In the modern digital world, where there is cybermoney, there are also cyberattackers. According to IBM, the finance and insurance sector has now been the single most attacked industry for four years in a row (with 17 per cent of all attacks in the top 10 attacked industries in 2019). This is hardly surprising, given that ‘digital’ is the de facto trend in finance, where digital financial services are seen as one of the key drivers of greater financial inclusion. The World Bank reports that between 2014 and 2017 the number of adults using digital payments increased from 41 to 52 per cent and the share of adults with an account has grown from 62 to 69 per cent. This translates into half a billion new users connected to the digital financial infrastructure as well as a half a billion new targets for cyberattackers.
Even if cybersecurity risk is but one form of operational risk, until recently, rules relating to cyber-resilience rarely took the form of dedicated cybersecurity instruments and, instead, were generally included in other regulations (for example, on data protection).
Over the past several years, the cybersecurity regulatory landscape has undergone substantial changes. New laws and regulatory instruments focusing exclusively on cyber-resilience in the financial sector have been adopted in a number of jurisdictions, including the EU, Hong Kong, Russia, the USA, and Singapore. Cybersecurity has also become the focus of international rules and recommendations adopted by numerous organisations, including the BCBS, CPMI, FSB, G7, IAIS, IMF, IOSCO, OECD, and the World Bank Group. Nonetheless, the apparently high international interest in possible harmonisation of cybersecurity regulatory regimes has not yet translated into hard international law.
In the absence of an agreed international approach, the new cybersecurity rules vary significantly across jurisdictions. My recent article (‘Cybersecurity Regulation in the Financial Sector: Prospects of Legal Harmonization in the European Union and Beyond’) published in the Uniform Law Review critically analyses and compares these emerging legal frameworks in Europe, Asia, North America, and Australia.
The two major regulatory trends include (i) decoupling of cybersecurity rules from general operational risk management provisions and (ii) increasing sophistication of the regulatory regime. They stem from acknowledging the unique characteristics of cyberthreats, which are persistent, dynamic, intelligent, and adaptive. Nonetheless, the same unique characteristics require regulators to take a different approach by encouraging flexibility and continuous improvement of cybersecurity measures to avoid playing catch up with the development of technology (a game regulators are not always good at, to say the least).
The article analyses how the new legal frameworks in selected jurisdictions struggle to cope with five recurring challenges in designing cybersecurity rules for the financial sector. First, bespoke cybersecurity rules are often obscure, and the expected degree of compliance remains uncertain. Second, the general focus on cyber governance can conceal practical deficiencies (such as lack of resources or poor understanding of the relevant risks) behind the curtain of measures meant to remain on paper. Third, in relation to cyber defences (such as encryption), the main underlying challenge lies in achieving an adequate level of specificity, without being overly prescriptive in relation to the technology used, or providers engaged. Fourth, the recovery measures required by the law (such as back-up systems) often fail to account for the special characteristics of cyber threats (which can nullify the benefits of such measures). Fifth, enforcement of cybersecurity rules is fraught with difficulties like inefficiency of establishing strict liability offences, overlapping regulations and lack of specificity in principles-based provisions.
I argue that disjointed legal frameworks governing cybersecurity in finance call for international harmonisation, for three main reasons. First, harmonisation is necessary to deal with numerous regulatory overlaps, such as different reporting requirements for the same incidents. Second, an international response is needed to address the cross-border nature of cyber threats. Third, harmonisation can provide useful guidance for those legislatures and regulators which currently lack cybersecurity expertise and may look for an internationally accepted set of rules.
The article concludes with practical recommendations concerning the scope of future harmonisation of cybersecurity rules in finance at two levels: (i) de minimis requirements (such as unified reporting obligations) and (ii) requirements extending beyond the baseline (including threat-based penetration testing, licensing and certification of cybersecurity services, cyber intelligence sharing and regulation of third party service providers).
Yet, regardless of the scope and type of any upcoming harmonisation, the future of cybersecurity regulation in finance is fraught with certain challenges that are unlikely to be easily resolved. These include, but are not limited to, the need to keep the regulatory requirements up-to-date and the ever-relevant question, ‘Quis custodiet ipsos custodes?’ (‘Who will watch the watchers?’). After all, past events have made it very clear that even financial regulators are not immune to cyberthreats: over a dozen central banks have become victims of successful cyberattacks in recent years.
Anton Didenko is a Research Fellow at the Faculty of Law, UNSW Sydney, Australia.