Anti Terracide Financing: The New Frontier in AML

The fight against the many forms of financial crime has been going on for many decades now. It is an important issue. Financial crime can rob companies of years of hard work spent building wealth and shareholder value, at a stroke. Financial crime can subject individuals and even whole populations to a lifetime of misery and poverty. Financial crime can subvert whole economies. It can fritter away the finite natural resources of the planet.

Yet there are bigger issues than financial crime facing the planet at present, which are growing in impact and urgency, and which require concerted international action. This comes at a time when the world is becoming increasingly fragmented by nationalistic policies, exacerbated by a global pandemic and the fracturing of international trade. So the question is how we can align our global effort on money laundering and financial crime with these more pressing global issues. Here are ten key issues to address:

  1. Climate change

Moves towards net zero, limiting temperature rise to 1.5°C, and the forthcoming COP 26 are well aired. Yet four of the seven stock indices of the G7 countries, including the FTSE 100 and S&P 500, are on temperature pathways of 3°C or above. Not a single one of the G7’s leading stock indices is currently aligned with a 1.5°C or 2°C pathway. Financial markets will need to bite the bullet.

  2. Biodiversity loss

Biodiversity is the variety of all living things on the planet, and how they fit together in the web of life, bringing oxygen, water, food and other benefits to every part of the global ecosystem. Recent reports and studies about the state of nature are very worrying. In 2019 an intergovernmental panel of scientists highlighted one million animal and plant species now threatened with extinction. In 2020, a report found global populations of mammals, birds, fish, amphibians and reptiles plunged by 68%, on average, between 1970 and 2016. Illegal wildlife trafficking is now one of the five largest crimes worldwide.

  3. Deforestation

About 31% of the earth’s land surface is covered by forests. More than half of all plant and land animal species in the world live in tropical forests. The most concentrated deforestation occurs in tropical rainforests. 15 – 18 million hectares of forest, an area the size of Belgium, are destroyed every year. On average, 2,400 trees are cut down each minute. Wildfires are increasing as a result of global warming.

  4. Desertification

More than 75% of the earth’s land area is already degraded, according to the European Commission’s World Atlas of Desertification, and more than 90% could become degraded by 2050. The Commission’s Joint Research Centre found that a total area half of the size of the EU (4.18 million km²) is degraded annually, with Africa and Asia being the most affected.

  5. Soil degradation

Soil fertility has declined considerably in many parts of the world due to intensive agriculture, over-grazing, water pollution, increasing use of fertilisers and pesticides, salinisation, deforestation and accumulation of non-biodegradable waste. Today, our food only contains 5-20% of the nutritional value of 100 years ago. Soil mineral depletion as compared to a century ago ranges from 72% in Europe to 85% in North America. Only Australia fares better at 55%.

  6. Plastics pollution

From having little impact on the climate just 20 years ago, the production and disposal of plastic now uses nearly 14% of all the world’s oil and gas. Plastic production is expected to grow to 20% by 2050 by which time related climate emissions could rise to 2.75bn tonnes a year and plastic could be driving half of all oil demand growth. The International Energy Agency states plastic could take up to 15% of the remaining annual carbon budget and make plastic equivalent to the world’s fifth largest climate heating country, emitting more than Germany or the UK, twice as much as all of Africa and nearly as much as shipping and aviation combined. Nearly a third of plastic goes to single use packaging and less than 10% is recycled. The rest goes to landfill, incinerators (adding to emissions and increasing air pollution), or is left uncollected (8m tons ending up in the sea). Plastic is now everywhere. We each eat a credit card’s worth every week.

  7. Increased toxicity

Toxicity takes many forms, from creation and mishandling of toxic chemicals to air pollution. M.V. Wakashio crashed into a coral reef on 25 July 2020 and leaked almost 1,000 tonnes of fuel oil into Mauritian waters. The Japanese ship operator has pledged a pitiful JPY 1 billion (GBP 6.5 million) for environmental preservation efforts. X-Press Pearl, a ship laden with toxic chemicals, has caused an even worse issue in Sri Lanka just a few months ago. We need to take environmental issues much more seriously, not just as regards incidents, but policy. See for example the huge numbers of EU environmental law infringements:

  8. Ocean degradation

Oceans are important, and not just for their resources of fish. 70% of the oxygen we breathe comes from the oceans. Ocean currents are also vital in regulation of climate and there are worrisome signs that these are starting to slow down. Plastic waste is now everywhere in our oceans, and inside us. The number of overfished stocks globally has tripled in half a century and 1/3 of the world’s assessed fisheries are currently pushed beyond their biological limits.

