As well as chairing the EU’s Task Force on Cybersecurity in the Financial Sector, Richard Parlour chairs Financial Markets Law International, a law firm that advises financial institutions on compliance transformation. We talk to him about cybersecurity, the US, China – and Estonia.
What exactly does your EU Task Force do?
It was set up to get a better handle on the cybersecurity issues that were affecting the financial sector across Europe. Having run a survey of various financial institutions across Europe to gauge the potential issues, we put the nine issues we found into a report, having had a few meetings on the subject and taking submissions from various people – financial institutions but also organisations ranging from experts within the [European] Commission to the big tech companies like Microsoft and IBM.
Our report has been very well received; now we’re just waiting to see what the Commission’s going to do about it. These sorts of reports have in the past been quite influential, and we think this one may be too. But it’s still quite early days.
In terms of cybersecurity, the decision has been taken that we’re not going to have any specific cybersecurity laws – we’re just going to hang everything for the moment onto the GDPR [General Data Protection Regulation] and see how that goes. In some countries, like the UK, the GDPR has not been all that massive a change – but some other countries are totally starting from scratch. So the general feeling is that we’re waiting for that all to bed down a bit, then see what the issues are like. It’s a massive cultural change in many areas.
What are you expecting the Commission to do after digesting your report?
Make tweaks to the GDPR and breach reporting requirements. There are six or so such requirements that impinge upon financial institutions, which unfortunately are not particularly well coordinated, even on matters like how long after the breach it should be reported. We’re not expecting particular regulations, but there has also been talk of a directive on free flow of information, to make things flow more smoothly.
There are other bits of assistance we hope to get out of the Commission. The Commission produces quite a bit of guidance material and provides political support as well – support on enforcement, if you like. It’d also be looking at the experiences of the GDPR in the various different member states, and spotting issues that pop up in some countries but not others. All this collection, collation and analysis will take some time.
What progress has already been made in financial sector cybersecurity, and what are the main challenges ahead?
There’s been a big increase in cyber awareness. The UK government has been spending quite a bit of time on the protection of critical national infrastructure (CNI), which includes the key elements of the financial sector: the Central Bank, the G-SIBs [global systemically important banks], the clearing houses and exchanges, and so on.
But there are still cyber attacks going on all the time. Senior people at Barclays will tell you they’re getting thousands of attempted attacks every day. They seem to be doing pretty well so far, actually, in terms of fighting those off. But I’m not entirely convinced that we’re picking up sufficient data about those attacks and what the response is to individual customers. I don’t think people are really collating those. Liability is not purely on the banks, which are trying to fight it off and [find the blame].
There are also quite a few substantial financial institutions that don’t appear to have done very much, which is a bit of a concern. But I’m not naming names.
What kind of companies have been most and least responsive to cybercrime threats?
At the SME [small to medium-sized enterprises] end, I was quite surprised by FSB [Federation of Small Businesses] research into what SMEs had done after cyberattacks they’d suffered. Most had done very little between the attack and getting back up and running. Some businesses have taken some very public steps: TalkTalk had a significant issue that dramatically affected its share price, but took a number of steps to try to make sure customers were happy, and win them back. I saw a presentation they gave that suggested they were stronger after the attack than before, because of various messages they’d put in place and the PR activity they’d done. So if you’ve had the wake-up call and done something about it, it could be good news.
Having said that, I think research by Gartner suggests that [the vast majority] of businesses that have had a significant cyberattack are expected to fold within two years. They find it almost impossible to recover, and that is a concern.
What are your best practices for anti-cybercrime protection and compliance?
It’s a combination of GRC: governance (looking at data governance, information flow, storage and back-ups); risk (looking at threat reports by the likes of McAfee, Verizon, Kaspersky and the big consultancies, as well as at your own vulnerabilities); and capability (cyber awareness training).
For the latter, the training needs to get [employees] to be able to do something, not just sit there and nod – knowing how to respond to a phishing attack, for instance. That’s more of a challenge: cultural change takes nine months to [take effect], and you have to do things in a certain sort of way.
