Banks: what EU regulations do they have to comply with?
While not all companies from the financial sector are concerned by the regulations mentioned in this article, being extremely targeted by cybercriminals, their interest in cybersecurity is high. We must also note that other regulations (such as ISO Standards for example) also have significant consequences for entities in the sector.
As this article is not intended to be exhaustive, our analysis will focus on the regulations that are in force to provide a first overview of the legal framework surrounding banks. The proper application of the practices imposed/recommended by law and regulation is for us a crucial starting point to protect oneself against cyberattacks.
At the European level, the Network and Information System Security (NIS) Directive, adopted on July 6, 2016, aims to ensure a high level of security common to all IS and networks in the European Union member states.
Because of the negative impact that a disruption in the banks’ service could have, they must now comply with obligations regarding the security of information systems and networks. These obligations relate to four areas: security governance, protection and defense of networks and IS, and business resilience.
The GDPR frames the processing of personal data in the European Union. Banking data is specific and sensitive information that must be treated with particular vigilance.
To deal with the risks of loss of integrity or data leaks, the various sector players need to implement security measures such as encryption when the data are sent, when they transit or are stored.
The second Payment Services Directive (PSD2), which has been in force in the European Union since January 13, 2018, includes a set of regulatory provisions aimed at strengthening payment security.
In particular, the PSD2 requires the use of strong authentication for the following operations: access to the online payment account, electronic payment transactions, and actions carried out via a remote communication mode that presents a high risk of fraud (e.g., the registration of a new transfer beneficiary on his online bank account).
Internationally, the Sarbanes-Oxley Act, passed in 2002 by the U.S. Congress, aims to protect shareholders and the general public against accounting errors fraudulent practices, but also to improve the accuracy of information provided by companies. The SOX Act is extra-territorial. It applies to all European subsidiaries of American groups, to companies operating in the United States and to companies listed on a U.S. capital market, regardless of their nationality, as well as to their foreign subsidiaries.
The SOX Act (also known as SARBOX) deals with computer security from financial information’s accuracy and integrity. In its article 302, the SOX law requires quarterly audits to be carried out, including an IT security component.
The Basel Accords are banking regulation agreements. Drawn up by the Basel Committee and signed in the city of Basel (Switzerland), they require banks to guarantee a minimum level of equity capital to ensure their financial soundness.
The Basel Accords’ IT security section requires both regular reporting and crisis management exercises to simulate all risk situations and test the solidity of banks.
In addition to these laws and regulations, good security practices are stemming from the ISO 27000 standards, from the French National Agency for the Security of Information Systems (ANSSI), and the Cybersecurity and Infrastructure Security Agency (CISA) in the USA. Among those that we consider the most important, we can mention in particular:
An analysis by Ibrahima Sene, a cybersecurity consultant at Orange Cyberdefense France.