Big British banks, such as RBS, Barclays and HSBC, will all have to report major breaches to the ECB
Banks regulated by the European Central Bank (ECB) will be forced to reveal all major cyber security breaches from this summer.
Sabine Lautenschlaeger, a member of the ECB’s executive board, said that the move would help the organisation to “assess more objectively how many incidents there are and how cyber threats evolve”.
“It will also help us to identify vulnerabilities and common pitfalls,” she said in a speech in Frankfurt.
The organisation will also perform regular reviews on cyber security and outsourcing arrangements at banks. Outsourcing IT infrastructure, resources and applications as well as other services can lead to vulnerabilities which cyber criminals will try to exploit.
The new regulations come at a time when banks are increasingly being targeted in highly sophisticated campaigns.
The Russian central bank was hit by the WannaCry ransomware campaign, while an attack on the central bank of Bangladesh resulted in the theft of $81m – out of a total of $951m that could’ve been stolen if it weren’t for a crass spelling mistake by the attackers, believed to be North Korean.
The legislation coincides with the incoming General Data Protection Regulation (GDPR) in the EU, which will come into effect in May next year.
A recent report from Consult Hyperion, commissioned by AllClearID, dubbed Banks, Breaches and Billion Euro Fines, suggested that European financial institutions could face fines totalling €4.7bn in the first three years under GDPR.
The potential financial penalties for a data breach are substantial – either two per cent of the previous year’s global turnover for a first offence, or up to four per cent for repeat offences. The size of fines will be substantially mitigated if an organisation can demonstrate that it has followed best practice, though.
The report suggested that the highest risk item in the GDPR is the 72-hour breach-notification requirement.
It’s as yet unclear what the repercussions, if any, will be if banks fail to notify the ECB of a major cyber security breach.