One CEO decided that the best way he could cut down on his information risk was to introduce a clear desk policy. One Sunday evening he went into the office and checked on the clear desks, and found that all the junior staff were clear-desking because they saw it as a company policy with which they had to comply. With the senior management, he found there was still paperwork everywhere. The CEO gave chocolates to those that complied and none to those that didn’t. Little things like that can induce cultural improvements.
There are harder ways of doing this, of course, such as blocking the ability to use USB sticks on office equipment. You have to be slightly careful about that, though: if the office system is so difficult to access, as we saw with Hillary Clinton, you just end up emailing things to yourself at home and do work on a less secure system.
Lithuania and Estonia frequently rank highly in global cybersecurity indexes. Why, and what are they doing that others should emulate?
Estonia – or E-stonia! – made a major strategic play for the country. There aren’t many Estonians, but they sat down and said, “What can we do as a tiny country on the edge of Europe, with our EU membership?” And they spotted that the world was going digital, so decided to train their people, and give special dispensations to encourage those good at IT to go to Estonia or link up with Estonians.
Then they wanted to get people to be able to come to Estonia electronically, if not physically. So they developed this concept of electronic residency. You can become an e-resident in Estonia and use the benefits of an EU passport if you’ve set up an Estonian company and do things from there. That works for quite a few sectors, but not for regulated financial instruments. The 1995 Post-BCCI Directive, when it was decided that a bank’s head office and registered office had to be in the same jurisdiction under the same regulator, makes it hard for companies wanting to get around Brexit difficulties by setting up an operation in Estonia. But if your business isn’t covered by the Post-BCCI Directive, there’s no problem in doing that.
Estonia is obviously very close to Russia, and Russia has been exercising quite close to the border, flexing a bit of muscle. There’s a bit of concern in the Baltic states about that. They’ve been subject to lots of cyberattacks too, so their cyber defences are going to be pretty strong.
Their EU residency scheme isn’t hugely [utilised], but they’ve got some significant figures – Shinzō Abe, the Prime Minister of Japan, is electronically resident in Estonia. Lots of people from lots of countries have decided to base their electronic business out of Estonia. That’s good in terms of the digital side.
Estonia had the presidency of the EU as well, and each state when it gets the presidency is allowed to work out what its priorities should be. Top of the Estonians’ list was the development of the digital single market. And they’ve got some very bright people.
This all sort of explains why Estonia is in certain respects ahead of countries like the UK, where to do certain things would need parliamentary approval, ministerial sign-off and endless discussion with various parties. In Estonia, there are fewer people, a single strategy, and everyone singing from the same hymn sheet.
The Lithuanians are slightly different. Some of their governmental figures have told me they’re trying to provide back-office facilities for companies operating around Europe. This would mean outsourcing your corporate secretarial work into Lithuania, where it would be a lot cheaper. They’re set up to make that as efficient and effective as possible. One of my clients is in the process of getting Central Bank of Lithuania authorisation to perform various payment institution services. Latvia is a bit behind the curve, I think.
Some senior figures seem very trusting of the US-UK information-sharing agreement and the fact that the US wouldn’t spy on the UK. What are your thoughts on US proclivities in this direction?
My first thought would be that they don’t need to spy: they’ve already got the information. It sort of depends on what you’re looking at. Most UK and US businesses are probably on a Microsoft platform, and if you’re on Windows, the amount of data that is automatically transmitted to Microsoft is just phenomenal. There are ways of turning that down a bit, but you have to be quite switched on about how you configure that operating system.
We have to have a certain amount of trust in this area. Edward Snowden’s new book Permanent Record explains in detail what gets transmitted, stored and used. In certain respects, this is extremely important – particularly when you’re looking at terrorist organisations. Some of them have fantastic capabilities: ISIS managed to hack into US Central Command’s [Twitter account] and deface it, for example. They’re quite adept, and quite capable of developing their own apps for their own communication, and set up their own encryption.
