Newsroom

In the spotlight: Cybersecurity

Peter Kerstens examines some of the policy questions surrounding the issue of cybersecurity.


date:  25/11/2015

That cybersecurity is a top concern for the financial sector requires little argument. Hardly a week goes by without an incident; according to the cybersecurity company Websense Security Labs, 300% more attacks occur in the financial sector than in other areas. Financial services offer an unrivalled wealth of information that can be exploited for commercial gain. Here, Peter Kerstens, adviser on financial sector cybersecurity at the European Commission, examines some of the policy questions around cyber resilience.

Greater damages

First, let us compare a cyberattack with a conventional robbery. The largest robbery on record is perhaps the 2007 €250 million Dar El Salaam Bank robbery in Baghdad. Cyber statistics are harder to obtain, but the reported damage is often valued at hundreds of millions of euro or more.

However, cyberattacks should not be measured only in euros, because they target more than money. Personal, commercially sensitive or transaction data can be stolen for espionage or illicit trading. Data may be altered and essential infrastructure compromised for hacktivist or geopolitical motives. Whatever the motive, cyberattacks undermine confidence, destroying trust and reputation. They are costly to defend against, and the resulting damages can dwarf the original incident.

Cybersecurity is arguably the business management risk of our age. Information security can therefore no longer fall only to the IT department or the Chief Information Officer. Cybersecurity has a considerable impact on core business processes, from customer perception and trust to resilience, stability and shareholder value. IT security increasingly determines companies' ability to compete. CEOs and senior management must be on board.

From a regulatory perspective, IT security forms part of the management of operational risk. The financial sector is often seen as sophisticated compared to others. This is no reason for complacency, however, given the compromises still routinely faced and the fact that it has arguably taken the cyber threat to bring operational risk management of age.

Coordinated approach

There is little doubt that the potential consequences of a cyberattack on a systemic institution or critical infrastructure are focusing policymakers' minds, both in the EU and among our main trading partners. A coordinated approach is therefore also necessary, as cyber risks have little regard for national borders. Firms themselves operate in multiple jurisdictions too and must be able to manage their risks coherently. Individual or uncoordinated approaches increase costs, can be ineffective or incompatible, and risk simultaneously segmenting markets and undermining the very security they seek to ensure.

For policymakers, the first step is to understand the true threat posed by cyberattacks. We need to understand the issues and the potential responses open to us, and we should talk to partners in other parts of the world. Do we need a more enabling framework to support industry's and supervisors' defences? Should we adopt a quantitative approach to absorb the financial consequences of an attack, or a qualitative approach focused on cyber prevention, detection, recovery and repair? What role could insurance play? What is the link between the location of data and infrastructures and security? Should firms' vulnerabilities be tested systematically? These are just some of the questions that policymakers are studying. Careful analysis is important to ensure the best policy response in the interest of cybersecurity and within the context of our combined ambitions for the Single Financial Services market, the Digital Single Market and the Capital Markets Union.
