of risks stemming from third parties and any subsequent chain of

outsourcing.

The widespread use of ICT third party providers can also lead to concentration risk in the

availability of ICT third party providers, their substitutability and in the portability of data between

them. This can impair financial stability. Some ICT third party providers are globally active, so

concentration risks - together with other risks such as location of data - further increase. That is

even more so in the current context of regulatory fragmentation.

The ESAs recommend establishing an appropriate third party oversight framework to address the

need of a better monitoring of such risks posed by ICT third party providers. The framework should

set out criteria for identifying the critical nature of the ICT third party providers, define the extent

of the activities that are subject to the framework and designate the authority responsible to carry

out the oversight.

Questions:

34. What are the most prominent categories of ICT third party providers which your organisation

uses?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

Responding as a regulator: the main third party providers for financial institutions are

regulated and specialised financial sector IT-providers, traditional third party providers

and, to an increasing extent, cloud service providers.

35. Have you experienced difficulties during contractual negotiations between your organisation

and any ICT third party providers, specifically with regard to establishing arrangements

reflecting the outsourcing requirements of supervisory/regulatory authorities?

Yes



Don't know/not applicable

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

To the extent you deem it necessary, please explain your reasoning, elaborating on which

specific outsourcing requirements were difficult to get reflected in the contract(s). [Insert text

box]

Responding as a regulator: the experience from regulated entities application of the current

regulatory requirements to outsourcing, specifically to cloud service providers, is that contracts

often need mutually binding amendments to achieve the level of outsourcing governance

required of the regulated entities.

36.

As part of the Commission’s work on Standard Contractual Clauses for cloud arrangements

with financial sector entities, which outsourcing requirements best lend themselves for

standardisation in voluntary contract clauses between financial entities and ICT third party

service providers (e.g. cloud)?

To the extent you deem it necessary, please explain your reasoning [Insert text box]

The regulatory requirements could potentially all be met by standard clauses. When drafting

standard clauses, it is critical to avoid ambiguities.

37. What is your view on the possibility to introduce an oversight framework for ICT third party

providers?

Yes

Don’t

know/not

applicable

Should an oversight framework be established?

Should it focus on critical ICT third party

providers?

Should “criticality” be based on a set of both

qualitative and quantitative thresholds (e.g.

concentration, number of customers, size,

interconnectedness, substitutability, complexity,

etc.)?

Should proportionality play a role in the

identification of critical ICT third party

providers?

Should other related aspects (e.g. data

portability, exit strategies and related market

practices,

fair

contractual

practices,

environmental performance, etc.) be included in

the oversight framework?

Should EU and national competent authorities

responsible for the prudential or organisational

supervision of financial entities carry out the

oversight?

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

Should a collaboration mechanism be established

(e.g. within colleges of supervisors where one

national competent authority assumes the lead in

overseeing a relevant ICT service provider to an

entity under its supervision - see e.g. CRD

model)?

Should the oversight tools be limited to

nonbinding tools (e.g. recommendations,

crossborder cooperation via joint inspections and

exchanges of information, onsite reviews, etc.)?

Should it also include binding tools (such as

sanctions or other enforcement actions)?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

38. What solutions do you consider most appropriate and effective to address concentration risk

among ICT third party service providers?

Yes

Don’t

know/not

applicable

Diversification strategies, including a potential

mandatory or voluntary rotation mechanism

with associated rules to ensure portability (e.g.

auditing model)

Mandatory multi-provider approach

Should limits be set by the legislator or

supervisors to tackle the excessive exposure of

a financial institution to one or more ICT third

party providers?

Other (please specify)

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

2.5.

Other areas where EU Action may be needed

Information sharing:

This part tackles information sharing needs of different financial entities -

something distinct from either reporting (which takes place between the financial entities and the

competent authorities) or cooperation (among competent authorities).

Information sharing contributes to the prevention of cyber-attacks and the spreading of ICT threats.

Exchanges of information between the financial institutions - such as exchange on tactics,

techniques and procedures (TTPs) and indicators of compromise (IOCs) - help ensure a safe and

reliable ICT environment which is paramount for the functioning of the integrated and

interconnected financial sector.

Questions:

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

39. Do you agree that the EU should have a role in supporting and promoting the voluntary

exchanges of such information between financial institutions?



Yes

Don't know/no opinion

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

The EU has a potential role in facilitating efficient cross-border and cross-sectoral

cooperation in the field of threat intelligence.

In order to fulfill this role, voluntary information sharing by institutions is vital and should

be facilitated and incentivized by EU.

40. Is your organisation currently part of such information-sharing arrangements?



Yes

Don't know/no opinion

To the extent you deem it necessary, please explain your reasoning. If you have answered yes

to the question, please explain how these arrangements are organised and with which

financial counterparts you exchange this information. Please specify the type of information

exchanged and the frequency of exchange. [Insert text box]

The response is given in the capacity of regulator. The Danish FSA has a role as facilitator

of the financial sector implementation of the national cybersecurity strategy. This role is

distinct from the role as a regulator. Information sharing is an integral part of the

cybersecurity strategy.