  9. Population increase

Global human population growth amounts to around 83 m annually (about the size of Germany), or 1.1% per year. The global population has grown from 1 bn in 1800 to 7.9 bn in 2020. UN estimates have put the total population at 8.6 billion by mid-2030, 9.8 billion by mid-2050 and 11.2 billion by 2100. It is not just raw population figures that are the issue. 1.3 bn tonnes of food are wasted each year. That is a heavy economic cost of USD 1 trn, and a huge cost to the planet and its ecosystems. Rates of consumption also differ, so each American, for example, consumes 7 times the amount of the average Indian. India has 1.4bn people, the US 330m. Yet in consumption terms, the effective population of the US (compared to India) is 2.31 bn.

  10. Water shortages

Water shortages now affect more than 3 billion people around the world. The amount of fresh water available for each person has plunged by 20% in 20 years. More than 60% of irrigated cropland is highly water stressed. Water covers 70% of the earth’s surface, but only 3% is fresh water, and two-thirds of that is locked up in glaciers. Rivers, lakes and aquifers are drying up or becoming too polluted for use. Over half of the world’s wetlands have disappeared. Climate change is altering patterns of weather and water around the world, causing droughts for some and floods for others.
So how does all this fit in with the financial crime agenda? Some of the above have aspects which have been criminalised, such as environmental crime and illegal wildlife trafficking, though enforcement is difficult. Many of the above may be associated with more general financial crimes, such as corruption and money laundering. However, certain behaviours which adversely impact the planet have yet to be criminalised, or do not lend themselves easily to policy change which could result in criminalisation. Others may be regarded as new forms of fraud, such as greenwashing (see the current IOSCO consultation). However, it is certainly worth addressing how the financial crime community could assist in progress on the above planetary issues, whether through:

  • changes to the sanctions environment
  • blacklisting countries, industries and individuals which ignore terracide issues
  • criminalisation of certain terracide behaviours
  • debarring recalcitrant firms from bidding for government or international contracts
  • ramping up enforcement on the financial aspects of terracide issues
  • refocusing the FATF 40 Recommendations
  • drawing up new conventions, toughening others and strengthening international cooperation

We may also need to reconsider certain fundamentals, such as:

  • the raison d’être of companies being to provide shareholder value
  • creation of new economic theory which is not GDP or growth based
  • recognition of the concepts and value of “natural capital” or “earth capital”
  • moving away from concepts of ownership to stewardship
  • moving from assessing short term profitability and economic quick wins to planetary impact analysis and sustainability
  • rebalancing spending, e.g. the UK commitment to a £3bn nature fund sounds great, but a distortion when contrasted against £100 bn plus for the HS2 rail project
  • building high terracide risk into Enhanced Due Diligence programmes
  • securing real cultural change
  • making anti corruption agencies truly independent, armed with effective powers

There is certainly little time to lose. Our future depends on quick action and success. Now is the time to bring Anti Terracide Financing to the forefront.

AML in Europe: Time to Get Serious

The EU Task Force on Improving AML Effectiveness across Europe has just finalised its report and you can access it here. Richard Parlour is the co-rapporteur. The report looks at all the key strategic difficulties in AML in terms of three pillars: Governance, Risk Management and Capability. We hope you enjoy it.

We also have a specialised summary as to how the various issues raised translate themselves into practical issues for private sector institutions, and the steps you need to consider to reduce your risk and increase your profitability. There is a separate one for public sector institutions. Please feel free to make contact for a copy.

Coronavirus and Resilience

This blog considers the legal, regulatory, logistical and personal protection measures you can take during the current outbreak to protect you and your business.

A. Legal Considerations

1. Business Continuity

Now is the time to dust off your business continuity plan and bring it into action. Who is in key positions in the plan and has every position got a backup person? How do you communicate in such a scenario and what extra resources do you need? Do you need to make changes to your business “battle rhythm”? What are the indicators which you need to look for so that you can start going back to normal or find new ways to boost your business?

