Featured Product

    Governor of Bank of Italy on Addressing Cyber Risk in Financial Sector

    June 06, 2019

    At the G7 Conference in Paris, Mr. Ignazio Visco, the Governor of the Bank of Italy, discussed the ongoing evolution of cyber risk in the financial sector and the ways to address this risk. Mr. Visco highlighted that in cyberspace externalities are not contained within national borders and that the increasing reliance on third-party suppliers who fall outside the jurisdiction of financial authorities is one important source of cyber risk for supervised entities. He outlined cross-industry and cross-border cooperation, issuance of common security standards for hardware and software, and the use of artificial intelligence by supervisory authorities as the means to deal with the increasing cyber-security issues.

  • The information to be provided by a third party seeking authorization to assess the compliance of securitizations with the STS criteria provided for in Securitization Regulation should enable a competent authority to evaluate whether and, to what extent, the applicant meets the conditions of Article 28(1) of the Securitization Regulation. An authorized third party will be able to provide STS assessment services across EU. The application for authorization should, therefore, comprehensively identify that third party, any group to which this third party belongs, and the scope of its activities. With regard to the STS assessment services to be provided, the application should include the envisaged scope of the services to be provided as well as their geographical scope, particularly the following:

    • To facilitate effective use of the authorization resources of a competent authority, each application for authorization should include a table clearly identifying each submitted document and its relevance to the conditions that must be met for authorization.
    • To enable the competent authority to assess whether the fees charged by the third party are non-discriminatory and are sufficient and appropriate to cover the costs for the provision of the STS assessment services, as required by Article 28(1)(a) of Securitization Regulation, the third party should provide comprehensive information on pricing policies, pricing criteria, fee structures, and fee schedules.
    • To enable the competent authority to assess whether the third party is able to ensure the integrity and independence of the STS assessment process, that third party should provide information on the structure of those internal controls. Furthermore, the third party should provide comprehensive information on the composition of the management body and on the qualifications and repute of each of its members.
    • To enable the competent authority to assess whether the third party has sufficient operational safeguards and internal processes to assess STS compliance, the third party should provide information on its procedures relating to the required qualification of its staff. The third party should also demonstrate that its STS assessment methodology is sensitive to the type of securitization and that specifies separate procedures and safeguards for asset-backed commercial paper (ABCP) transactions/programs and non-ABCP securitizations.

    The use of outsourcing arrangements and a reliance on the use of external experts can raise concerns about the robustness of operational safeguards and internal processes. The application should, therefore, contain specific information about the nature and scope of any such outsourcing arrangements or use of external experts as well as the third party's governance over those arrangements. Regulation (EU) 2019/885 is based on the draft regulatory technical standards submitted by ESMA to EC.

     

    Related Links

    Effective Date: June 18, 2019

    Press Release
  • Proposed Rule 1
  • Proposed Rule 2
  • Proposed Rule 3
  • Presentation on Regulatory Framework (PDF)
  • Presentation on Resolution Plan Rules (PDF)
  • In the past, attackers have leveraged vulnerabilities in the IT systems of third parties to strike financial institutions. In the G7 Fundamental Elements For Third Party Cyber Risk Management in the Financial Sector, which was published last year, tenets on the appropriate management of third-party risk were introduced. Work on implementation of these tenets must now be accelerated, said Mr. Visco. When it comes to third parties that operate in regulated sectors, such as energy and telecoms, the different authorities must step up their coordination and cooperation efforts. Within each country there needs to be a cohesive national system of cyber defense that allows different authorities to work together effectively. In this context, governments have a natural role as coordinators. 

    The financial sector remains a prime target and such risks cannot be effectively mitigated by simply mandating supervised entities to follow good practices. Complex attacks can be deployed via obscure tools. Even large financial institutions with excellent (and expensive) defense systems can be lost in the face of cutting-edge threats; they can, of course, work out some of the technical details, but they might miss some of the broader, systemic elements, simply because they ignore relevant information such as precedents that affected other sectors, attacker tactics, and effective defenses adopted elsewhere. This kind of information is generally available only to intelligence agencies and the military. Cross-sector, nationwide as well as international cooperation is, therefore, essential. There needs to be a mechanism in each country that allows appropriate public bodies to coordinate and jointly support, each within its own mandate, the victims of a cyber campaign. In EU, the Network and Information Security (NIS) Directive takes this course.