Huawei gets the headlines when it comes to Chinese involvement in our infrastructure. What are some of the less high-profile developments in China vis-à-vis Western cyber vulnerabilities?
Going back a few years, there was a report saying that China had set up six intelligence schools, one of which was entirely devoted to hacking. Loads of other countries will be doing the same thing: the Americans, the Iranians, the Israelis, who have a fantastic IT capability. Israel has made a strategic decision to focus on the IT sector.
A lot of the Huawei/China stuff, I can’t help feeling, is quite political and ramped up. It’s all to help stoke the US-China trade war. But when you look at the development of China and its internet, it’s phenomenal. Look at the number of people in China, and how it’s expanding, and how the US isn’t expanding at the same rate – it’s pretty obvious China is going to overtake the US at some stage in economic terms. China’s buying up a huge amount of stuff in the US and other countries. It’s all over Africa, for instance.
You’ve talked about how the GDPR unfairly penalizes small companies. But in the GDPR’s first year, most of the $56 million total of fines was for Google, by the French regulator. Can you give examples of small businesses that were unfairly fined following cybercrime?
[The Google decision] shows that the data protection regulators around Europe are flexing a bit of muscle. But I think it varies a bit, depending on what the policy is nationally. The enforcement attitude is that there’s a lot of cultural change involved, which will take a fair bit of time, so when there are issues faced by companies, the authority wants to hear about them in advance. The authority’s usual approach is to then offer suggestions to the companies, which is a very mature approach to regulation, rather than just turning around and slapping people with a big fine straight away.
Fining, in terms of compliance behaviour, does not work. It’s never worked in the financial sector, and why people think it would work in data protection I’ve no idea. Culprits weigh the benefits of breaking the law against the cost of the fine, and just swallow hard, write the cheque, and avoid sorting out their institutions. There was a big song and dance around the Siemens corruption case in 2008, but when you look at the figures, Siemens has been taken back up by the regulators all the time. In the financial sector, see the number of times Deutsche Bank gets mentioned under some sort of regulatory action. It’s received loads of fines. What it needs to change is the culture of the institution. That’s difficult to change.
A good example in compliance terms is Marks & Spencer’s approach to shoplifting. A while ago, M&S realised that an hour of a lawyer’s time to discuss a case would cost more than any given stolen item, let alone the cost of pursuing justice through the courts. So it tackled the problem through perception. It put up notices in the areas where the high-value products were sold, and warnings at the till saying “Warning: we always prosecute shoplifters”. Of course, they didn’t – but they wanted to affect prospective shoplifters’ psychology. To back that up, they did take certain shoplifters to court, but only in egregious cases, and gave those cases lots of media coverage. They found that through massaging perceptions, they got the shoplifting figures right down. Our data protection regulators need to be equally clever. But it’s a long haul.
How, specifically, would you encourage businesses to improve their cybersecurity?
I’m on the advisory committee to IASME (Information Assurance to SMEs), which has been introducing a system whereby SMEs get in touch with IASME and ask it to have a look at their cybersecurity systems. We run through a questionnaire with them, and then give them a certification. They pay us a nominal sum – £300 for our lowest level of certification. Though if you look at the UK corporate database of six million companies, at the current rate of certification, it would take well over a century to certify everybody. And by then, everything will have changed anyway!
If you’re going for cyber insurance and you’ve completed the UK government’s Cyber Essentials scheme, you should get a discount off your cyber insurance. But then we’re looking at a different cost-benefit situation: would you need the cyber insurance if you’ve done the scheme?
Another way of getting people to put in place cybersecurity measures is for the government to say, “If you want to win a government contract, you’ll have to do the Cyber Essentials scheme, or Cyber Essentials Plus.” And if you’re a part of the CNI, further measures will be required, but you’d get a lot of help. No one wants the electricity grid going down. That could be a disaster.