2. Regulatory Requirements

Do any regulatory requirements apply to your business? For example, on 4 March, FCA made the announcement “We expect all firms to have contingency plans in place to deal with major events. Alongside the Bank we are actively reviewing the contingency plans of a wide range of firms. This includes assessments of operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to serve and support their customers.” What is the impact on your capital adequacy requirements and cashflow?

3. Contract considerations

The impact of the Coronavirus may affect your contractual performance, whether you can perform on time or at all. Stay in touch with your supply chain (both upstream and downstream) and agree what you will do in the light of events. Consider whether any contracts you have entered into have a force majeure clause, and how that clause will operate. Are others you have contracted with using the virus as an excuse? If you do not have a force majeure clause, does the legal concept of frustration of contract apply? Each contract will need to be examined in the light of the particular circumstances.

4. Staff

You clearly need to look after your staff, but what policies do you have on sickness, how do you apply them, what about those medically or first-aid trained, and what measures do you need to put in place in the workplace and for travel to and from home or between workplaces? There are legal requirements not to discriminate on grounds of sex, age, ethnicity, etc., but when the coronavirus seems to have a particularly bad effect on those aged over 40, and on men more than women, do you need to put in place different measures for different groups of staff who are at different levels of risk? What is the position on sick pay? Can you claim any of it from Government sources? What of staff who need to take time off to care for their family members? What is the impact on your disciplinary procedures, if any? What about staff who are required to self-isolate but show no symptoms?

5. Government and Regulatory Requirements and Advice

What changing governmental and regulatory requirements apply to your business, and how do you keep abreast of them? Do any of them have such an adverse effect that you may need to seek a derogation? Are any pronouncements open to challenge, or give rise to rights of compensation?

6. Directors’ Duties

Directors have certain duties at common law including the duty to act in good faith in what the director considers to be the best interests of the company. There is also a duty to act honestly and responsibly in how the company conducts its affairs. Directors also have certain statutory duties under health and safety and environmental law. How should these be carried out in a coronavirus environment? How do you devote sufficient time to business continuity and at the same time deal with the unexpected arrival of coronavirus? Certain sectors such as food, travel and entertainment are likely to be particularly badly hit. Others, in certain parts of the health sector for example, may have a boom. There are likely to be some tough calls over the coming weeks. Ensure that you carry out and document your thought and decision making process clearly and fully.

7. Insurance

What insurance do you have and what do you need? What are the conditions set out in the policy, particularly as regards notifying your insurer? What is covered and what is not covered? How much does cover extend to? What steps does your insurer require you to do in order for you to be paid under the policy? See what the policy has to say about business interruption, public liability and staff compensation. You may need to show a causal link between the virus and the losses you have incurred. Make sure that is well documented and keep an eye on the market. Remember that you have a general legal duty to mitigate your loss.

B. Logistical Considerations

Seeing as there is no scientific knowledge yet as to how the virus spreads, it is best to take certain precautions:

Business considerations

  • Reassess your corporate culture, the balance between promotion to keep the business going, and prevention against the virus and business interruption
  • Check out the logistical implications of your business plan
  • Can your staff work remotely, if so how many, and how?
  • For those who cannot work remotely, or who will need to visit the office from time to time, what safety precautions are needed?
  • What is your succession plan if one or more of your team become infected and unable to work or have to self-isolate?
  • What essential travel is needed, and what safety precautions should you apply?
  • How do you communicate with your staff? Do you need to set up new social media channels? What about backup communications? What about those you need to communicate with who are not on social media?
  • What cybersecurity arrangements do you need to put in place? Check on encryption systems, use of VPNs, sending sensitive documentation electronically or by post or courier. Do you need extra hardware, software, or need to revisit IT policies?
  • How do you counteract fake news, or coronavirus related fraud attempts?
  • What business interruption insurance do you have or need?
  • How is the financial health of the company, and how do you maintain it in the event of lockdown?

