Down to the wire
How financial institutions must
manage cybersecurity threats
Financial services regulators are getting serious about cybersecurity
as systemic threats come to the fore. What do financial institutions
need to do now? And what’s next?
We’re in the midst of a global storm of activity by financial regulators on cybersecurity. For
years there have been some generally applicable cybersecurity laws, but only a few directed
specifically at financial institutions. The few laws focused on financial services were patchy –
applicable to some businesses but not others, governing this activity but not that one. Then, in
just the past few months, all that has changed.
The most dramatic activity is happening in the United States and the United Kingdom. In
September, New York’s banking regulator proposed across-the-board cybersecurity standards for
financial institutions. Meanwhile, in the UK, the Treasury, the Financial Conduct Authority
(FCA), and Parliament have been hastily exchanging letters about ensuring the cyber safety of
banks. Also in September, the FCA’s Director of Specialist Supervision outlined the UK
regulator’s approach to cybersecurity. Then in October, the council of US federal banking
regulators, the FFIEC, proposed new cyber security rules for systemically important financial
institutions. Finally, the United States’ money laundering watchdog, FinCEN, advised financial
institutions on the need to report cyber incidents as part of their anti-money laundering
It’s not just the United States and the United Kingdom. In October, the G7 issued its
Fundamental Elements of Cybersecurity for the Financial Sector – ostensibly a guide for
financial regulators but in reality a set of expectations for financial institutions. The guide was
prepared by an international group of experts, and chances are good that countries worldwide
will take the G7’s Elements seriously and implement them, at least in some form. The G7’s
Elements followed guidance on cyber resilience for financial market infrastructures produced
jointly by the Committee on Payments and Market Infrastructures (CPMI) and the Board of the
International Organization of Securities Commissions (IOSCO). That self-styled “landmark
report,” released in June, was the first internationally agreed-upon guidance on cybersecurity
for the financial markets industry.
We’re also seeing cybersecurity developments that, although not specific to the financial sector,
will pose special challenges for the sector. In August, the EU enacted the Network Information
Security Directive, which will force member countries to enact their own cybersecurity laws.
Some countries, like Germany, had already enacted cybersecurity requirements of their own
and continue to enact new requirements. In addition, the German government just published
November 21, 2016
Freshfields Bruckhaus Deringer LLP Down to the wire
its revised cybersecurity strategy and is pushing to specify the scope of the IT Security Act for,
among other things, the financial sector. (Indeed, Germany’s revised cybersecurity strategy
mentions the current risk for financial institutions as one of its key drivers.) China’s new
cybersecurity law imposes detailed requirements for operators of “critical information
infrastructure,” which includes financial systems. And the Chinese banking and insurance
regulators are expected to announce further requirements soon. In Singapore, a cybersecurity
bill is expected to be introduced into Parliament next year, which is likely to have profound
effects on Asia’s financial sector. In the meantime, the Monetary Authority of Singapore is
driving strict standards.
It’s time for financial institutions to take stock. What should financial institutions do today to
prepare for these proposed and anticipated requirements? And where does this newest round of
regulation fit into the overall trajectory of cybersecurity law? What’s next?
What to do today?
These newest cybersecurity regulations represent a convergence of approach across regulators
and even across jurisdictions. This approach reflects the recognition that a good cybersecurity
system is a system that constantly reassesses what kinds of information and computer systems
a business relies on, who might mount attacks against those systems, what kinds of
vulnerabilities the systems have to those attacks, and how best to prevent and respond to
attacks. So financial regulators are quite rightly not attempting to micromanage the technical
aspects of cybersecurity. As the Bank of England has emphasized, cyber risk is “not just for
technology specialists.” China’s security standards released to date have, on the other hand,
been more prescriptive. (More on this later.) What’s more, although different regulators use
different names and groupings to describe the important elements of cybersecurity, they
broadly agree on what those elements are. We use the G7’s taxonomy for simplicity:
Cybersecurity strategy and framework
At the most general level, regulators want financial institutions to create cybersecurity
strategies and frameworks that reflect the specific cyber risks that financial institutions face.