    Next, he added that cooperation must extend beyond borders, given the nature of many of the attacks and the interconnectedness of the financial system. This will always be a challenge because disclosing vulnerabilities to entities from another jurisdiction might endanger national security. Nonetheless, feasible solutions need to be found for this problem, since this kind of information-sharing might prove crucial for responding to some attacks. He said that the G7 remains the most favorable context for international cooperation—the many achievements of the G7 Cyber Expert Group (CEG) provide a good example of what can be done. The CEG was established in 2015 under the German presidency and it went on to deliver results during the presidencies of four other countries—Japan, Italy, Canada, and France. "We need to persevere on this route," said Mr. Visco.

    According to Mr. Visco, one area that is ripe for more cooperation is the establishment of common security standards for hardware and software, which also covers the growing market for financial technology apps. In EU, a new regulation (which is currently under approval) will introduce a mechanism of cybersecurity certification for many products. This is an important step, but it would be more effective if G7 countries could converge at least on a subset of requirements. "If a service is not safe according to our own laws, it should not be on the market—and there should be a reasonable degree of convergence between laws in like-minded jurisdictions." Finally, he highlighted that artificial intelligence introduces new possibilities in cyber-security. It facilitates the detection and the exploitation of vulnerabilities, which the attackers know; therefore, the attackers are starting to deploy machine learning to analyze and penetrate target systems. Cyber-security companies use the same artificial intelligence analytic tools, with the goal of fixing the weak spots. By the same token, authorities could employ artificial intelligence to ascertain whether supervised entities are meeting mandated security standards on a continuous basis, added Mr. Visco.

     

    Related Link: Speech

     

    Keywords: Europe, EU, Italy, Banking, Cyber Risk, Cyber Security, Artificial Intelligence, Suptech, G7, Cross Border Cooperation, Systemic Risk, Operational Risk, Bank of Italy, BIS

    Featured Experts
    Related Articles
    News

    BSP Tackles Aspects of Lending and Islamic, Open & Sustainable Finance

    The Central Bank of the Philippines (BSP) issued communications covering developments related to online lending platforms, open finance framework and roadmap, and on the expected regulations in the area sustainable finance.

    January 16, 2022 WebPage Regulatory News
    News

    US Agencies Issue Regulatory Updates, FDIC Launches Tech Sprint

    The Board of Governors of the Federal Reserve System (FED) published the final rule that amends Regulation I to reduce the quarterly reporting burden for member banks by automating the application process for adjusting their subscriptions to the Federal Reserve Bank capital stock, except in the context of mergers.

    January 13, 2022 WebPage Regulatory News
    News

    EBA Issues Guide on Bank Resolvability, Consults on Transferability

    The European Banking Authority (EBA) published its assessment of risks through the quarterly Risk Dashboard and the results of the Autumn edition of the Risk Assessment Questionnaire (RAQ).

    January 13, 2022 WebPage Regulatory News
    News

    MFSA Publishes CRD5 Updates and Supervisory Priorities for 2022

    The Malta Financial Services Authority (MFSA) updated the guidelines on supervisory reporting requirements under the reporting framework 3.0.

    January 13, 2022 WebPage Regulatory News
    News

    HKMA Extends Repayment for Trade Facilities, Consults on Crypto-Assets

    The Hong Kong Monetary Authority (HKMA) published a circular, along with the reporting form and instructions, for self-assessment, by authorized institutions, of compliance with the Code of Banking Practice 2021.

    January 12, 2022 WebPage Regulatory News
    News

    FCA Registers Securitization Repositories; PRA Issues 2022 Priorities

    The Financial Conduct Authority (FCA) decided to register European DataWarehouse Ltd and SecRep Limited as securitization repositories under the UK Securitization Regulation, with effect from January 17, 2022.

    January 12, 2022 WebPage Regulatory News
    News

    EC Regulation Sets Out Methods for Measuring K-Factors Under IFR

    The European Commission (EC) published the Delegated Regulation 2022/25, which supplements the Investment Firms Regulation (IFR or Regulation 2019/2033) with respect to the regulatory technical standards specifying the methods for measuring the K-factors referred to in Article 15 of the IFR.

    January 11, 2022 WebPage Regulatory News
    News

    BIS Studies How Platform Models Impact Financial Stability & Inclusion

    The Bank of International Settlements (BIS) published a paper that assesses the ways in which platform-based business models can affect financial inclusion, competition, financial stability and consumer protection.

    January 10, 2022 WebPage Regulatory News
    News

    CBE Issues Additional Measures to Ease Disruptions from Pandemic

    The Central Bank of Egypt (CBE) published a circular with instructions on emergency liquidity assistance to banks that are unable to meet their liquidity requirements.

    January 10, 2022 WebPage Regulatory News
    News

    ESAs Publish List of Financial Conglomerates for 2021

    The European Supervisory Authorities (ESAs) published the list of identified financial conglomerates for 2021.

    January 07, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 7868