Information security in financial sector entities is assessed in several stages – regulation is likely to become more stringent
The need for an adequate level of information security has recently been raised in public debate. Information security refers to arrangements aimed at ensuring the confidentiality, integrity and availability of information.1
Information security requirements for the financial sector are laid down in legislation and the FIN-FSA’s regulations and guidelines
Supervision of information security is an integral part of the supervision of the operational risks2 of service providers in the financial sector, which is one of the FIN-FSA’s basic tasks. The requirements for information security are laid down in several special acts, and financial sector participants must comply with them. For example, the Credit Institutions Act stipulates that a credit institution must have measures to identify, assess and manage operational risks. A credit institution must have adequate, safe and reliable payment, securities and other information systems. A credit institution must also ensure that contingency and business continuity plans are in place to ensure its ability to operate on an ongoing basis and to limit losses in the event of severe business disruption.
The FIN-FSA has been given, in several special acts, powers to issue more detailed regulations and guidelines on the adequate level of information security in its supervised entities.3
Information security is assessed even before operations begin
Operating in the financial sector is subject to authorisation. Only applicants that meet the minimum regulatory requirements may be authorised to carry out activities in the sector. In order for authorisation to be granted, the applicant entity must demonstrate that it meets the requirements for operational risk management. Applicants often demonstrate that they meet the information security requirements by obtaining an external independent assessor’s statement on information security (auditing).
Once authorisation has been granted, the entity becomes an entity supervised by the FIN-FSA and is subject to ongoing supervision. The FIN-FSA may conduct a supervisor’s review and evaluation (risk assessment, SREP) of the supervised entity, which may also comprise an assessment of the entity’s compliance with information security requirements. Other instruments available to the supervisor include inspections and assessments of outsourcing in the case of outsourcing of material IT activities.
Information security must also be taken into account when the provision of services is to be discontinued. A plan for the cessation of service provision or the transfer of services is often already required when an entity applies for authorisation.
Level of information security in Finland generally good – incident and disruption reports provide valuable additional information to the supervisor
Finnish financial sector companies have generally fared well in comparisons of levels of cybersecurity.4 Nevertheless, it must be borne in mind that there is no such thing as 100% information security. Maintaining information security requires continuous development and comprehensive consideration of information security in all processes.
The FIN-FSA receives status information from supervised entities via notifications, as many regulations oblige supervised entities to report on faults and disruptions in operations to the FIN-FSA. These incident reports are used in supervision in many ways. Based on the reports, the supervisor can make observations on individual supervised entities and identify occurrences encountered by a larger number of entities. The supervisor also compiles anonymised data aggregations from the reports for use by European supervisory authorities. The data compilations enable the monitoring of occurrences at European level.
Tighter regulation in the foreseeable future
On 24 September 2020, the European Commission issued a comprehensive Digital Finance Package containing, among other things, a proposal for a regulation on digital operational resilience, the Digital Operational Resilience Act (DORA). If implemented, the Act would, for example, impose an obligation to carry out information security tests covering the ICT function and, for significant financial market actors, the obligation to conduct advanced penetration tests, i.e. test the system for information security risks. Supervision of outsourcing would be further tightened. In addition, the proposed Act envisages the establishment of a separate oversight framework for critical ICT third-party service providers, in which case significant ICT service providers would also be brought within the remit of financial supervisors.
The EU Directive on Security of Networks and Information systems5 (NIS Directive) is also under review at present. It is possible that information security requirements will be extended in this context, too. The Ministry of Transport and Communications, in turn, has appointed a working group to examine ways to improve information security and data protection in critical sectors of Finnish society.6
1 Confidentiality means that information is only available to authorised users and is not disclosed to others. Integrity means that information has not been modified without authorisation or by accident and that any changes can be verified. Availability refers to how information, an information system or a service can be used at the desired time and in the required manner. Availability also includes the aspect that there are necessary back-up facilities in place in case of faults and disruptions.
2 Operational risk means the risk of loss associated with
• inadequate or failed internal processes
• external factors.
3 See e.g. Regulations and Guidelines 8/2014, Management of operational risk in supervised entities of the financial sector
4 See e.g. https://www.huoltovarmuuskeskus.fi/johdon-ohjaus-on-ratkaisevaa-yrityksen-kyberkestavyyden-kannalta/ (in Finnish).