That means written policies adopted after a thorough analysis of the company’s information
needs and assets, the threats to them, their vulnerabilities, internal dependencies, external
dependencies . . . in short, a full picture of what could go wrong and how. Critically, these
strategies also need to reflect the company’s judgments about how much cybersecurity risk it is
willing to take. And if one FFIEC proposal is adopted, then financial institutions regulated in the
United States will need to state these risk tolerances quantitatively. (We’ll return to this later.)
All of these proposed regulations envision a major role for the Board of Directors. The Board of
Directors is ultimately responsible and needs to be involved in adopting the institution’s
cybersecurity strategy. Nor can its involvement be a rubber stamp. Increasingly, there are
proposals to require Boards of Directors to have members with cybersecurity expertise, or at
least to have staff or advisers with such expertise. As the FFIEC would have it, directors must
have the “ability to provide credible challenge to management in matters related to
cybersecurity and the evaluation of cyber risks and resilience.”
Below the Board, regulators seem inclined to require the three-lines-of-defense model – a
familiar concept in the world of financial institution compliance. That means that
businesspeople need to provide a first line of defense against cyber threats. (And rightly so: A
recent Accenture study found that a surprising number of hacks are detected by employees
other than IT personnel.) Next, a risk management function, independent from the business
and reporting directly to the Chief Risk Officer, provides a second level of defense. In most cases
this will be a Chief Information Security Officer (CISO), and several regulators are specifically
requiring the appointment of a CISO. Finally, integrating cybersecurity into financial
institutions’ regular audit programs provides a third level of defense.
Training is critical. Perhaps leading the way on this, the Hong Kong Monetary Authority has
introduced standardization in the form of a cybersecurity training and certification scheme,
intended to provide a kind of “gold standard” level of competence for cybersecurity
professionals in the Hong Kong banking industry.
Importantly, these responsibilities and corresponding reporting lines need to be documented in
detail in firm policies.
Risk and control assessment
Firms’ cybersecurity strategies need to reflect a robust and continuous assessment of cyber risk
and controls. As discussed above, that broadly means understanding what could go wrong – and
how badly. As the G7 puts it, companies should “evaluate the inherent cyber risk” and then
“identify and assess the existence and effectiveness of controls to protect against the identified
risk to arrive at the residual cyber risk.”
To look at the FFIEC’s follow-up proposal in this regard, one of the more notable aspects is that
it requires not only consideration of the risks to each financial institution, but also the risk that
each financial institution poses to its counterparties and the system at large. In other words, if
your bank is hacked, how does that endanger everyone else?
Another notable aspect of the FFIEC’s proposal is the quantification of cybersecurity risks. As
the FFIEC admits, there isn’t any generally accepted way of measuring cybersecurity risks.
Indeed, this has been a major difficulty in establishing cybersecurity insurance products; it’s
also posed a challenge for buyers seeking to measure the cyber risks of acquisition targets.
Monitoring, response and recovery
Since it’s a certainty that hackers will target financial institutions, those institutions need to be
able to respond. The first step is having capabilities to monitor their systems in real time to detect
attempted cyber attacks. Once detected, they need to stop the attack and restore systems to
operational status. The FFIEC even proposed requiring certain banks and certain systems to
adopt a “recovery time objective” – that is, the time between attack and restoration of normal
service – of as little as two hours. The CPMI-IOSCO guidance similarly calls for safe resumption
within two hours, as well as settlement of affected transactions by the end of the day of the
The key to effective response, of course, is advance planning and rehearsal. That’s why these
regulations all require financial institutions to adopt response plans detailing responsibilities,
escalation protocols, containment procedures and communication strategies. (These include
notification to data subjects, reporting to authorities and disclosure to investors or the greater
Information sharing and continuous learning
Another common element of proposed regulations is information sharing. Regulators firmly
believe that sharing insights between all participants (including public authorities) is essential
to improve the level of cybersecurity. It may deepen the understanding of vulnerabilities and
the effects of attacks, providing a better basis to address and react to cyber risks.
