NIS in Finance (EG-FI)

NIS support to Financial Resilience

The finance sector is a crucial backbone of the European economy and, like many other sectors, it is increasingly dependent on ICT infrastructures, providers and their supply chain. The importance of ICT security and resilience for the finance sector has grown considerably, and protecting automated inter-banking transactions, and more generally all types of communications, has become both more critical and more complex.

A stable financial system in Europe is the underlying foundation of economic stability, and the sector's reliance on IT is now critical to its survival.

Technical cooperation between the key actors of the finance sector at pan-European level has become an urgent need as the sector faces stronger and larger-scale challenges. The current silo approach to protecting banks and financial institutions has many drawbacks, such as:

    • the implementation of a multitude of security and technical standards that are difficult to maintain;
    • the loss of interoperability;
    • the impossibility of implementing safe harbouring and mutual-aid assistance;
    • the hosting of a greater variety of system types, each of them less secure;
    • a general vulnerability to cyber attacks.

The purpose of enabling the banking sector to work together on this matter is to build a more secure and more resilient inter-banking communications system.

Establishing the Expert Group for Finance NIS (EG-FI)

Context

The creation of the EG sends the message that increased cooperation, sharing of ex-post analyses, mutual-aid strategies and a risk-management focus on this new type of threat are the most appropriate answer, and a better response than improving defences in silos.

The purpose of this EG is therefore to:

  • Raise the finance sector's awareness of ICT risks through the engagement of the IT security staff and management of banks, central banks, national supervisors etc.
  • Promote good practices and control assurance at organisational level.
  • Develop minimum security measures for both ICT infrastructures and message-processing applications.
  • Develop security measures specific to bank profiles (investment, private banking, retail).

Such work would typically be founded at policy level. We note, however, a number of barriers that the EG needs to understand and address:

    • National regulations need to be taken into account where they already establish obligations of any kind.
    • Pan-European baselines must be applicable to cross-border transactions.
    • Security of ICT for communications with branches or competitors located outside the EU might be problematic.
    • Commitment to these goals must translate into impact: adherence to industry standards and good practices for proper security governance of finance-sector ICT.

Understanding the Finance Sector's concerns in NIS

A tender was launched in 2013 to better understand the situation in Europe:

  • An initial stock-taking of national regulations and/or indirect regulatory obligations set by regulators for FI-ICT.
  • A stock-taking of private initiatives.
  • Definition of a structure allowing the further development of minimum security measures (technical) and security baselines (organisational).

Roadmap

In 2013, a first approach to the community was made:

  • Preparatory work was done and presentations were given at the European central banks' annual IT Sounding Board in Athens on 22 May 2013;
  • ENISA participated in EBA's "Cross-Sector seminar on IT Assessment / IT Supervisory" meeting, held on 25 October 2013 in Amsterdam.

The EG was formally launched on 17 July 2014.

Expert Group for Finance ICT (EG-FI)

In order to better understand the possible areas of work for securing financial networks, we can subdivide the overall objective into smaller logical units of work (LUW) that can be prioritised and addressed separately.

For more information, please contact Lionel Dupré (lionel.dupre@enisa.europa.eu).