Personal considerations

  • Avoid large events with lots of people. Some large events are still proceeding. However, increasing numbers are being postponed to summer or even autumn
  • Are there certain types of people you particularly need to stay away from, not only those who you know have contracted the virus, but also those who have a higher virus risk profile, such as those working in the medical profession? What steps should you take in your interaction with them?
  • Avoid touching high touch areas and things such as handrails, doorplates, etc.
  • If wearing a mask, use the right one (N95 or 96), know how to fit and remove masks properly and safely, and consider wearing gloves too
  • Observe physical distancing and adopt new greetings like prayer hands, “jazz hands”, nodding or bowing
  • Eat in rather than eat out
  • Drink in rather than drink out
  • Have food and supplies delivered rather than go shopping, if possible
  • Ensure you have sufficient supplies of any medications you are on
  • Ensure you have supplies of any foodstuffs, drinks, cleaning and protection materials you may need
  • Obtain any medical kit you may need such as a thermometer (maybe a forehead thermometer to avoid touching the skin), medication to reduce temperature
  • Consider holiday plans, whether postponement or rearrangement or cancellation

Monitor the news daily, not only in this country, but in other countries which have had a worse outbreak and see what measures are being introduced there. Those measures may soon be applied in your country. How would you cope with them? What measures would you need to take or refrain from taking?

C. Personal Health Measures

UK government and WHO advice is to wash your hands more often, avoid touching your face, sneeze into tissues or your elbow. However there is more we should be doing to improve chances of not catching it, and of surviving it if we do.

From talking to people in Italy in particular, it seems pretty much the best thing to do is to self isolate as much as possible, so stay away from places where there are lots of people, and work from home if you can. The good news, however, is that going for walks is a good idea, provided you don’t meet many people and you avoid touching high touch areas on gates and stiles. The same goes for petrol pump handles, pin number machines and screens. Wear gloves and either dispose of afterwards or disinfect immediately. Wear an N95/96 mask, at least it should give you some protection. Sun on your skin generates vitamin D, which ups your immunity and explains why there are fewer flu cases in the summer.

It is a good idea to work on building your immune system up just in case you do catch the virus. Essentially this means getting lots of vitamin C (the Chinese are using intravenous vitamin C to treat the virus). It also means a diet which contains foods to boost the immune system. Examples include:

  • Almonds
  • Blueberries, elderberry syrup
  • Broccoli
  • Dark chocolate
  • Garlic
  • Ginger
  • Green tea
  • Kefir
  • Oily fish such as salmon, mackerel, tuna, pilchards, etc.
  • Spinach
  • Sunflower seeds
  • Sweet potatoes
  • Turmeric
  • Oranges, kiwi fruit, grapefruit, lemons and limes
  • Red bell peppers

You can also support your immune system with beta glucans (in oats, seaweed and shiitake mushrooms for example), immune system probiotics, zinc and B vitamins. Apart from this it is useful to get daily exercise, sun (vital for vitamin D), lots of sleep and try to avoid stress and do more stress busting activities. Most viruses thrive in a high glucose environment. If you go ketogenic and autophagic, that may help. Stay hydrated and cut out the sugar!

You might need to buy a supply of useful items if there is an element of shut down.

Remember that health consists of four fundamentally separate elements:

  • Physical – it’s not just about trying to avoid contracting the virus, but about building your immune system to give you a better chance if you catch it
  • Intellectual – stressful times like these cause unwelcome impacts on the brain and thinking, as well as reducing your immune system. Try to stay rational and think things through. Start a new hobby, develop a new skill
  • Emotional – remember to support your family, friends and colleagues by staying in touch electronically, or even by post, and stay positive. Plan your day and celebrate the small things. Maintain morale
  • Spiritual – meditation, prayer and personal guidance can be a great help, but do take care about attending services, personal space and contact, etc.

D. A Sense of Perspective

At the time of writing, Covid 19 has reportedly killed well over 160,000 people worldwide. It is likely to kill tens of thousands more. However, many more die each year from “normal” flu, malaria, accidents, etc. This is a time for rationality rather than panic. Keep a sense of perspective. China is already showing signs of recovery, so is South Korea. Other countries have good approaches we can learn from. Rather than stopping what you do, work out how to change what you do so you can carry on, safely. How will you need to change or pivot your business model? Can you do the equivalent of converting a distillery to produce sanitiser, for example? What new relationships can you enter into? Use your entrepreneurial spirit and think laterally. What could you do online? How do you up your IT skills (see e.g. for ideas).

Plan for what you will do when the outbreak is over and how you will go about life to stay safe and well, avoiding any secondary outbreak. You could well emerge stronger and more resilient than before it started.

