
Information security in financial sector entities is assessed in several stages – regulation is likely to become more stringent


The need for an adequate level of information security has recently been raised in public debate. Information security refers to the arrangements aimed at ensuring the confidentiality, integrity and availability of information.[1]

Information security requirements for the financial sector are laid down in legislation and the FIN-FSA’s regulations and guidelines

Supervision of information security is an integral part of supervising the operational risks[2] of financial sector service providers, which is one of the FIN-FSA's basic tasks. The information security requirements are laid down in several special acts, and financial sector participants must comply with them. For example, the Credit Institutions Act stipulates that a credit institution must have measures in place to identify, assess and manage operational risks. A credit institution must have adequate, safe and reliable payment, securities and other information systems. It must also ensure that contingency and business continuity plans are in place to secure its ability to operate on an ongoing basis and to limit losses in the event of severe business disruption.

The FIN-FSA has been given, in several special acts, powers to issue more detailed regulations and guidelines on the adequate level of information security in its supervised entities.[3]

Information security is assessed already prior to start-up of activity

Operating in the financial sector is subject to authorisation. Only applicants that meet the minimum regulatory requirements may be authorised to carry out activities in the sector. In order for authorisation to be granted, the applicant entity must demonstrate that it meets the requirements for operational risk management. Applicants often demonstrate that they meet the information security requirements by obtaining a statement (audit report) on information security from an external, independent assessor.

Once authorisation has been granted, the entity becomes an entity supervised by the FIN-FSA and is subject to ongoing supervision. The FIN-FSA may conduct a supervisory review and evaluation process (SREP, a risk assessment) of the supervised entity, which may also include an assessment of the entity's compliance with information security requirements. Other instruments available to the supervisor include inspections and, where material IT activities are outsourced, assessments of that outsourcing.

Information security must also be taken into account when the provision of services is to be discontinued. A plan covering the cessation of service provision or the transfer of services to another provider is often required as early as the authorisation application stage.

Level of information security in Finland generally good – incident and disruption reports provide valuable additional information to the supervisor

Finnish financial sector companies have generally fared well in comparisons of cybersecurity levels.[4] Nevertheless, it must be borne in mind that there is no such thing as 100% information security. Maintaining information security requires continuous development and comprehensive consideration of information security in all processes.

The FIN-FSA receives status information from supervised entities via notifications, as many regulations oblige supervised entities to report faults and disruptions in their operations to the FIN-FSA. These incident reports are used in supervision in many ways. Based on the reports, the supervisor can make observations on individual supervised entities and identify occurrences encountered by a larger number of entities. The supervisor also compiles anonymised data aggregations from the reports for use by the European supervisory authorities; these compilations enable occurrences to be monitored at European level.

Tighter regulation in the foreseeable future

On 24 September 2020, the European Commission issued a comprehensive Digital Finance Package containing, among other things, a proposal for a regulation on digital operational resilience, the Digital Operational Resilience Act (DORA). If adopted, the Act would, for example, impose an obligation to carry out information security testing covering the ICT function and, for significant financial market actors, an obligation to conduct advanced penetration tests, i.e. tests that actively probe systems for exploitable information security weaknesses. Supervision of outsourcing would be further tightened. In addition, the proposed Act envisages a separate oversight framework for critical ICT third-party service providers, which would bring significant ICT service providers within the remit of financial supervisors.

The EU Directive on security of network and information systems[5] (NIS Directive) is also currently under review, and information security requirements may be extended in that context, too. The Ministry of Transport and Communications, in turn, has appointed a working group to examine ways to improve information security and data protection in critical sectors of Finnish society.[6]

[1] Confidentiality means that information is only available to authorised users and is not disclosed to others. Integrity means that information has not been modified without authorisation or by accident and that any changes can be verified. Availability refers to whether information, an information system or a service can be used at the desired time and in the required manner. Availability also includes having the necessary back-up facilities in place in case of faults and disruptions.
[2] Operational risk means the risk of loss associated with
• inadequate or failed internal processes
• staff
• systems
• external factors.
[3] See e.g. Regulations and Guidelines 8/2014, Management of operational risk in supervised entities of the financial sector.
[4] See e.g. https://www.huoltovarmuuskeskus.fi/johdon-ohjaus-on-ratkaisevaa-yrityksen-kyberkestavyyden-kannalta/ (in Finnish).
[5] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L1148
[6] https://www.lvm.fi/en/-/working-group-to-explore-ways-to-improve-information-security-and-data-protection-in-critical-sectors-of-society-1241358

Regulator Information

Abbreviation: FIN-FSA
Jurisdiction: Finland
