Page 32 - Banking Finance April 2019

ARTICLE

to adapt and be continually refined.

27. However, actions by individual countries—and by financial sector participants alone—will not be sufficient. Constantly evolving industry-wide standards are needed to keep pace with evolving cyber risks, even if these create compliance costs for the affected institutions. Future viewpoints related to cybersecurity and data privacy continue to indicate strong regulatory developments, with several countries either implementing or enhancing their regulatory requirements. Legislators are keeping pace by introducing new privacy and cybersecurity laws. Key legislative and banking regulation developments include:

28. In October 2016, the G-7 countries came out with what is called the ‘Fundamental Elements of Cyber Security for the Financial Sector’, which covers cybersecurity strategy and framework, governance, risk and control assessment, monitoring, response, recovery, information sharing and continuous learning as key elements. The Committee on Payments and Market Infrastructures (CPMI), BIS and the International Organization of Securities Commissions (IOSCO) have issued Guidance on cyber resilience for financial market infrastructures (FMIs), which also emphasises the importance for authorities to cooperate to support broader financial stability objectives. The Bank of England (BoE) has implemented “CBEST”, a new framework for testing cyber security vulnerabilities, particularly in respect of core financial sector entities. The Hong Kong Monetary Authority has announced the launch of a “Cybersecurity Fortification Initiative” (CFI), a comprehensive initiative aiming to raise the level of cybersecurity of banks. Other regulations targeted towards cybersecurity and preventing data breaches include the EU General Data Protection Regulation (GDPR), which aims to protect all EU citizens from privacy and data breaches in today’s data-driven world. The biggest change under GDPR is the extended jurisdiction, as it applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.

29. The State of California Legislature has passed the California Consumer Privacy Act (CCPA) of 2018, which expands data subject rights, including the right of individuals to access their personal information. The New York Department of Financial Services Cybersecurity Regulation requires financial institutions to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry. Further, the SEC issued disclosure guidance to public companies in early 2018 which mandates disclosure of material information in a timely manner. The prominent feature of all the regulations above is the right given to the individual to get his information deleted in certain circumstances.

30. The European Union published the first European framework for controlled cyber-hacking exercises, called Threat Intelligence-based Ethical Red Teaming (Tiber-EU), in May 2018. It enables European and national authorities to work with financial infrastructures and institutions (hereafter referred to collectively as “entities”) to put in place a programme to test and improve their resilience against sophisticated cyber-attacks. Singapore has made it mandatory to conduct penetration testing. The Association of Banks in Singapore has taken the lead in establishing guidelines to be followed when conducting the tests.

31. The US Treasury Department (Treasury) issued its fourth report in July 2018, which will help in identifying improvements to the regulatory landscape that will better support nonbank financial institutions, embrace financial technology, and foster innovation. The main guidance from the report is to embrace the efficient and responsible use of consumer financial data and competitive technologies; streamline the regulatory environment to foster innovation and avoid fragmentation; modernize regulations for an array of financial products and activities; and facilitate “regulatory sandboxes” to promote innovation.

32. Using a regulatory sandbox, regulators allow financial institutions or fintech companies to test their innovation in a controlled environment, subject to fulfilling the eligibility criteria specified by the regulator. The regulators may provide guidance and support in the form of regulatory flexibilities during the testing period where appropriate. A sandbox is a set of rules that allows innovators to test their products/business models in a live environment without following some or all legal requirements, subject to predefined restrictions.

33. In India, RBI issued a circular on Cyber Security Framework in Banks on June 2, 2016 mandating cyber security preparedness. A specialised cell (C-SITE) has been created within the supervision department of RBI to conduct detailed IT examination of banks’ cyber security preparedness, to identify the gaps and to