41. Do you see any particular challenges associated with the sharing of information on cyber

threats and incidents with your peer financial institutions?

Yes



Don't know/no opinion

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

To the extent you deem it necessary, please explain your reasoning. If you answered yes,

please explain which are the challenges and why, by giving concrete examples. [Insert text

box]

The response is given in the capacity of regulator. The challenges of information sharing

for regulators are somewhat different from the challenges faced by financial institutions.

Whereas there are common challenges in the different aspects of confidentiality

requirements, the institutions have a number of additional commercial considerations and

regulators have varying considerations about the legal mandate to share information. These

challenges should be addressed in the proposed level 1 legislation.

42. Do you consider you need more information sharing across different jurisdictions within the

EU?

Yes



Don't know/no opinion

To the extent you deem it necessary, please explain your reasoning and clarify which type of

information is needed and why its sharing is beneficial. [Insert text box]

Information sharing of the kind contemplated in the questions above would imply that

information sharing take place between different jurisdictions.

Apart from threat intelligence, information sharing is beneficial in areas such as best practices

in compliance, risk management, detection, response and recovery.

Promotion of cyber insurance and other risk transfer schemes:

In an increasingly digitalized

financial sector facing an important number of cyber incidents, there is a need for financial

institutions and their supervisors to better understand the role that insurance coverage for cyber

risks can play. Both the demand and supply sides of the market in Europe for cyber insurance and

for other risk transfer instruments should be further analysed.

Questions:

43. Does your organisation currently have a form of cyber insurance or risk transfer policy?

Yes



Don't know/no opinion

If you answered yes, please specify which form of cyber insurance and whether it comes as a

stand-alone cyber risk insurance policy or is offered bundled with other more traditional

insurance products. [Insert text box]

The question is being construed as non-applicable to regulators.

44. What types of cyber insurance or risk transfer products would your organisation buy or see a

need for?

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

To the extent you deem it necessary, please specify and explain whether they should cover

rather first or third-party liability or a combination of both? [Insert text box]

The question is being construed as non-applicable to regulators.

45. Where do you see challenges in the development of an EU cyber insurance/risk transfer

market, if any?

Issues

Yes

Don’t

know/not

applicable

Lack of a common taxonomy on cyber incidents

Lack of available data on cyber incidents

Lack of awareness on the importance of

cyber/ICT security

Difficulties in estimating pricing or risk

exposures

Legal uncertainties around the contractual

terms and coverage

Other (please specify)

To the extent you deem it necessary, please explain your reasoning, by also specifying to the

extent possible how such issues or lacks could be addressed. [Insert text box]

The challenges mentioned above have been identified by EIOPA. The challenges are

addressed in EIOPA’s recently adopted Cyber Underwriting Strategy mentioned in the

following comment.

46. Should the EU provide any kind of support to develop EU or national initiatives to promote

developments in this area? If so, please provide examples.

Yes



Don't know/no opinion

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

EIOPA has recently adopted a Cyber Underwriting Strategy, following the European

Commission Fintech Action Plan. The strategy addresses the challenges mentioned above, as

well as risk management practices i.e. in relation to non-affirmative cyber exposures,

supervisory practices, contractual clauses, mitigation of systemic cyber risk and other relevant

areas. The strategy is aimed at the insurance sector, but strengthening the practices of cyber

underwriting also has an important effect on the management of cyber risk in the financial

sector in general, and in other sectors.

2.6.

Interaction with the NIS Directive

The NIS Directive is the first internal market instrument aimed at improving the resilience of the

EU against cybersecurity risks. Although it has a broad scope (covering different economic areas),

as far as the financial services are concerned, only entities belonging to three financial services

sectors (credit institutions, operators of trading venues, central counterparties) are covered. Entities

from other financial sectors services (for instance insurance and reinsurance undertakings, trade

repositories, central securities depositories, data reporting services providers, asset managers,

investment firms, credit rating agencies etc.) are not in the scope of NIS. Their relevant ICT and

security risk requirements remain covered by their specific pieces of legislation. Even for the three

abovementioned financial sectors which the NIS Directive covers, the

lex specialis

clause allows

the Directive not to be applied whenever EU sector specific legislation has at least equivalent

requirements

Even when the NIS Directive applies to three types of financial services entities this does not mean

that all entities active in those sectors are necessarily covered. The co-legislators have delegated

the precise scope of application of the NIS Directive to the Member States which need to a) identify

operators of essential services and b) establish a list of services

–

which are essential for the

maintenance of critical societal and /or economic activities (one criteria in the process of

identification of operators of essential services). Member States may identify additional services

which they deem to be essential. The identification of ‘operators providing essential services’ is

based on three criteria spelled out in the NIS. The NIS Directive is also a minimum harmonization

directive.

Questions:

47. Does your organisation fall under the scope of application of the NIS Directive as transposed

in your Member State?

