The EBF would like to take the opportunity to note few general remarks on key issues as follows:

Transcription

1 Ref.:EBF_ Brussels, 17 June 2013 Launched in 1960, the European Banking Federation is the voice of the European banking sector from the European Union and European Free Trade Association countries. The EBF represents the interests of some 4,500 banks, large and small, wholesale and retail, local and cross-border financial institutions. EBF s position on the Commission s proposal for a Directive concerning measures to ensure a high common level of network and information security (NIS) across the European Union COM(2013) 48 final General remarks: The Commission s proposal falls within the scope of the European Cyber Security Strategy aiming at ensuring a safe and reliable digital environment across the EU. Based on recent data the Existing NIS capabilities and voluntary mechanisms are simply insufficient to keep pace with the fast-changing landscape of threats and to ensure a common high level of protection in all the Member States. The Commission is aiming at guarantying a high common level of network and information security (NIS) by improving the security of the internet and the private networks and information systems underpinning the functioning of our societies and economies to ensure a reliable environment for worldwide trade in services via coordinated regulatory interventions, strategies and standards as well as trusted information sharing on NIS incidents and risks among the Member States. The European Banking Federation (EBF) positively welcomes the draft Directive, as it is particularly important for the banking sector which has already the infrastructures in place. The EBF supports strongly the objective of the draft Directive to ensure that there are tools in place to react properly in case of incidents. Indeed, appropriate tools may result in an increased consumers trust, leading to a more inclusive cyberspace, and a digital economy that grows even faster, supporting our economic recovery. The EBF fears however that in some aspects the Commission s proposal seems very ambitious. The EBF would like to take the opportunity to note few general remarks on key issues as follows: The EBF believes that the proposed Directive should promote the exchange of information among all the main actors involved in the security management process, not only among Member States and Computer Emergency Response Teams (CERTs) but also between the most relevant stakeholders. As the banking sector has already set and put in place well defined risk assessment and incident monitoring procedures, the EBF considers that one of the biggest challenges nowadays is an efficient cooperation with other stakeholders (e.g. Telecommunications operators), especially in case of incidents. EBF a.i.s.b.l ETI Registration number: Avenue des Arts 56, B-1000 Brussels +32 (0) Phone +32 (0) Fax

2 The EBF would like to draw the attention of the legislator that should any new requirements be adopted they should be proportional to the associated risk and of its impact of loss as well as being consistent all over Europe. However, first it should be noted that the scope of the proposed Directive has only sets minimum rules allowing EU countries to go beyond these requirements and secondly small companies are excluded from the risk management and notification requirements. However, they may also be confronted with or causing a cyber incident that may cause collateral damages or impact the economy/society. As a consequence the current proposal would allow Member States to adopt different reporting rules; which could lead to diverging requirements throughout the EU, These inconsistencies could be detrimental to the principle of a level playing field and may lead to additional costs inherent to the implementation of these new measures. The EBF would like to add as well that the sanctions and their enforcement can differ from one Member State to another, and therefore could create real uncertainty for transnational companies. As specific remarks, the European Banking Federation would like to point out the following issues: 1. Incident Reporting (Article 14) According to Articles 14 to 16, the Commission proposes new security and incident reporting obligations. The public administrations and private entities in specific sectors (e.g. financial services) will be required to adopt network and information security (NIS) risk management practices and notify competent national authorities of any security incident that has a significant impact on the continuity of core services they provide (art.14-16). Following the notification, national authorities may decide to inform the general public. The EBF would like to stress the importance of a coherence between the requirements of the proposed NIS Directive and the- currently under review- Data Protection Regulation. In terms of efficiency the specific obligations to notify data breach/ network incidents should require reporting to one authority with one single form to fill in. This is rightly mentioned in recital 31, with the establishment of harmonised exchange mechanisms and template to notify incidents. The requirement for mandatory reporting of incidents by market operators requires careful scoping in order to ensure it drives the desired behaviour that it is important to balance between the interest to inform the public, the level of details made public and its consequences as well as the guarantee of protecting reputation and image of the organisation involved in data violation episodes [Ref Article 14]: The EBF considers problematic that the authorities will decide on the information to disclose where it determines that the incident is of public interest. The Authorities should in collaboration of the market operators and the public administrations ensure that information on weaknesses in security are not detailed and do not identify specific problems. This would be otherwise equivalent to indicate to hackers where a specific sector is not good enough to protect its systems). 2