Corporate Governance: The Latest

In the UK, the debate about corporate governance has been running since the Cadbury Code of 1992. Since those early days, a number of corporate scandals have provoked various revisions of the code. The latest iteration has just been issued in July 2018 by the Financial Reporting Council (FRC). There is no requirement to follow the Code, but the Code operates a principle of “comply or explain”. This is clearly rather more dirigiste than just leaving companies to decide whether to follow it or not, though there is only one mention of compliance throughout.

There are five elements of the revised Corporate Governance Code, with related principles. All are ones which should form part of the overall system of governance of a company, but there are others, some elements of the Code do not sit well with each other, and other areas are omitted entirely. Let’s take a look:

1. Board Leadership and Company Purpose

A. A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society.
B. The board should establish the company’s purpose, values and strategy, and satisfy itself that these and its culture are aligned. All directors must act with integrity, lead by example and promote the desired culture.
C. The board should ensure that the necessary resources are in place for the company to meet its objectives and measure performance against them. The board should also establish a framework of prudent and effective controls, which enable risk to be assessed and managed.
D. In order for the company to meet its responsibilities to shareholders and stakeholders, the board should ensure effective engagement with, and encourage participation from, these parties.
E. The board should ensure that workforce policies and practices are consistent with the company’s values and support its long-term sustainable success. The workforce should be able to raise any matters of concern.

The place to start is with the vision for the organisation and its rationale. It is extremely difficult to work out what to do effectively if the corporate destination is unknown. Start with “Why?” Once current and future locations are known, the company’s mission is far easier to set. The final part of setting a governance structure is culture. This is also vital from an intellectual property perspective. Whilst products and services can be copied, and values mimicked, culture is almost impossible to steal. Clarity on the above is the foundation upon which the other elements referred to can be built and operated.

2. Division of Responsibilities

F. The chair leads the board and is responsible for its overall effectiveness in directing the company. They should demonstrate objective judgement throughout their tenure and promote a culture of openness and debate. In addition, the chair facilitates constructive board relations and the effective contribution of all non-executive directors, and ensures that directors receive accurate, timely and clear information.
G. The board should include an appropriate combination of executive and non-executive (and, in particular, independent non-executive) directors, such that no one individual or small group of individuals dominates the board’s decision-making. There should be a clear division of responsibilities between the leadership of the board and the executive leadership of the company’s business.
H. Non-executive directors should have sufficient time to meet their board responsibilities. They should provide constructive challenge, strategic guidance, offer specialist advice and hold management to account.
I. The board, supported by the company secretary, should ensure that it has the policies, processes, information, time and resources it needs in order to function effectively and efficiently.

The best starting point for the above is to map an organigram of the organisation, both in its current state and future desired end state. Go through it to ensure all business functions are included. Next, check against all potential conflicts of interest, and assess ideal reporting lines, finally checking the balance between all elements and ensuring against a 50/50 lockout.

3. Composition, Succession and Evaluation

J. Appointments to the board should be subject to a formal, rigorous and transparent procedure, and an effective succession plan should be maintained for board and senior management. Both appointments and succession plans should be based on merit and objective criteria and, within this context, should promote diversity of gender, social and ethnic backgrounds, cognitive and personal strengths.
K. The board and its committees should have a combination of skills, experience and knowledge. Consideration should be given to the length of service of the board as a whole and membership regularly refreshed.
L. Annual evaluation of the board should consider its composition, diversity and how effectively members work together to achieve objectives. Individual evaluation should demonstrate whether each director continues to contribute effectively.

Diversity is an interesting topic. The assumption appears to be that diverse boards and organisations produce better decisions than those which are not so diverse. A word of warning, however, to avoid diversity for diversity’s sake. Ensuring that the necessary skills, knowledge and experience exist and work well together is one thing. Ending up with a Tower of Babel where the decision making process is mired in correctness and there is no effective organisational culture is quite another. Getting people who align with the culture will be more of a key to success. A warning on evaluation settings too, as these can take over a decision making process and heavily distort success. Make sure they are useful, and aligned with organisational culture.

4. Audit, Risk and Internal Control

M. The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.
N. The board should present a fair, balanced and understandable assessment of the company’s position and prospects.
O. The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

Avoidance of bias and conflict is crucial, as indicated above. Yet this needs to be applied to other functions of the organisation than audit. Remember that risk is not necessarily a bad thing. No risk, no action. No action, no success. Carry out a benefit cost analysis, not a cost benefit analysis.