Finally, cybersecurity is no static theme; rather, cyber threats and vulnerabilities evolve rapidly.
Therefore, regulators expect companies to be quick to react. In addition, the composition of the
financial sector changes over time. Therefore, it is not enough to simply set up a cybersecurity
system and then forget about it. Rather, regular review is necessary.
A word on China
As noted above, China may represent something of an outlier. Although its new cybersecurity
law contains many of the same high-level requirements that we see elsewhere, it also contains
requirements that are more prescriptive and technical. For example, one requirement is to store
the personal data of Chinese customers, and other “important business data,” only within
China. Some financial services companies have concluded that they will need to segregate the
systems of their Chinese operations to be compliant. And even more technical requirements are
expected to be released soon.[1]
Looking down the road, is there another wave of cybersecurity regulation facing financial
[1] For more on China’s new law, see our recent publication at http://www.freshfields.com/en/global/digital/
institutions? To understand the trajectory of financial-sector cybersecurity regulation, let’s step
backwards to understand where this recent activity fits within the longer history of
The earliest wave of financial institution cybersecurity regulation was barely about
cybersecurity at all. Rather, it was about the privacy of customer data. Cybersecurity was almost
an afterthought – just a means to the greater end of privacy. In the United States, for example,
we saw laws like the Gramm-Leach-Bliley Act of 1999. Of course, this wave of regulation wasn’t
specific to financial regulation. Although particular laws and regulations were specific to
financial customer data, this era simultaneously saw similar laws relating to medical data and
children’s data, among other things.
Similarly, the next wave was not quite about cybersecurity itself, but instead about how
companies disclose cybersecurity risks to investors. The US Securities and Exchange
Commission, for example, advised public companies to identify specific cybersecurity risks –
and major incidents – to investors. Again, it wasn’t just about financial institutions; the
requirement applied to any public company.
Cybersecurity for real
What we’re seeing now – the current wave – is actual cybersecurity regulation. You might say
it’s cybersecurity for cybersecurity’s sake. Where previous waves of regulation were aimed at
protecting consumers and investors, this third wave is about protecting financial institutions
themselves, and for the ultimate goal of ensuring the stability of the financial system as a
whole. As the FFIEC put it: “Due to the interconnectedness of the US financial system, a cyber
incident or failure at one interconnected entity may not only impact the safety and soundness
of the entity, but also other financial entities with potentially systemic consequences.”
The EU’s Network Information Security directive shows this systemic approach in action.
Member countries will have to designate and regulate essential service providers – that is,
sectors and businesses which are crucial to the country’s economic and social infrastructure.
The financial industry is certainly one of those sectors. In France and in Germany, national
regulation has been enacted which implements this approach.
In the UK, the FCA has recognized that an attack on even a small financial services firm could
have a “ripple effect” across the whole financial sector and across business generally. It has
therefore described cyber resilience as “a matter of priority,” and has created a specialist team
to lead on this area of work. It has undertaken resilience exercises with the industry and with
other regulators, and has already introduced voluntary vulnerability tests (e.g., the CBEST
scheme) for large financial services providers.
Of course, the desire of regulators to ensure stability in the financial sector is nothing new. The
collapse of Lehman Brothers highlighted the dangers of contagion in the financial system. Since
then, regulators have been committed to preventing the collapse of even a single important
financial institution. Recovery and resolution planning has been the name of the game for
years in North American and European jurisdictions, and is now being adopted in numerous
jurisdictions in Asia. So it should come as no surprise that regulators are demanding that
financial institutions engage in robust cyber-incident planning.
The fact that we’re seeing a wave of specific cybersecurity regulation at this precise moment,
though, is probably the result of several other factors. Public awareness of the risks posed by
hackers has reached new levels during the past two years. Last year’s hack of RBS’s systems –
and the resulting collapse of several of its consumer systems – highlighted the risk to business
continuity for individual banks. This year’s so-called SWIFT hacks (actually hacks of member
banks) raised questions about the integrity of wire transfer systems.