Yes



Don't know/no opinion

To the extent you deem it necessary, please explain your situation in this respect. If you

answered yes to the question, please specify the requirements you are subject to, indicating

the financial sector you are operating in. [Insert text box]

48. How would you asses the effects of the NIS Directive for your specific financial organisation?

How would you assess the impact of the NIS Directive on your financial sector - taking into

Article 1(7) of the NIS Directive (“Where sector-specific … requirements are at least equivalent in effect

to the obligations laid down in this Directive, those provisions of that sector-specific Union legal act

shall apply”.)

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

account the 3 specific financial sectors in its scope (credit institutions, trading venues and

central clearing parties), the designation of operators of essential services and the lex

specialis clause?

To the extent you deem it necessary, please explain your reasoning. [Insert text box]

49. Are you covered by more specific requirements as compared to the NIS Directive requirements

and if so, do they originate from EU level financial services legislation or do they come from

national law?

To the extent you deem it necessary, please explain your reasoning and provide details. [Insert

text box]

The questions are being construed as non-applicable to regulators.

[For

financial institutions

established in a Member State that has designated as NIS competent

authority a national authority that is not a financial supervisor]:

50. Did you encounter difficulties based on the fact that in the Member State where you are

established the NIS competent authority is not the same as your own financial supervisory

authority?

Please provide details on your experience. [Insert text box]

51. How do you cooperate with the NIS competent authority in the Member State where you are

established? Do you have agreements for cooperation/MoUs?

Please provide details on your experience. [Insert text box]

The above questions are being construed as non-applicable to regulators.

[For

financial supervisors, designated NIS competent authorities, single points of contact]

The Danish FSA is NCA for OES in the area of banking and financial market infrastructures.

At present, only very few reports in accordance with NIS has been received.

52. Do you receive NIS relevant information in relation to a financial entity under your remit?

Please detail your experience, specifying how this information is shared (e.g. ad hoc, upon

request, regularly) and providing any information that may be disclosed and you consider to

be relevant. [Insert text box]

Reports are received after each incident (ad hoc).

53. Would you see merit in establishing at EU level a rule confirming that the supervision of

relevant ICT and security risk requirements - which a regulated financial institution needs to

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

comply with - should be entrusted with the relevant European and national financial

supervisor (i.e. prudential, market conduct, other etc.)?

Please explain your reasoning [Insert text box]

The very limited practical experiences at present doesn’t warrant any conclusion as to the merit of

such a new rule.

54. Did you encounter any issue in getting access to relevant information, the reporting of which

originates from the NIS requirements (i.e. incident reporting by a financial entity under your

remit/supervision)?

Yes



Don't know/no opinion

If you answered yes, please explain those particular issues. [Insert text box]

55. Have you encountered any issues in matters involving cross-border coordination?

Yes



Don't know/no opinion

If you answered yes, please explain which issues. [Insert text box]

56. What is your experience with the concrete application of the lex specialis clause in NIS?

Please explain by providing, whenever possible, concrete cases where you either found the

application of the lex specialis helpful, or otherwise where you encountered difficulties or

faced doubts with the application or interpretation of specific requirements and the triggering

of the lex specialis. [Insert text box]

The Danish FSA have no cases of application of the

lex specialis

rule in actual decisions.

OTENTIAL IMPACTS

The initiative is likely to create a more secure digital environment in the operation and use of

complex ICT tools and processes underpinning the provision of financial services. It is expected

that such increase in the overall digital operational resilience of the financial institutions (which

encompasses ICT and security risk) would not only benefit the overall financial stability but also

result in higher level of consumer protection and enable innovative data driven business models in

finance.

Questions:

EUU, Alm.del - 2019-20 - Bilag 516: Notat samt høringssvar vedr. Kommissionens høring om modstandsdygtighed overfor cyberangreb i den finansielle sektor

57. To the extent possible and based on the information provided for in the different building

blocks above, which possible impacts and effects (i.e. economic, social, corporate, business

development perspective etc.) could you foresee, both in the short and the long term?

Please provide details. [Insert text box]

58. Which of the specific measures set out in the building blocks (as detailed above) would bring

most benefit and value for your specific organisation and your financial sector? Do you also

have an estimation of benefits and the one-off and/or recurring costs of these specific

measures?

Please provide details. [Insert text box]

59. Which of these specific measures would be completely new for your organisation and

potentially require more steps/gradual approach in their implementation?

Please provide details. [Insert text box]

60. Where exactly do you expect your company to put most efforts in order to comply with future

enhanced ICT risk management measures and with increased safeguards in the digital

environment? For instance, in respect to your current ICT security baseline, do you foresee a

focus on investing more in upgrading technologies, introducing a corporate discipline,

ensuring compliance with new provisions such as testing requirements, etc.?

Please provide details. [Insert text box]

61. Which administrative formalities or requirements in respect to the ICT risks are today the

most burdensome, human-resource intensive or cost-inefficient from an economic

perspective? And how would you suggest they should be addressed?

Please provide details. [Insert text box]

62. Do you have an estimation of the costs (immediate and subsequent) that your company

incurred because of ICT incidents and in particular cyber-attacks? If yes, to the extent

possible, please provide any useful information (in relative or absolute) terms that you may

disclose.

Please provide details. [Insert text box]

The above questions are being construed as non-applicable to regulators.