The security of sensitive data (including data covered by banking or professional secrecy) is currently one of the main drivers of the “regulatory tsunami” affecting, among others, the financial sector. Universal digitization is, on the one hand, an important step towards spreading financial services among the least banked and, on the other, a source of high risk, because IT systems are vulnerable to attack. Both at the level of the European Union (including the Cybersecurity Act) and at national level (the Act on the National Cybersecurity System, UKSC, which implements Directive 2016/1148, the so-called NIS Directive), various legislative initiatives have been taken to strengthen the resilience of these systems and safeguard customer data. Banks, as entities potentially exposed to cyber attacks, must also apply various safeguards and meet high standards if they are designated as key service operators. I will focus on this second aspect today. Get ready!
What is a key service operator in the first place? According to art. 5 paragraph 1 UKSC, it is an entity which:
- belongs to one of the sectors listed in Annex 1 to the UKSC (for banks, the banking and financial market infrastructure sector);
- has an organizational unit in Poland; and
- has “obtained” a decision recognizing it as a key service operator (in the case of banks the decision is issued by the Polish Financial Supervision Authority, KNF/PFSA).
While the first two conditions are basically “clear”, the third requires clarification. Issuing such a decision depends, apart from the decision of the competent authority itself, on:
- the entity providing a key service (for example, deposit-taking activity);
- that service depending on information systems; and
- an incident (an event that has or may have an adverse effect on cybersecurity) having a significant disruptive effect on the provision of that service.
Whether an incident would have a significant disruptive effect is determined with reference to the Regulation on the list of key services and the materiality thresholds for the disruptive effect of an incident on the provision of key services (the threshold applies to selected key services). For banks, the criterion adopted is the bank's significant market share, determined according to the methodology set out in the Banking Law (Article 3 point 35); at a certain level of generality it can be stated that the share must be at least 2%.
Once the above conditions are established, the authority (here the PFSA) is empowered to issue a decision, which is immediately enforceable. Immediately after the decision is issued, the entity is entered on the list of key service operators kept by the Minister of Digitization.
What are the basic duties?
They are set out in art. 8 and subsequent articles of the UKSC, and there are quite a lot of them, although for banks they should not be a “novelty” given the high requirements already imposed by the regulator. The most basic duties of a key service operator include:
- designating a point of contact with the entities making up the national cybersecurity system;
- educating and informing users about cybersecurity threats (such information must appear, among other places, on the bank's website, but also e.g. in online banking);
- transferring certain data to the KNF (e.g. notice of termination of the key service).
There are also more detailed ones:
As a key service operator, the bank must have a security management system meeting stringent requirements, including in terms of:
- systematic estimation of the risk of a cybersecurity incident;
- implementation of technical and organizational measures adequate to the estimated risk (these are described quite well in KNF Recommendation D and the Polish API group recommendations already mentioned), which also covers physical security of access to the infrastructure, an appropriate Business Continuity Plan and implementation of a security policy;
- analysis of the latest cybersecurity threats and performance of penetration tests and, where applicable, stress tests;
- incident management (here the EBA Guidelines on operational and security risks, the KNF announcement on incident reporting and the EBA Guidelines on the same reporting will be helpful);
- ensuring an adequate level of security of the processed data; and
- enabling secure communication within the national cybersecurity system.
As part of incident management, it is important to provide the competent authorities with relevant information, especially about major incidents. The UKSC specifies the detailed conditions for providing this information (including the manner and the scope of the required data; however, this is a topic for a separate article). It will also be extremely important to properly record and archive information about the occurrence of an incident, how it was handled, and its possible impact on users and/or service continuity.
There are other responsibilities
Other obligations include the obligation to maintain (and regularly update) cybersecurity documentation. The scope of this documentation is specified in the Regulation on the types of documentation regarding the cybersecurity of the information system used to provide the key service.
The most important will be the technical and security documentation, because its disclosure could allow third parties to gain access to the systems and the data held in them. This includes documentation on security management, infrastructure protection and business continuity management, as well as technical documents specific to the banking sector (payments). It is accompanied by other operational documents, including the security policy, procedures for handling and reporting incidents, records of regular maintenance of infrastructure and software (including updates), and reports on completed activities.
For this reason, art. 10 UKSC obliges the key service operator to ensure that such documentation:
- is available only to authorized persons, on a deny-by-default (“deny all”) basis;
- is protected against misuse or loss of integrity; and
- carries an appropriate reference number (control number/symbol) on each subsequent version.
These are extremely important documents; their loss or “leakage” could significantly contribute to an incident and expose the key service operator to an effective cyber attack.
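To make the three art. 10 properties concrete, here is an added example (not code from the article, the UKSC or any bank) of how a documentation registry could enforce them as technical controls: an explicit allowlist per document so that access is denied unless it has been granted, a SHA-256 digest recorded for every version so that tampering is detected, and a sequential control number that is never reused. The document IDs, user names and contents are constructed sample data; `DocRegistry` and its methods are hypothetical names chosen for this illustration.

```python
"""Added illustration (not from the article or the UKSC text): a minimal
documentation registry implementing the three art. 10 properties as
technical controls -- deny-by-default access, integrity protection via
SHA-256 digests, and a sequential control number for every version.
All documents, users and contents below are constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DocVersion:
    control_number: str   # e.g. "BCP/v002"; assigned sequentially, never reused
    sha256: str           # hex digest of the content stored under that number


class DocRegistry:
    """Tracks versions and an explicit allowlist for each document (hypothetical name)."""

    def __init__(self) -> None:
        self._versions: dict[str, list[DocVersion]] = {}
        self._acl: dict[str, set[str]] = {}   # doc_id -> users explicitly allowed

    # --- access control: everything not explicitly granted is denied ---------
    def grant(self, doc_id: str, user: str) -> None:
        self._acl.setdefault(doc_id, set()).add(user)

    def is_authorized(self, doc_id: str, user: str) -> bool:
        return user in self._acl.get(doc_id, set())

    # --- versioning and integrity ---------------------------------------------
    def register(self, doc_id: str, content: bytes) -> str:
        """Store a new version and return its control number."""
        versions = self._versions.setdefault(doc_id, [])
        control_number = f"{doc_id}/v{len(versions) + 1:03d}"
        digest = hashlib.sha256(content).hexdigest()
        versions.append(DocVersion(control_number, digest))
        return control_number

    def verify(self, doc_id: str, control_number: str, content: bytes) -> bool:
        """True only if content matches the digest recorded for that version."""
        for version in self._versions.get(doc_id, []):
            if version.control_number == control_number:
                actual = hashlib.sha256(content).hexdigest()
                return hmac.compare_digest(version.sha256, actual)
        return False   # unknown version number: treat as a failed check

    def read(self, doc_id: str, control_number: str, user: str, content: bytes) -> bytes:
        """Gatekeeper: deny unauthorized users, refuse tampered content."""
        if not self.is_authorized(doc_id, user):
            raise PermissionError(f"{user} is not authorized for {doc_id}")
        if not self.verify(doc_id, control_number, content):
            raise ValueError(f"integrity check failed for {control_number}")
        return content


def demo() -> dict:
    """Walk through the controls on constructed sample data."""
    reg = DocRegistry()
    v1_text = b"Business Continuity Plan, draft 1"   # constructed sample
    v2_text = b"Business Continuity Plan, draft 2"   # constructed sample
    v1 = reg.register("BCP", v1_text)
    v2 = reg.register("BCP", v2_text)
    reg.grant("BCP", "ciso")   # the only explicitly authorized reader

    results = {
        "control_numbers": (v1, v2),
        "v1_intact": reg.verify("BCP", v1, v1_text),
        "v1_tampered": reg.verify("BCP", v1, v1_text + b" (altered)"),
        "v2_read_by_ciso": reg.read("BCP", v2, "ciso", v2_text) == v2_text,
    }
    try:
        reg.read("BCP", v2, "contractor", v2_text)   # never granted access
        results["contractor_denied"] = False
    except PermissionError:
        results["contractor_denied"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner would add: the registry itself is now the thing worth attacking. If whoever can alter a document can also rewrite the stored digest, the integrity check proves nothing, so in a real deployment the version manifest must be kept under stricter access control than the documents it protects (or signed with a key the document editors do not hold).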
All activities undertaken to implement the obligations arising from the UKSC must be subject to a security audit (at least once every 2 years), which “ends” with the auditor's report; on a reasoned request, this report may be submitted, among others, to the PFSA. Auditors must meet the very high requirements specified in art. 15 paragraph 2 UKSC.