Given that the financial sector is a top target for cyber criminals, legislating cybersecurity standards would be positive for the industry, says Moody’s Investors Service in a new report.
Last week, European regulators called on the European Commission (EC) to toughen its laws relating to cybersecurity and other technology risks in the financial sector. Moody’s reported that an analysis by regulators found that existing legislation doesn’t explicitly deal with cybersecurity risk, and that minimum requirements should be legislated to address these risks.
Moody’s noted that it views banks, securities firms and market infrastructure providers (such as exchanges and clearing firms) as three of the sectors with the highest inherent cyber risk exposure. Legislating minimum standards in this area would be a positive for financial firms, it said.
“Because cybersecurity risks threaten the stability of the financial system and financial institutions are vulnerable to cyberattacks, cross-border legislative efforts to improve the risk management and resiliency of cybersecurity and promote stronger operational resilience and harmonization are credit positive for European financial institutions,” the rating agency said.
Among other things, Moody’s reported that the regulators recommend that firms should be subject to basic cybersecurity risk governance requirements; that incident reporting requirements should be introduced, or enhanced; and that there should be appropriate oversight of critical third-party service providers to financial institutions, such as cloud computing services.
Moody’s also noted that regulators concluded that threat-led penetration testing, which is based on threat intelligence and involves controlled hacking attempts that simulate cyber criminals’ behaviour, represents the best approach to testing cyber resilience.
However, they also concluded that it’s not feasible to introduce a coordinated threat-led penetration-testing framework in the short term, “because there are significant differences across and within financial sectors in terms of cyber maturity, and only a few authorities currently organize such testing.”
Longer term, they would like to see comprehensive mandatory testing of this sort; in the short term, they would like lawmakers to consider establishing voluntary threat-led penetration testing.