EU Seeks Authority to Cut Off Banks’ Tech Suppliers if Found Wanting on Cybersecurity
Proposed legislation would stop banks and financial firms from using IT services that present risks, and would standardize cyber regulation across Europe
Banks and other financial institutions could be forced to cut ties with cloud providers and other technology suppliers under a draft European Union regulation that aims to limit cybersecurity risks to the sector.
National regulators in EU countries could require banks to stop using external technology services if their providers fail to fix cybersecurity problems identified in government inspections. The bill goes beyond existing European legislation mandating cybersecurity rules for the finance sector by requiring technology suppliers to also undergo regulatory scrutiny.
Under the proposed rules, authorities can recommend cybersecurity changes to technology providers, which must respond within 30 days on whether they plan to follow the recommendations. Regulators would then monitor whether financial firms have taken those risks into consideration, and can require them to suspend or stop using a company’s services.
“It could be a massive, massive headache,” said Richard Parlour, chief executive of law firm Financial Markets Law International.
The draft legislation aims to close gaps in the different ways European countries regulate cybersecurity in the financial sector. Inconsistencies in the way financial firms report cybersecurity incidents to authorities and do security tests can be particularly harmful for the finance sector because of its dependence on technology, it says.
Existing European laws already require financial firms to ensure their suppliers respect data privacy and security requirements, including the General Data Protection Regulation, regulations affecting the financial sector and legislation requiring critical infrastructure operators to report cyber incidents to regulators. The new proposal would be the first law giving regulators the power to stop banks’ contractual agreements with technology providers, experts say.
The European Commission, the EU’s executive body, proposed the legal changes last month. They would take effect after negotiations between EU national governments and the European Parliament, which haven’t started yet and can take several months or even years. Details of the regulation could change during that process.
Regulators’ decisions to stop banks from using certain suppliers will depend on several factors, including how serious their cybersecurity problems are and whether they have enabled financial crime, the proposal says.
The rules could give financial companies more leverage in negotiations with technology providers, said Ahmed Baladi, a partner in the Paris office of law firm Gibson, Dunn & Crutcher LLP.
To prepare for the legislation, financial firms should review their contracts with cloud or other technology suppliers, Mr. Baladi said. “You don’t want to wait to the last minute to be forced to terminate your contract,” he said.
The proposed legislation also encourages financial firms to exchange information about cyberattacks targeting the sector, for example by participating in groups created for that purpose.
Legal and compliance officials at financial institutions are often wary about providing information on cybersecurity risks to companies in other countries, said Ray Irving, managing director of global business at the Financial Services Information Sharing and Analysis Center, a nonprofit group. Companies in Europe have lacked clear legal rules about whether they can send certain kinds of information to other countries, he added.
“Legislation like this encouraging sharing is helpful because it’s basically saying, ‘This is OK, legal teams, for your IT security folks to collaborate’,” he said.
By Catherine Stupp, October 6, 2020, Published on The Wall Street Journal