The rise of Fintech and its myriad applications that target the mass market, such as mobile
payments, peer-to-peer lending and crowdfunding, has brought more consumers than ever into
direct contact with financial technology. As financial institutions incorporate new and
innovative Fintech applications into their businesses, ensuring the security of this new
technology is crucial.
Taking all of this into account, the time was ripe for financial services regulators to get serious
The third wave isn’t entirely new, of course. National authorities around the globe have been
looking at cybersecurity at banks for years as part of supervision and examinations, and have
issued a number of guidelines. For example, the FFIEC has encouraged banks to follow its
Cybersecurity Assessment Tool since it was created last year. And the US CFTC’s Systems
Safeguards Rules have long applied to certain trading platforms and market facilities. So what
we’re seeing now is, in many respects, the crystallization of these earlier efforts. What’s new is
that regulators are turning these nascent efforts into binding rules and applying them more
broadly to financial institutions.
What remains to be done?
If we want to predict where cybersecurity regulation might go next, a good starting place is to
ask whether the current wave of regulation is over or if there’s more left. The current goal is to
ensure the resilience and continuity of financial institutions and the financial system as a
whole. But no matter how good a company’s defenses, there will always be some risk that a
hack may be bad enough to bring down a bank. That raises the specter of contagion. And that
suggests that one avenue for future cybersecurity regulation could be to elevate the prominence
of cybersecurity in banks’ resolution planning. Indeed, the FFIEC is already proposing
something that looks a lot like resolution planning: a requirement for “secure, immutable, offline
storage of critical records, including financial records of the institution . . . to allow for
restoration of these records by another financial institution, service provider, or the FDIC in the
event of resolution.” Even more stridently, the FFIEC has proposed “a requirement that covered
entities establish plans and mechanisms to transfer business, where feasible, to another
entity . . . if the original covered entity or service provider is unable to perform” as a result of a
Another possibility is that governments will demand that financial institutions (or other
entities, for that matter) share cybersecurity intelligence with other entities and with the
government. Central governmental authorities need this information to mount defenses and
protect the financial system as a whole. Again, the US, UK, and German governments have each
already taken steps in this direction. In particular, the UK’s FCA and Germany’s BaFin have
made it clear that they expect financial services firms to inform them of material cyber
breaches. The FCA also encourages firms to share relevant information with each other via a
dedicated government platform – the Cyber Information Sharing Partnership. In Germany,
several private sector initiatives have been launched in the last few years which include
congresses, expert forums, associations and sharing platforms. As an example, the Alliance for
Cyber Security, an initiative of the Federal Office for Information Security (BSI) founded in
cooperation with the Federal Association for Information Technology, Telecommunications,
and New Media (BITKOM), provides background information and security solutions and
supports the exchange of information and experience in the field of cyber security. The
emphasis is not just on repelling individual attacks but on identifying broader patterns and
protecting the industry as a whole. This is in keeping with the government’s repeated public
commentary regarding the cyber threats to the country’s national security, including their
economic well-being. But these efforts aren’t global yet: In the United States there are new
mechanisms for sharing cyber intelligence, but few affirmative incentives to do so (let alone
A fourth wave?
Looking farther down the road, what happens when regulators someday move beyond these
initial goals – protecting data subjects, protecting investors, protecting the system? Is there
some further goal that might give rise to a fourth wave of cybersecurity law?
Here’s one possibility: At the risk of repeating a mantra, some hacks are inevitable. Those hacks
will cause harm. Which means laws will be needed to assign responsibility and liability for that
harm. In a phrase, the next wave of cybersecurity law may be about allocation of cybersecurity
risk. Traditional tort and contract concepts already provide a baseline, and there are some
special-purpose laws governing who pays for the harms caused by particular types of hacks. But
refining and interpreting those laws in the new cybersecurity context could easily occupy
legislators, regulators and courts for years.
For example, courts are now considering who bears the loss of hacks involving wire transfers.
