The European Securities and Markets Authority, or Esma, on Thursday announced that from 2025, cyber risk and digital resilience in Europe’s securities sector will take precedence alongside ESG reporting in terms of overarching priorities for the supervisors in EU member states.
Esma said its decision to elevate cyber resilience to an EU level priority aims to tighten the oversight of IT risk management among financial firms so that Europe’s financial markets can stand firm against the rising tide of cyber threats. The alignment of this initiative with the Digital Operational Resilience Act (Dora) underscores the integrated approach to digital security Esma intends to foster.
With cyber resilience being elevated to the highest priority level within the Esma community, fund and asset managers need to brace for increased scrutiny of their internal systems, inhouse processes and governance in regards to the safety of their IT systems. The prospect of tighter supervision on this theme means that firms who still need to upgrade their systems basically have one year if they want to avoid the risk of having their hands slapped by supervisors.
‘Mitigating cascading effects’
“This development points to a more robust framework to preempt and mitigate potential cascading effects of cyber incidents across the financial sector,” Esma said.
The new EU-level priorities will come into force in 2025, at the same time as the Dora framework. “This timeline is intended to provide supervisors and firms in Member States with sufficient time to prepare for compliance with the new regulatory requirements. Meanwhile, ESMA and national competent authorities (NCAs) will carry out preparatory work planning and shaping the supervisory activities to undertake under this priority,” Esma said.
Luxembourg’s financial supervisor CSSF already has flagged that Dora, applicable from January 2025, poses also a challenge for supervisors themselves. Director-general Claude Marx, in the 2022 annual report, said the CSSF needs to adapt to “this complex, changing environment” with digital products, services and networks, “ without compromising its core mission, consumer and investor protection and contribution to financial stability.” CSSF in 2022 invested some 23,000 training hours for its agents. That is the equivalent of 25 hours per agent on a staff of close to 1,000 people.
Red-team hackers
CSSF is a permanent member of the European Supervisory Authorities’ Sub-Committee on Digital Operational Resilience. It also has started to oversee the first tests under the so-called Tiber-EU framework, where threat intelligence and red-team hackers work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks.
Dora’s objective is to develop a single regulatory and supervisory framework for digital resilience in the financial sector, covering ICT governance, ICT risk management, digital operational resilience testing such as advanced penetration testing simulating cyberattacks, a harmonised incident reporting process, managing risks resulting from third party ICT service providers and information sharing.
Ahead of 2025, Esma will collaborate with national competent authorities such as the CSSF and AFM and will be engaged in preparatory groundwork, defining the contours of the supervisory activities to be conducted under this revised priority, it said.
ESG disclosures focal point for 2024
Supervisors “will persist in refining ESG disclosure practices to combat greenwashing, augment investor comprehension, and integrate sustainability in advisory services. This initiative is slated to be the focal point in 2024, spanning crucial segments like issuers, investment managers, and investment firms within the sustainable finance ecosystem,” it said.
The reshuffled priorities will see cyber risk and digital resilience replace market data quality, which has been a major area of intensive supervisory efforts by Esma and national supervisors. Esma said the fruits of these efforts are evident in the creation of unified data quality methodologies and data-sharing frameworks, alongside advancements in supervisory tools and intelligence extraction from reported data.
“Ensuring data quality remains a primary duty of supervised entities,” Esma said. “Firms, and in particular their top management, should take ownership of the data they report and increase its use also for internal purposes. EU supervisors will continue to undertake important supervisory work on data quality, leveraging on the new methodologies and tools developed.”
The EU-level priorities, formally known as Union Strategic Supervisory Priorities, or USSPs, are seen as an important tool through which Esma coordinates and focuses supervisory actions with national supervisors across the EU.