5. Remuneration

P. Remuneration policies and practices should be designed to support strategy and promote long-term sustainable success. Executive remuneration should be aligned to company purpose and values, and be clearly linked to the successful delivery of the company’s long-term strategy.
Q. A formal and transparent procedure for developing policy on executive remuneration and determining director and senior management remuneration should be established. No director should be involved in deciding their own remuneration outcome.
R. Directors should exercise independent judgement and discretion when authorising remuneration outcomes, taking account of company and individual performance, and wider circumstances.

This element has become highly politicised, essentially since remuneration multiples have increased as between the highest and lowest paid in organisations in recent years. What might be more useful is to avoid taking on the corporate “surfers”. These are easy to spot as they are the directors who move on every two years, are really only in it for themselves, almost guaranteed to be a drag on your organisation’s success, usually massaging results by cutting vital elements of the organisation’s services to improve profitability with no thought to the future (as they will be gone within two years anyway).

The latest version of the Code thus has some useful elements, but do not view them as comprehensive, and do not ignore the practicalities behind organisational success. It would be interesting to gain your views on the new Code and what has been set out above. Do not hesitate to get in touch!

EU Cybersecurity Policy in the Financial Sector

With the inexorable rise of e-commerce comes the inexorable rise of the e-criminal. Cybercrime is now the world’s fastest growing crime. It has leapt to number two of the top ten business risks worldwide, from not even appearing in that list five years ago. For certain countries, cyberattack is now the risk of greatest concern. Gone are the days of concern about a low-level hack of a website by a script kiddie. Today’s attackers are multi-faceted and increasing in sophistication, ranging from advanced persistent threats, corporate espionage, organised crime and “hacktivists” to cyberterrorists, ever more competent, and ever better funded. Cybersecurity has moved from being a technical issue to a political and boardroom issue. Financial markets are particularly important as they oil the wheels of all member state economies.

So what should the priorities of cybersecurity be? There are three core themes to address:

  • Governance (at all of organisational, international and national levels)
  • Risk Management (both contextually and intelligence driven)
  • Capability (cybersecurity by design and by default, using a standard framework applied to context)

Amid several large cyberattacks in 2017, the European Commission adopted its multi-sector cybersecurity package. Nonetheless, a multitude of issues remain that the financial sector needs to address in order to bolster its resilience against current and future threats.

An EU Task Force on Cybersecurity Policy for the Financial Sector was established, chaired by Richard Parlour of FMLI. The key policy recommendations are set out below.

The policy recommendations

1. Convergence in the taxonomies of cyber-incidents is needed.

2. The framework for incident reporting needs to be significantly improved to contribute fully to financial institution cyber-resilience.

3. Authorities should assess how and to what extent data held by the centralised hub should be shared and with whom.

4. Ambitious policies are needed to develop consistent, reliable and exploitable statistics on cyber-trends.

5. Best practices for cyber-hygiene should be continuously enhanced.

6. The European Cybersecurity Certification Scheme needs to be strengthened to contribute better to cybersecurity, cyber-risk management and capability.

7. The reinforcement of cross-border cooperation and legal convergence remains a priority, both within the EU and more widely.

8. Best practices in remedies in case of cyberattacks need to be further encouraged.

9. Policy-makers should further assess the pros, cons and feasibility of creating an emergency fund in case of large cyberattacks.

A common taxonomy for cyber-incidents

A common taxonomy across regulations, jurisdictions and sectors should ease the understanding of multi-country and multi-sector cyberattacks, and eventually strengthen the quality of responses. Given the ever-changing nature of cyberspace, the reference taxonomy should be flexible enough to be revised regularly. This common taxonomy should include specific variants applicable to different sectors.

Wherever possible, convergence in templates for incident reporting is needed across legislation. However, given the diversity of purpose of legislation, full harmonisation in those templates remains challenging.

Incident reporting framework

The emergence of different reporting requirements (notably in GDPR, PSD2, NISD, ECB/SSM, the eIDAS regulation and Target 2) raises questions as to the best cyber-incident framework to boost financial institution cyber-resilience.

