General Information & Client Service
  • Americas: +1.212.553.1653
  • Asia: +852.3551.3077
  • China: +86.10.6319.6580
  • EMEA: +44.20.7772.5454
  • Japan: +81.3.5408.4100
Media Relations
  • New York: +1.212.553.0376
  • London: +44.20.7772.5456
  • Hong Kong: +852.3758.1350
  • Tokyo: +813.5408.4110
  • Sydney: +61.2.9270.8141
  • Mexico City: +001.888.779.5833
  • Buenos Aires: +0800.666.3506
  • São Paulo: +0800.891.2518
April 10, 2019

ESAs published two pieces of Joint Advice in response to the requests of EC in its March 2018 FinTech Action Plan. One Joint Advice pertains to the need for legislative improvements related to Information and Communication Technology (ICT) risk management requirements in the EU financial sector. The second Joint Advice pertains to the costs and benefits of a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU financial sector.

Regarding the need for legislative improvements, in developing the Joint Advice, ESAs' objective was that every relevant entity should be subject to clear general requirements on governance of ICT, including cybersecurity, to ensure the safe provision of regulated services. Guided by this objective, the proposals presented in the Advice aim to promote stronger operational resilience and harmonization in the EU financial sector by applying changes to their respective sectoral legislation. Incident reporting is highly relevant to ICT risk management and allows relevant entities and authorities to log, monitor, analyze, and respond to ICT operational, ICT security, and fraud incidents. Therefore, ESAs call for streamlining aspects of the incident reporting frameworks across the financial sector. Furthermore, ESAs suggest that a legislative solution for an appropriate oversight framework to monitor the activities of critical third-party service providers should be considered.

Regarding the costs and benefits of a coherent cyber resilience testing framework, ESAs see clear benefits of such a framework. However, there are significant differences on the maturity level of cybersecurity, across and within financial sectors. In the short-term, ESAs advise to focus on achieving a minimum level of cyber-resilience across the sectors, proportionate to the needs and characteristics of the relevant entities. Furthermore, ESAs propose to establish, on a voluntary basis, an EU-wide coherent testing framework, with other relevant authorities (taking into account the existing initiatives) and with a focus on Threat Lead Penetration Testing. In the long-term, ESAs aim to ensure a sufficient cyber maturity level of identified cross-sector entities.

To implement the proposed actions, ESAs highlight the required legal basis and explicit mandate, which is necessary for development and implementation of a coherent resilience testing framework across all financial sectors by ESAs in cooperation with other relevant authorities. EC, in the March 2018 FinTech Action Plan, had specifically requested ESAs to map, by the first quarter of 2019, the existing supervisory practices across financial sectors around ICT security and governance requirements and, where appropriate, to consider issuing guidelines aimed at supervisory convergence and enforcement of ICT risk management and mitigation requirements in the EU financial sector and, if necessary, to provide EC with technical advice on the need for legislative improvements. EC had also requested ESAs to evaluate, by the fourth quarter of 2018 (now Q1 2019), the costs and benefits of developing a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU financial sector.


Related Links

Keywords: Europe, EU, Banking, Insurance, Securities, Fintech, Cyber Risk, ICT Risk, Operational Risk, Fintech Action Plan, Cyber Resilience, ESAs

Related Articles

EP Resolution on Proposal for Sovereign Bond Backed Securities

The European Parliament (EP) published adopted text on the proposal for a regulation of the European Parliament and of the Council on sovereign bond-backed securities (SBBS).

April 16, 2019 WebPage Regulatory News

FDIC Consults on Approach to Resolution Planning for IDIs

FDIC approved an Advance Notice of Proposed Rulemaking (ANPR) and is seeking comment on ways to tailor and improve its rule requiring certain insured depository institutions (IDIs) to submit resolution plans.

April 16, 2019 WebPage Regulatory News

HKMA Decides to Maintain Countercyclical Capital Buffer at 2.5%

HKMA announced that, in accordance with the Banking (Capital) Rules, the countercyclical capital buffer (CCyB) ratio for Hong Kong remains at 2.5%.

April 16, 2019 WebPage Regulatory News

EP Approves Agreement on Package of CRD 5, CRR 2, BRRD 2, and SRMR 2

The European Parliament (EP) approved the final agreement on a package of reforms proposed by EC to strengthen the resilience and resolvability of European banks.

April 16, 2019 WebPage Regulatory News

PRA Seeks Input and Issues Specifications for Insurance Stress Tests

PRA announced that it will conduct an insurance stress test for the largest regulated life and general insurers from July to September 2019.

April 15, 2019 WebPage Regulatory News

PRA Finalizes Policy on Approach to Managing Climate Change Risks

PRA published the policy statement PS11/19, which contains final supervisory statement (SS3/19) on enhancing banks’ and insurers’ approaches to managing the financial risks from climate change (Appendix).

April 15, 2019 WebPage Regulatory News

EC Launches Pilot Phase on Implementation of Ethical Guidelines for AI

EC launched a pilot phase to ensure that ethical guidelines for the development and use of artificial intelligence, or AI, can be implemented in practice.

April 15, 2019 WebPage Regulatory News

EBA Single Rulebook Q&A: First Update for April 2019

EBA published answers to nine questions under the Single Rulebook question and answer (Q&A) updates for this week.

April 12, 2019 WebPage Regulatory News

EIOPA Statement on Application of Proportionality in SCR Supervision

EIOPA published a supervisory statement on the application of proportionality principle in the supervision of the Solvency Capital Requirement (SCR) calculated in accordance with the standard formula.

April 11, 2019 WebPage Regulatory News

FED Updates Form and Supplemental Instructions for FR Y-9C Reporting

FED updated the form and supplemental instructions for FR Y-9C reporting. FR Y-9C is used to collect data from domestic bank holding companies, savings and loan holding companies, U.S intermediate holding companies, and securities holding companies with total consolidated assets of USD 3 billion or more.

April 11, 2019 WebPage Regulatory News
RESULTS 1 - 10 OF 2920