Banks: what EU regulations do they have to comply with?
Banking institutions are subject to many laws and regulations that regulate the management of cybersecurity.
A highly regulated sector
Not all companies in the financial sector are covered by the regulations discussed in this article, but because the sector is heavily targeted by cybercriminals, its interest in cybersecurity is high. Other frameworks (such as the ISO standards) also have significant consequences for entities in the sector.
As this article is not intended to be exhaustive, our analysis focuses on the regulations currently in force, to give a first overview of the legal framework surrounding banks. In our view, properly applying the practices that law and regulation impose or recommend is a crucial starting point for protecting against cyberattacks.
Banks: European Union cyber regulations
The NIS Directive
At the European level, the Network and Information System Security (NIS) Directive, adopted on July 6, 2016, aims to ensure a high level of security common to all IS and networks in the European Union member states.
Because of the negative impact that a disruption of banking services could have, banks must now comply with obligations regarding the security of their information systems and networks. These obligations cover four areas: security governance, protection of networks and IS, defense of networks and IS, and business resilience.
The General Data Protection Regulation (GDPR)
The GDPR frames the processing of personal data in the European Union. Banking data is specific and sensitive information that must be treated with particular vigilance.
To address the risks of loss of integrity or data leakage, the various players in the sector need to implement security measures such as encryption of data in transit and at rest.
The second Payment Services Directive (PSD2)
The second Payment Services Directive (PSD2), which has been in force in the European Union since January 13, 2018, includes a set of regulatory provisions aimed at strengthening payment security.
In particular, PSD2 requires strong authentication for the following operations: access to the online payment account, electronic payment transactions, and actions carried out through a remote channel that presents a high risk of fraud (e.g., registering a new transfer beneficiary in one's online bank account).
The financial sector and cybersecurity: international regulations
The Sarbanes-Oxley Act (SOX or SARBOX)
Internationally, the Sarbanes-Oxley Act, passed in 2002 by the U.S. Congress, aims to protect shareholders and the general public against accounting errors and fraudulent practices, and also to improve the accuracy of the information companies publish. The SOX Act is extra-territorial: it applies to all European subsidiaries of American groups, to companies operating in the United States and to companies listed on a U.S. capital market, regardless of their nationality, as well as to their foreign subsidiaries.
The SOX Act (also known as SARBOX) addresses computer security from the angle of the accuracy and integrity of financial information. Under its Section 302, the law requires quarterly audits, including an IT security component.
The Basel Accords
The Basel Accords are banking regulation agreements. Drawn up by the Basel Committee and signed in the city of Basel (Switzerland), they require banks to guarantee a minimum level of equity capital to ensure their financial soundness.
The Basel Accords’ IT security section requires both regular reporting and crisis management exercises to simulate all risk situations and test the solidity of banks.
Cybersecurity of banking data: best practices
In addition to these laws and regulations, good security practices stem from the ISO 27000 standards, from the French National Agency for the Security of Information Systems (ANSSI), and from the Cybersecurity and Infrastructure Security Agency (CISA) in the USA. Among those we consider most important are:
- regular staff awareness campaigns;
- regular review of access rights;
- regular IS risk mapping;
- the implementation of detection and monitoring systems;
- logging and analysis of logs;
- automatic update of threat detection cases related to new vulnerabilities.
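Two of the practices in the list above, the regular review of access rights and the analysis of logs, are easy to show concretely. The Python below is an added example written for this article, not code from the author, ANSSI, CISA or any bank. It assumes a hypothetical entitlement export (user, role, granted rights, last login) and a hypothetical authentication log format; both the data and the per-role reference model are constructed for the demo. The review flags rights that exceed what a role should hold and accounts idle for more than 90 days; the log analysis flags source addresses with repeated failed logins inside a short window, which is the kind of detection case a monitoring system would carry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement export (hypothetical format, demo values only).
ACCOUNTS = [
    {"user": "alice", "role": "teller", "rights": {"accounts:read"}, "last_login": "2024-03-01"},
    {"user": "bob", "role": "teller", "rights": {"accounts:read", "transfers:approve"}, "last_login": "2024-02-20"},
    {"user": "carol", "role": "contractor", "rights": {"accounts:read"}, "last_login": "2023-10-05"},
]

# Reference model: the rights each role is entitled to (an assumption for the demo).
ROLE_MODEL = {
    "teller": {"accounts:read"},
    "contractor": {"accounts:read"},
    "branch_manager": {"accounts:read", "transfers:approve"},
}

# Constructed authentication log lines (hypothetical format).
LOG_LINES = """\
2024-03-02T10:00:01Z auth user=alice src=10.1.2.3 result=OK
2024-03-02T10:00:05Z auth user=bob src=203.0.113.9 result=FAIL
2024-03-02T10:00:06Z auth user=bob src=203.0.113.9 result=FAIL
2024-03-02T10:00:08Z auth user=alice src=203.0.113.9 result=FAIL
2024-03-02T10:00:09Z auth user=carol src=203.0.113.9 result=FAIL
2024-03-02T10:30:00Z auth user=bob src=10.1.2.4 result=FAIL
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def review_access(accounts, role_model, review_date, max_idle_days=90):
    """Access-rights review: return (user, finding, detail) tuples for rights
    beyond the role model and for accounts idle longer than max_idle_days."""
    findings = []
    for acct in accounts:
        allowed = role_model.get(acct["role"], set())
        excess = acct["rights"] - allowed
        if excess:
            findings.append((acct["user"], "excess_rights", sorted(excess)))
        idle = review_date - datetime.strptime(acct["last_login"], "%Y-%m-%d")
        if idle.days > max_idle_days:
            findings.append((acct["user"], "stale_account", idle.days))
    return findings


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Log analysis: source addresses with at least `threshold` failed logins
    inside any sliding window of length `window`. Unparseable lines are skipped."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        failures[m["src"]].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, ROLE_MODEL, datetime(2024, 3, 2)):
        print("access review:", finding)
    print("failed-login bursts from:", sorted(failed_login_bursts(LOG_LINES)))
```

In a real review the role model would come from the bank's authorisation matrix and the export from the identity system, but the logic stays the same: every granted right is justified by a role, and every account is either in use or removed. The log check is deliberately a sliding window rather than a plain count, so a few failures spread over a day are not confused with a burst.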
An analysis by Ibrahima Sene, a cybersecurity consultant at Orange Cyberdefense France.