My analysis of the European digital operational resilience regulation

In the past, I analyzed some of the more interesting EU regulations relating to privacy or cybersecurity, as well as some national cybersecurity strategies. This post is about the proposal for a regulation just unveiled by the European Council. The primary focus of the regulation is the cyber resilience of the financial sector (“security of network and information systems supporting the business processes of financial entities needed to achieve a high common level of digital operational resilience”).

It touches on the cybersecurity of the financial sector and it contains several interesting elements. It relates to cybersecurity, and we all know how influential the financial sector is, so it should be closely watched.

The financial sector is among the prime targets of various cyber activities such as cyberattacks or intrusions, so the creation of a focused regulation should not be surprising. I have the impression that the core strength of the regulation lies in its broad requirements for cybersecurity testing (performed on an annual basis). This will further boost the market for cybersecurity products and services, too.

Cyber risk is serious

Financial firms must take cyber risks seriously. Fortunately, most (if not all) important companies in the sector already have well-established teams. The regulation makes the firm’s management body responsible and liable, and the management body must regularly take part in cybersecurity training. This means that cybersecurity in the financial sector will become essential.

Risk assessment

Risk assessment is a must. It must be a solid one and a regular exercise: according to the regulation, it is to be done yearly or upon a significant change in the system. The regulation also speaks of asset mapping, change management, and so on.

Financial companies will need to be equipped with appropriate detection capabilities to detect anomalies. Security by design and defense in depth are the advertised approach.

This is also about recovery: the need to identify the impacts, create post-mortems, and bring services back to an appropriate state. Business continuity (BCP) and disaster recovery (DRP) plans need to be in place and tested regularly. This includes tests of crisis communication.

Incidents, vulnerabilities, disclosure

It’s important to note that communication is also about “responsible disclosure” of vulnerabilities, even to clients or the public. While some security experts and researchers are increasingly pointing to the controversies of this “responsible” part (I like this reasoned take), the atmosphere of the financial sector may be stiff enough to put such elaborate debates aside. Financial firms from some sub-sectors may even have built a notoriety for not speaking about cybersecurity incidents. There are stories about this. Can such a regulation change it?

This highlights the difficulty of simply mandating that issues are to be made public, not just reported to a “competent authority”.

Single Hub

However, the regulation also speaks of a “Single EU Hub for major ICT-related incident reporting”. This would be quite an ambitious and interesting undertaking, considering the current fragmentation, but it is probably doable. The question remains about the quality of such data, as well as the ability of the European Banking Authority (which is tasked with it) to hold the right expertise.

Security testing, audits, red teaming, whatnot

What’s particularly of note is the security testing part:

“financial entities shall establish, maintain and review, with due consideration to their size, business and risk profiles, a sound and comprehensive digital operational resilience testing programme”.

It sounds reasonable and very serious:

“a full range of appropriate tests, including vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing or penetration testing.”

While many types of testing are mentioned, there will be an express requirement to “carry out at least every 3 years” advanced testing employing “threat led penetration testing”. The mentioned “threat led penetration testing” is penetration testing with a special attacker-like mindset: an exercise in which the testers try to think as if they wanted to hack the systems themselves. Such testing will be done on “live production systems”. Which is great.

Approval of tests

But that’s not all: financial companies will need to report back to the competent authorities (the financial sector regulator?) and ask them for a blessing (approval of the test results!). Will the competent authorities have the expertise to meaningfully accept, assess, and validate such reports? It’s not as if the competent authorities hold much staff with cybersecurity expertise, and we are speaking about dozens of such reports every year. They are competent in their own subject matter of interest.

There are also formal requirements for testers:

  • They need to have high credibility and reputation,
  • Technical and organizational capabilities, and demonstrated experience in threat intelligence, penetration testing, or red team testing,
  • They are certified by an “accreditation body” or “adhere to formal codes of conduct or ethical frameworks”,
  • They need to be fully covered (indemnity insurance).

I will only comment on certification. I accept that certification is a signal of competence conforming to some acceptable level of knowledge. But experts very often point to a persistent gap between certification (1, 2) and actual reality. It’s a question of paperwork vs skillset. That said, I accept that there’s value in certification in professional undertakings. Got CISSP?

There’s also no doubt that the part on testing will further help cybersecurity business (and certification).

Third-party suppliers

In Article 1, the regulation says that a formal role for analyzing third-party ICT supplier risk will need to be created. This regulation is indeed heavy on the aspects of third-party suppliers, particularly those in third countries. I reckon that this part of the regulation:

“Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with high, appropriate, and the latest information security standards.”

...will create considerable value around “the latest information security standards”. But the regulation does not name the standards. Unless “standards” is assumed here in the general meaning (which sometimes may or may not amount to “whatever”). I guess this should be clarified by the European Parliament.

Financial companies will need to establish which third-party suppliers are not “easily substitutable”?

“contracting with an ICT third-party service provider which is not easily substitutable”

This clause is made more stringent for ICT providers established in third countries (the US?), where “the respect of data protection” (in that third country? This is not clear and should be clarified!) becomes important.

Information sharing will gain some ground

“Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cybersecurity alerts and configuration tools”

The only worrying thing is that this may effectively become a bypass of the data protection regulation (the GDPR); the two topics are not linked at all. Article 40 should be updated accordingly.

Summary

Cybersecurity and the resilience of the financial sector are important. No doubt about that. We even included the financial sector in the International Committee’s report on the humanitarian risks of cyber operations (https://blog.lukaszolejnik.com/icrc-report-on-cyberoperations/).

The proposal for the regulation can be found here. This is an important but not a controversial file. Let’s see how quickly it reaches its final form.

This regulation looks good, though it should receive some additional clarifications and perhaps even expansion. Cybersecurity still sees interesting evolution, even though most of the content of the regulation is quite standard (and therefore reasonable).

Did you like the assessment and analysis? Any questions, comments, complaints or maybe even offers? Feel free to reach out: me@lukaszolejnik.com