

Down to the wire

How financial institutions must manage cybersecurity threats

Financial services regulators are getting serious about cybersecurity as systemic threats come to the fore. What do financial institutions need to do now? And what’s next?

We’re in the midst of a global storm of activity by financial regulators on cybersecurity. For years there have been some generally applicable cybersecurity laws, but only a few directed specifically at financial institutions. The few laws focused on financial services were patchy – applicable to some businesses but not others, governing this activity but not that one. Then, in just the past few months, all that has changed.

The most dramatic activity is happening in the United States and the United Kingdom. In September, New York’s banking regulator proposed across-the-board cybersecurity standards for financial institutions. Meanwhile, in the UK, the Treasury, the Financial Conduct Authority (FCA), and Parliament have been hastily exchanging letters about ensuring the cyber safety of banks. Also in September, the FCA’s Director of Specialist Supervision outlined the UK regulator’s approach to cybersecurity. Then in October, US federal banking regulators proposed new cybersecurity rules for systemically important financial institutions. Finally, the United States’ money laundering watchdog, FinCEN, advised financial institutions on the need to report cyber incidents as part of their anti-money laundering processes.

It’s not just the United States and the United Kingdom. In October, the G7 issued its Fundamental Elements of Cybersecurity for the Financial Sector – ostensibly a guide for financial regulators but in reality a set of expectations for financial institutions. The guide was prepared by an international group of experts, and chances are good that countries worldwide will take the G7’s Elements seriously and implement them, at least in some form. The G7’s Elements followed guidance on cyber resilience for financial market infrastructures produced jointly by the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO). That self-styled “landmark report,” released in June, was the first internationally agreed-upon guidance on cybersecurity for the financial markets industry.

We’re also seeing cybersecurity developments that, although not specific to the financial sector, will pose special challenges for the sector. In August, the EU enacted the Network Information Security Directive, which will force member countries to enact their own cybersecurity laws. Some countries, like Germany, had already enacted cybersecurity requirements of their own and continue to enact new requirements. In addition, the German government just published.