Clearing houses to be subject to formal cybersecurity reporting duties in the UK

Out-Law News | 24 Aug 2017 | 5:14 pm | 4 min. read

Clearing houses in the UK will be subject to new formal cybersecurity incident reporting duties under changes likely to be implemented by 9 May next year.

The government is set to update UK legislation to codify reporting requirements for central counterparties (CCPs) as part of a move to bring the cybersecurity regulation of financial market infrastructures into line with equivalent regulations that will be introduced in other sectors under new EU laws.

The government told Out-Law.com that the new reporting requirements will be in line with current informal arrangements that apply. It did not detail what those informal arrangements are.

The government's plans to change the law to codify cyber incident reporting for CCPs relate to its separate proposals to implement the EU's Network and Information Security (NIS) Directive.

The Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like energy, health and transport are secure. It will apply to operators of such 'essential services', as defined by each EU member state. Slightly different rules will also apply to 'digital service providers'. EU countries have until 9 May 2018 to implement the Directive into national laws.

Earlier this month, the government clarified that firms operating in banking and financial markets infrastructure will not be classed as operators of essential services and will therefore not be subject to the UK legislation implementing the Directive. This is despite the fact that operators of essential services in the banking and financial markets infrastructure sectors are specifically identified in the Directive as being within the scope of the new requirements.

However, in its consultation paper, the government explained that it was able to exempt those firms from the new UK NIS laws under other provisions contained in the NIS Directive.

According to the NIS Directive, if there are already "Union legal acts" that set out sector-specific requirements regarding the security of firms' network and information systems or the notification of cybersecurity incidents then those provisions should apply so long as the requirements "are at least equivalent in effect" to the obligations set out in the Directive.

The government said that "provisions at least equivalent to those specified in the Directive will already exist by the time the Directive comes into force" in the context of cybersecurity obligations and notification duties in the banking and financial market infrastructure sectors. It said that firms in those sectors "must continue to adhere to requirements and standards as set by the Bank of England and/or the Financial Conduct Authority".

The Bank of England has responsibility for the supervision of CCPs and other financial market infrastructures (FMIs), such as major payment systems and central securities depositories.

The regulatory expectations on FMIs regarding their cyber resilience are governed by a set of principles, while the Bank's oversight of the issue is enhanced via a cybersecurity testing framework.

The principles, the PFMIs, "require financial market infrastructure to identify plausible sources of operational risk, and ways to mitigate their impact", and also to "have credible business continuity and recovery plans, with the aim of resuming operations within a maximum of two hours following the most disruptive events", Sir Jon Cunliffe, deputy governor for financial stability at the Bank of England, explained in a speech (17-page / 655KB PDF) earlier this year.

Sir Jon's speech coincided with the launch of the Bank of England's latest annual report on its supervision of FMIs (36-page / 1.82MB PDF), in which the Bank described as a "supervisory priority" its oversight of the way in which FMIs manage threats to their "operational resilience", including their defences against cyber attacks.

The report provided details of a "specific review of cyber risk management" that the Bank had conducted "across a range of FMIs" last year. The reviews "were intended to ensure FMIs’ risk management functions were operating effectively, and were adequately focused on the increasing risk of cyber threats". The reviews led to the Bank identifying "points for remediation" for some firms, it said.

The Bank also said at the time that it was working to develop "an enhanced micro-supervisory approach to operational resilience".

Further detail of the Bank's approach to supervision of FMIs' cyber risk management was set out more recently in its June 2017 Financial Stability Report (69-page / 1.47MB PDF). The report confirmed that 31 of 34 "core" financial services firms and FMIs had completed so-called CBEST testing, with two more "close to completion".

The CBEST vulnerability testing framework was set up in 2015 as a scheme through which firms could subject their systems and processes to a cyber risk assessment. Participation in the scheme was initially encouraged but not mandated.

According to the June 2017 Financial Stability Report, the testing identified some weaknesses in "core firms’ cyber resilience".

"In some cases, controls on the integrity of systems and confidentiality of data needed to be strengthened," the Bank said. "In others, the tests identified the need for further investment in capabilities to detect, mitigate and respond to attacks. And in general, the tests highlighted the importance of firms continuing to invest in their people, processes and technology in order to counter the risks of cyber attack."

According to the report, the shortcomings are being addressed through the implementation of action plans by firms – an exercise which is being overseen by supervisors.

The Bank said that CBEST testing "will become a regular component of supervisory assessment of firms". It said the 34 'core firms' will be expected to "conduct their own regular tests of cyber resilience" and that "they will also be subject to supervisor-led CBEST testing at regular intervals", the frequency of which it said would be "proportionate to firms’ importance for financial stability".

According to the Bank, the CBEST framework is also being adopted in other jurisdictions and sectors.

For financial firms, obligations relating to cybersecurity can also be found in the Financial Conduct Authority (FCA) Handbook, albeit stipulated in the context of general requirements regarding the effective management of risk and controls, and in relation to rules on business continuity and outsourcing. In addition, rules on notification to regulators impose on firms a duty to report material cyber incidents.

According to the FCA, an incident may be material if it results in significant loss of data, or of the availability or control of IT systems; affects a large number of customers; or results in unauthorised access to, or malicious software present on, a firm's information and communication systems.