When wire transfers involve US financial institutions, they are usually governed by New York’s
implementation of the Uniform Commercial Code article 4A. That law was meant to define
when a bank bears the risk of loss from a hack, and when a bank’s customer bears that risk. But
laws aren’t self-interpreting, so US courts are now being forced to consider how to apply article
4A to real-world situations like the recent “SWIFT hacks.”[2]
In a certain sense, FinCEN’s recent admonition for financial institutions to report suspected
cyber crime (similar to earlier efforts in the UK and Germany) also represents a practical effort
to make sure that the right people pay for cyber crime. In pretty much every jurisdiction, laws
have always placed criminal and civil liability on hackers themselves (sometimes alongside
others). But the aspiration of these laws has run headlong into the difficulties of enforcement.
Hackers are notoriously hard to track down, especially if law enforcement learns of hacks long
after the fact. In the future, more government authorities may conclude that requiring
financial institutions to report potential cyber crime promptly will help law enforcement hold
hackers responsible for their actions.
Similarly, cybersecurity insurance is developing at a rapid clip, and the law is struggling to
catch up. For some time, we’ve seen courts grappling with how general insurance policies
(whether first-party or liability policies) apply to cybersecurity incidents. The recent advent of
cybersecurity-specific policies, too, is sure to generate new questions. Courts have a pretty good
idea how to deal with the insurance aftermath of an earthquake; the aftermath of a major hack,
not so much.
The UK’s Prudential Regulatory Authority, for example, has just proposed a supervisory
statement setting out its expectations for “the prudent management of cyber underwriting risk
by insurance firms.” In other words, what kinds of cybersecurity insurance should firms be
offering? If adopted, the supervisory statement would have obvious impact far beyond the
insurers that the PRA nominally regulates. Rather, the statement would influence the
allocation of cybersecurity risk across industries and markets.
* * *
The regulations that financial regulators have recently proposed are, of course, just proposals.
Still, proposed regulations usually are adopted, so companies need to start planning to comply
with these regulations now. That means considering which regulators’ requirements apply (or
deciding to go above and beyond and comply with them all) and designing a compliant
cybersecurity strategy. It also means drafting policies, incident plans and training programs.
And because continuous improvement is part of all of these regulations, financial institutions
need to be ready to repeat these steps on a regular basis.
Similarly, the future possibilities that we suggest are just possibilities, but there’s still lawyering
to be done to prepare for them. First and foremost, financial institutions need to track
developments in this area closely to determine whether developments may affect their business
models. If courts start assigning liability for hacks to banks, for example, banks may need to
reconsider certain business lines. Financial institutions may also seek to influence how these
developments unfold. There may be opportunities to comment on proposed regulations, testify
before legislators on the impact of cybersecurity regulation or appear in pending court cases to
educate courts considering these issues. And financial institutions should consider carefully
how they craft their contracts and business arrangements, as it may be easier to lock in
favorable allocations of cyber risk today than to repaper business relationships once these laws
[2] For more on allocation of risk for wire transfer hacks, check out our recent video at http://digital.freshfields.com/
For more information, please contact our global cyber security team and visit our cyber security
This material is provided by the US law firm Freshfields Bruckhaus Deringer US LLP and the international law firm Freshfields Bruckhaus Deringer LLP (a limited liability partnership organized under the law of
England and Wales) (the UK LLP) and by the offices and associated entities of the UK LLP practicing under the Freshfields Bruckhaus Deringer name in a number of jurisdictions, together referred to in the material as
“Freshfields.” For regulatory information please refer to www.freshfields.com/support/legalnotice.
Freshfields Bruckhaus Deringer US LLP has offices in New York City and Washington, DC. The UK LLP has offices or associated entities in Austria, Bahrain, Belgium, China, England, France, Germany, Hong Kong, Italy,
Japan, the Netherlands, Russia, Singapore, Spain, the United Arab Emirates and Vietnam.
This material is for general information only and is not intended to provide legal advice. Prior results do not guarantee a similar outcome.
© Freshfields Bruckhaus Deringer LLP 2016