First, national templates for the NISD and GDPR should be harmonised across the EU. Secondly, large firms active in different countries need to develop adequate processes to consolidate their “overall cyber-risk” at group level. Thirdly, authorities should be able to exploit the content of incident reporting to inform and advise CSIRTs in return. For that purpose, policy-makers and firms should assess together the risks and opportunities of developing a standard messaging system.

Fourthly, the creation of a European sectoral hub in charge of centralising all incident reports, dispatching the right information to stakeholders and advising both authorities and CSIRTs could greatly reinforce the incident reporting framework. Finally, in order to create a resilient cybersecurity framework that could efficiently handle multi-sectoral cyberattacks and prevent contagion from one sector to another, the hub should also be able to cover all economic sectors.

Data sharing by a centralised hub

Authorities should encourage the set-up of platforms to facilitate voluntary exchange of cyber-information between financial institutions. In parallel, incident reporting requirements should fully contribute to financial institution cyber-resilience. Incident reporting data should be quickly shared with relevant stakeholders.

First, a centralised hub in charge of incident reporting should quickly provide relevant supervisors with the right information on cyberattacks. Secondly, the hub needs to share relevant information with financial institutions, provided there is balance between building up an efficient collective response to cyberattacks and safeguarding firms’ interests. To provide technical assistance to those firms, the hub would need a clear mandate.

Sharing information with firms’ potential clients, through the development of cyber-ratings that mirror the cyber-risk to which each supplier (and therefore its potential clients) is exposed, should be based on market rather than regulatory initiatives. Tight security of the data managed by the centralised hub should be the main priority.

Macro statistics benchmark

The absence of a macro statistics benchmark on cyber-trends and the poor consistency across sources raise the risk that the cyber-strategies of firms and cyber-policies are not well-founded. If a centralised framework is developed for incident reporting, robust and relevant macro statistics could be developed at national and European level.

Specifically, robust statistics on the financial impact of cyberattacks will enable better understanding of the overall impact of attacks and inform cyber-policies and strategies. However, the complexity of measurement at firm level has so far made consistent methodologies impossible. A principle-based list should operate at EU level, with the aim of enhancing best practices to measure both “tangible” and “intangible” factors. Convergence should be achievable provided that collaboration is improved between cyber-authorities, CSIRTs, CFOs, CIOs and other authorities.

Promoting cyber-hygiene

Authorities should continue to enhance best cyber-hygiene practices. Principle-based lists should be updated on a regular basis. At present they should for example include conducting adequate education and awareness activities, updating programs regularly and patching systems, creating complex passwords and changing them frequently, using micro-segmentation, multifactor authentication and encryption of sensitive data, implementing the least privilege principle, developing an adequate strategy to handle shadow IT and establishing an incident response and reporting plan.

European Cybersecurity Certification Scheme

Given the rising importance of digital technologies and their vulnerability to cyberattacks, authorities need to address information asymmetries and the fragmentation of standards in national certification. A European Cybersecurity Certification Scheme could be a powerful tool for reinforcing harmonisation, raising awareness and ensuring mutual recognition.

Yet the Commission’s current proposal lacks practical operability and adds unnecessary complexity. As the scheme’s success depends on voluntary participation, value added must exceed costs. With too many issues left unclear, the current European Cybersecurity Certification Scheme needs to be strengthened to have a positive impact on cybersecurity.

Reinforcing cross-border cooperation and legal convergence

The cross-border framework to facilitate exchange of information and electronic evidence for prevention, investigation and attribution of cross-border cybercrimes needs further development. When cyber-criminals are identified, convergence in national legal frameworks is needed to facilitate extradition.

Enhancing best practices in remedies after cyberattacks

Best practices in cyberattack remedies need encouragement by EU and national supervisors through core principles. These include robust methodologies to assess how firms and/or clients share cyber-liability. Principles should also cover the best remedies where data theft has no immediate financial loss.

Emergency fund in case of large cyberattacks

Authorities should assess the feasibility of developing an emergency cyber-fund to alleviate the risk of financial instability in case of major cyberattack. Criteria for a cyber-incident to qualify will have to be well defined in advance.

The benefits and costs of the different options to create such a fund require careful analysis. Could existing EU natural disaster funds be extended to cyberattacks, or would it make more sense to create a fund that covers all operators of essential services?

Please contact us if you would like a copy of the full report, or to discuss any cyber issues you may have.