Winds of Change in the Finance Sector
The UK’s financial sector has seen the introduction of MiFID II, PSD2 and, of course, the GDPR. As well as better protecting end users, the laws harmonise how established and start-up organisations operate across the finance and fintech space.
With the focus on the needs and rights of the customer, the legislation underlines the importance of penetration testing for banks and finance companies. The rulings include personal finance apps, which are set to overtake online banking this year.
We’ve also seen the introduction of the NIS Directive, which, like the GDPR, isn’t exclusive to the finance sector. However, it does have a bearing on ‘relevant digital service providers’ (RDSPs) and is worth noting.
Here, we look at each of these laws in the context of cybersecurity and help you stay on the right side of them. You’ll find links to further guidance, including advice from the Financial Conduct Authority.
What is Penetration Testing
Penetration testing - also known as ethical or white hat hacking – proactively discovers IT security flaws. The goal is to identify and secure them before malicious forces do damage.
Penetration testing shouldn’t be confused with vulnerability scanning, which is an automated process that searches for known vulnerabilities.
While both tests have long played a valuable role in any solid cyber hygiene strategy, our increasingly digitised world makes them a necessity. Mobile apps are seen as the Achilles heel of security, with attacks on mobile devices and apps on the rise.
Moreover, it’s evident that banks are a target, as seven of the UK’s biggest banks were forced to shut down their systems or scale back their operations following a cyber-attack last year.
The EU’s Markets in Financial Instruments Directive was an ambitious and controversial move to transform the European financial sector.
MiFID applied in the UK from November 2007 and was revised by MiFID II, which took effect in January 2018. Just one month before, it was reported that one third of UK firms 'underprepared' for MiFID II despite the severe penalties of up to 5 million euros or 10% of annual turnover for non-compliance.
While the directive’s main thrust is around harmonisation, safety and transparency in the sector, it includes cybersecurity.
The European Commission's supplementing Directive PDF makes several references to risk and effective IT security management.
Global law firm DLA Piper refers to MiFID II: Microstructural Issues:
“RTS 6 prescribes additional rules in relation to security and access. Firms will need to protect against both physical and electronic security breaches and will have to promptly inform their home state regulator of any material breaches.”
And goes on to directly reference penetration testing:
“Firms will also be required to undertake annual penetration tests and vulnerability scans to safeguard against cyber-attacks and restrict access systems and ensure traceability at all times.”
Payments Service Directive 2 (PSD2)
The way we pay for goods and services is transforming. In 2017, debit card payments overtook those made by cash for the first time. In 2018, 20% of transactions were via mobile devices.
PSD2, which came into force on 13 January 2018, levels the playing field for payment services providers while ensuring enhanced security and greater customer protection. Guideline 7: Testing of Security measures reads:
“Payment services providers should establish and implement a testing framework that validates the robustness and effectiveness of security measures and ensure that the testing framework is adapted to consider new threats and vulnerabilities, identified through risk-monitoring activities.”
Source: European Banking Authority Guidelines on Security Measures for Operational and Security Risks Under PSD2 PDF 12/01/2018.
As part of a comprehensive programme of security measures in the payments industry, regular penetration testing will help you to satisfy compliance requirements.
Much has been written on the GDPR, suffice to say that Article 32 of the EU General Data Protection Regulation concerns “Security of processing”:
“(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Penetration testing is an accepted and trusted component of the financial services industry’s armoury against today’s unrelenting threats.
The NIS Directive
The EU Security of Network and Information Systems (NIS) Directive came into effect on 10 May 2018.
Financial services firms operating in more than one European member state have to comply with the NIS in those member states.
For relevant digital service providers (RDSPs) and operators of essential services (OESs), there’s an implied need to introduce controls to reduce risk and increase resilience. NIS doesn't mandate penetration testing, but it's a tangible way of evidencing that your security controls are functioning effectively.
You can read the response from the UK Finance body to the publication of the NIS Directive here: UK Finance response to Department for Digital, Culture, Media and Sport consultation on the implementation of the NIS Directive.
What the Financial Conduct Authority Says
The FCA doesn’t have a specific clause around penetration testing but is unambiguous on the need for the financial sector to protect their critical information. The authority reported:
“In 2017 we had 69 material attacks reported to us, an increase on the 38 last year and the 24 the year before.”
The FCA advises audited firms to put the necessary security controls in place and offers insights and guidance here: Building cyber resilience.