Period: 2014
URL: Network and Information Security in the Finance Sector – Regulatory landscape and Industry priorities
Description:
Securing cyberspace and electronic communications has become both a governmental and an industry priority worldwide. The growing relevance of information and communication technologies to the essential functions of the economy has reinforced the need for prevention and protection measures in all sectors, naturally including the finance sector. This research aimed to understand and compare the information security obligations that apply to the finance sector in most of the EU28 Member States, to compare them with the industry's expectations, and to draw a clear picture of the important priorities for the future. In order to understand the differences between the regulatory approaches and the priorities of the industry, a combined stock-taking approach was used, including:
– desk research, used to identify national requirements related to ICT security;
– interviews with national financial supervisory authorities (NFSAs) on information security obligations and standards;
– an online questionnaire, used to collect information from industry representatives.
The analysis revealed the following key aspects:
– convergence of regulations appears to be a desirable objective, in order to reduce both the heterogeneity of security levels and the overlap of prescriptions in the field;
– compliance costs for companies established in several countries can be burdensome;
– defining operational standards would be more effective for raising security levels than issuing new high-level prescriptions;
– international cooperation on security issues in the field may be the most feasible way to define common and appropriate guidelines.
Based on the information collected, further research will be required to comparatively assess the costs and benefits of different potential scenarios for improving information security baselines in the finance sector.
This report issues four main recommendations: EBA and ENISA should consolidate scattered NIS obligations into supervisory guidelines; ENISA should establish guidelines on how NIS supervision practices in the finance sector apply by extension to its supply chain, including cloud providers that operate financial services; ENISA should establish guidelines summarising the key conditions for the adoption of cloud-based applications or services in the finance sector; and ENISA should support the ECB and the ESFS (EBA, ESMA, EIOPA) in organising regular and voluntary NIS stress tests in the finance sector, the purpose being to identify, where possible, black swan risks and to uncover "unknown unknowns" to the greatest extent possible.