Why banks need a solid security foundation


Results of a January study by the Ponemon Institute on behalf of Keeper Security show that 70 percent of all financial services firms in the UK have been affected by cyberattacks. A look at the figures from a study conducted by Cybereason, in which German companies participated along with other organizations spread around the world, gives an idea of the dimensions and consequences of this development:

  • 80 percent of respondents who have already been a victim of a ransomware attack and paid a ransom will be attacked again.
  • 32 percent of the affected organizations lose some of their top management in the wake of the attack, 29 percent have to cut jobs.
  • 66 percent say they have suffered severe revenue losses. For German companies, this figure is as high as 75 percent.
  • In terms of industries, 73 percent of the financial service providers surveyed worldwide see themselves as having suffered sustained damage.

Clearly, then, the attacks are successfully taking advantage of the global trend toward digital transformation. However, it is not only the systems as such that are threatened. Factors such as economic stability and trust in the integrity of systems and data also play a not insignificant role here. During the pandemic, it became necessary to implement digital transformation faster and more fundamentally than before.

This has had a positive impact on workflows and processes and has helped to save time and costs. This is particularly evident among banks and financial services providers. Many of their typical offers and services cannot be delivered without legally binding agreements between all parties; mortgages and the application for and granting of a loan are examples. Digitizing the complete workflow by digitally signing complex documents can reduce costs at this point.

eIDAS and the secure digital transformation

The Regulation on Electronic Identification and Trust Services for Electronic Transactions (eIDAS) first came into force in July 2014, years before digital transformation initiatives took hold around the world. In practice, however, it is now apparent that eIDAS is especially relevant for the security of such processes. On the one hand, eIDAS ensures the best possible implementation of digital business processes; on the other hand, the regulation guarantees a higher level of security for all parties involved. Financial service providers benefit from this in particular, also because eIDAS fits well with other EU industry initiatives such as the Payment Services Directive (PSD2).

The EU has launched a series of regulations and directives to ensure secure commerce through cross-border trusted authentication. Within the framework of these regulations, qualified electronic signatures (QES) are also recognized, as they are legally permissible throughout the EU and strengthen trust in electronic transactions. A QES is a type of digital signature that offers a higher level of verification than a standard electronic signature. Digital certificates embedded in a digital signature ensure that signers have taken additional steps to confirm their identity. A signer's digital certificate is used to create the signature, which is then added to the signed document. This allows, for example, customers and employees of a bank to digitally sign documents anywhere with maximum legal security. This works from the office, but also from any mobile device.

Digital certificates are issued by certificate authorities (CAs), also called trust centers. Once such a trust center issues a digital certificate, it can be stored on a smart card, USB drive, local computer, cell phone or in the cloud. So-called qualified certificates can only be issued by Qualified Trust Service Providers (QTSPs), which have been authorized to do so by supervisory bodies after their security standards have been appropriately verified.
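As an added illustration (not code from the article or from GlobalSign), the following Go program shows the mechanics the two paragraphs above describe: a constructed trust center issues a signer certificate, the signer signs a document and attaches that certificate, and a relying party checks both that the signature matches the document and that the certificate chains to a CA it trusts. All names, keys and the sample loan text are constructed for the example; the container layout and the choice of P-256 ECDSA over SHA-256 are assumptions made here, not the eIDAS QES format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument bundles the document, a signature over its SHA-256 digest and the
// signer's certificate (constructed layout for this example, not a real QES container).
type SignedDocument struct {
	Content   []byte
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Content)
	SignerDER []byte // DER-encoded X.509 certificate of the signer
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issueCert issues a certificate for pub; parent == nil means self-signed (the constructed trust center root).
func issueCert(name string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// signDocument signs the document digest with the signer's private key and attaches the signer's certificate.
func signDocument(content []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) *SignedDocument {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return &SignedDocument{Content: content, Signature: sig, SignerDER: cert.Raw}
}

// verifyDocument performs the relying party's two checks: the attached certificate must
// chain to a trusted root, and the signature must match the document under its public key.
func verifyDocument(doc *SignedDocument, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(doc.SignerDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(doc.Content)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], doc.Signature) {
		return fmt.Errorf("signature does not match document content")
	}
	return nil
}

// Demo: a constructed trust center issues a signer certificate; it reports whether the genuine
// document verifies, whether a tampered copy is rejected, and whether an untrusted-CA signature is rejected.
func Demo() (genuineOK, tamperedRejected, untrustedRejected bool) {
	caKey, signerKey := newKey(), newKey()
	caCert := issueCert("Constructed Example Trust Center", true, &caKey.PublicKey, nil, caKey)
	signerCert := issueCert("Alice Example (constructed signer)", false, &signerKey.PublicKey, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the verifier trusts this CA and nothing else
	contract := []byte("Loan agreement no. 0001 (constructed sample): principal 10000 EUR")
	doc := signDocument(contract, signerKey, signerCert)
	genuineOK = verifyDocument(doc, roots) == nil
	tampered := *doc // same signature and certificate, altered content
	tampered.Content = []byte("Loan agreement no. 0001 (constructed sample): principal 90000 EUR")
	tamperedRejected = verifyDocument(&tampered, roots) != nil
	rogueKey, rogueSignerKey := newKey(), newKey()
	rogueCA := issueCert("Untrusted CA (constructed)", true, &rogueKey.PublicKey, nil, rogueKey)
	rogueCert := issueCert("Alice Example", false, &rogueSignerKey.PublicKey, rogueCA, rogueKey)
	untrustedRejected = verifyDocument(signDocument(contract, rogueSignerKey, rogueCert), roots) != nil
	return
}

func main() {
	fmt.Println(Demo()) // prints: true true true
}
```

The third scenario is the one that matters for the trust model described above: a certificate that carries the same subject name but was issued by a CA outside the verifier's root set fails the chain check before the signature is even examined. In a real deployment the root in `roots` would be the QTSP's certificate taken from a trusted list rather than one generated in the program, and the verifier would also check the certificate's revocation status; the example omits both.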

Debbie Hayes, GlobalSign

What does it mean for the industry?

Banks and financial service providers manage documents, loans and contracts on a daily basis, using available digital technologies. Customers, many of them "digital natives", are demanding. They expect to be able to use pretty much the full portfolio of products and services digitally, but at the same time want to be sure that their sensitive data is suitably well protected. This is a balancing act, as the industry has been shown to be among the top 5 targeted industries in terms of frequency and severity of cyberattacks. This is hardly surprising, given the vast amounts of sensitive data on companies, individuals and even governments that are held there. At the same time, the sector is highly dependent on information and communication technologies, and it is this dependence that makes it additionally vulnerable to cyberattacks.

In response to the European Union's call for greater operational resilience in the financial sector, the Financial Conduct Authority (FCA) recently introduced rules and guidance on operational resilience for banks and insurers. The rules come into force on 31 March 2022. They require affected businesses to address the possibility that key business services and processes may become unavailable due to a range of events. These events include technical failures and power outages as well as cyberattacks.

In Europe, the proposed Digital Operational Resilience Regulation (DORA) would introduce an EU-wide regulatory framework for digital operational resilience for a wide range of financial services firms. The focus here is on the two areas of business continuity and third-party risk management.

Despite Brexit, DORA will also take into account the requirements of the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) in the UK's jurisdiction. That is, the UK-specific framework will parallel the directives of the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

The UK financial sector has already adapted to digital transformation in many places, including the associated cyber risks. DORA, however, requires the organizations involved to take much more responsibility, such as classifying threats and incidents, reporting them and responding accordingly.

There are a number of QTSPs throughout the EU, but currently only a handful in the UK. Following the EU exit, the eIDAS regulation was incorporated into UK law and amended by The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019. In addition, the existing UK legislation on trust services, The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (2016 No. 696), was adjusted; together these are referred to as the "UK eIDAS Regulations". If a company decides to operate under these terms, it is supported by services that comply with both the UK and EU eIDAS regulations and offer the highest level of security currently available.

But even if UK and EU-based companies don't necessarily opt for a qualified signature (or other qualified services), it's a good idea to work with an experienced trust services partner given the complexities involved.