3 The EBF would prefer that the elements of respectively recital 17 and recital 28 regarding the handling of the information with confidentiality should be part of the main body of the Directive as considered as an essential part of the Directive. Art 14 (1) suggests a focus only on incidents that impact continuity of service. However, integrity of service is equally important. Art 14 (2) requires reporting by market operators of incidents having a significant impact on the security of the core services they provide. The word significant needs careful definition in order to determine whether this Directive will achieve its aim: o If the requirement includes reporting of incidents with minimal impact to the business of the market operator, then it could drive a culture that is encouraged not to identify incidents. This would be counterproductive as effective cyber security requires identification and investigation of a wide range of incidents, many of which appear to be insignificant at first sight. It is only by catching such incidents early that material incidents are prevented. o We would recommend the limitation of mandatory reporting to just incidents with significant and material impact and this needs to be established within the Directive in order to prevent scope creep in the future. It should also be noted that many cyber security incidents do not actually involve the breach of systems belonging to the victim organisation. o For example, the widely-publicised Denial of Service attacks against US Banks have not breached their systems, but rather prevented access to them. o Similarly, fraudsters often do not target banking systems, but rather the systems of banks customers. o It is unclear how the mandatory reporting would be applied in these circumstances. 2. Incident Identification (Article 14) The draft Directive contains no requirements on market operators to develop capability to detect incidents. If there are to be requirements on market operators to report incidents that have been identified, then there should be some requirement on the market operators to identify those incidents in the first place. Otherwise a disincentive to monitor for cyber security incidents will be created for market operators. The EBF considers that it could have a detrimental impact on the level of network and information security across the Union. We would therefore propose that the Directive includes a requirement for market operators to monitor their networks and information systems for incidents, in a manner appropriate with the threats they face, but without requiring compliance with specific technical standards. (see next comment) 3. Standards (Article 16) 3

4 Encouragement of the use of standards is a laudable principle. However, it must be recognised that requiring compliance to detailed technical standards by market operators is likely to be counter-productive: Technical standards take time to be developed and revised and are unlikely to keep pace with the dynamic threat environment; Requiring compliance to detailed technical standards will encourage a compliance culture, with an emphasis on box-ticking as opposed to genuine risk management. The risk management practices that must be encouraged across the Union involve a high degree of skill, judgement and investigation by capable professionals this research type culture will not be encouraged by compliance requirements; Compliance with technical standards can create a false sense of security for senior management. For example, the payments industry has for some time required merchants to comply with technical security standards (PCI-DSS) when handling payment card details. However, breaches in recent years have occurred in organisations that are certified as compliant with PCI-DSS standards. This illustrates that compliance with even the most stringent technical standards is not sufficient for effective risk management. 4. Delegated acts (art. 18) & implemented act (14.7): In reference to Articles 9(2), 10 (5) and 14(5) as well as Article 14 (7) delegated acts and implemented act have been conferred to the Commission. The EBF has serious concerns regarding this extensive power for the European Commission because of the limited involvement of stakeholders in this process. The EBF also sees this technique as problematic since it leaves too much uncertainty with regard to the actual implementation of the Directive. This is all the most worrying as the respectively proposed delegated and implemented acts apply to essential aspects of the draft Directive such as the definition of the criteria to be fulfilled for a member state to be authorised to participate to the secure information-sharing-system (Article 9(2)), the further specification of the risks and incidents triggering early warning (Article 10 (5)), the definition of circumstances in which public administrations and Market operators are required to notify incidents (art. 14(5)) and finally the format and procedures applicable for the Member States to ensure that market operators notify to the competent authority incidents having a significant impact on the security of the core service they provide. 5. Definition of Market Operators We note the suggestion in paragraph 24 on page 14 that software developers and hardware manufacturers be explicitly excluded from the requirements of this Directive. However we would argue the contrary; that they should be at the core of the scope of this Directive: Their products are relied on by all other market operators to ensure the security of services thus they are a critical dependency; 4

5 There are known examples of hardware and software providers either being targeted in order to then compromise other market operators, or publicly acknowledged as placing market operators at risk due to vulnerabilities in their products. Whilst we acknowledge that the list given in Annex II is indicative, we would suggest omissions have been made of whole sectors that are known to be targets of sustained cyber attacks, and represent risk to the security of the EU. Examples include: Legal firms Accountancy and audit firms Food and agriculture firms Utilities such as water Information Technology firms Persons of contact: Fanny Derouck-Tadros Séverine Anciberro Noémie Papp 5