Cyberthreats and cyberincidents are a major risk for companies operating in the financial sector. The Financial Services and Markets Authority (FSMA) has outlined some baseline principles for managing these risks in a communication dated 2 October 2019. In this way, the FSMA aims to raise awareness among companies and to inform them about the baseline principles for managing cybersecurity risks.
Together with the Centre for Cybersecurity Belgium (CCB), the national authority responsible for monitoring and coordinating the Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security (available in French), the FSMA has published a number of baseline principles designed to help companies implement cybersecurity measures. Although the FSMA's communication is primarily addressed to companies under its supervision, the principles can guide any company in managing its cybersecurity risks.
Cybersecurity as a priority area for attention
The FSMA encourages companies to raise their information security awareness and their organisational and technical cybersecurity measures to a higher level and to treat them as a priority area for attention. It expects companies to take the necessary measures to manage cybersecurity risks and to regularly reassess and update these measures in the light of the latest techniques and best practices.
In particular, the FSMA expects boards and senior management to take ownership of cybersecurity risks and to give them priority on their agenda. According to the FSMA, boards must take appropriate, state-of-the-art measures to improve their cybersecurity defences and take decisive action on key issues, such as aligning IT and business strategies, outsourcing risk management, change management and cybersecurity management.
Management of cybersecurity risks
According to the FSMA, effective management of cybersecurity risks is based on four principles:
1. Security strategy and support
First, the FSMA encourages companies to draw up a Cyber Incident Response Plan. This plan identifies the measures required to prevent cyberincidents and to respond adequately in the event of an incident.
An effective Cyber Incident Response Plan:
- is built around the most common disaster scenarios;
- includes all necessary measures so that companies can resume operations quickly, safely and with accurate data after an incident; and
- provides companies with the ability to communicate adequately and quickly with all parties involved, such as Cyber Incident Response Teams established within the company, competent (judicial) authorities, the Data Protection Authority and customers.
The FSMA stresses the importance of raising awareness throughout the company, including its branches and sales offices, partly because these are the first points of contact for enquiries from concerned customers.
2. Asset identification and risk analysis
Second, the FSMA stresses that companies should identify their infrastructure and supporting information resources in order of priority:
- What are the critical processes and vital assets of the company that need to be protected?
- What supporting information tools are used for this purpose?
- Which data are the most sensitive?
In this risk management exercise and in implementing cybersecurity processes and procedures, the FSMA expects companies to always apply the principle of proportionality: each company must start from its own risk profile, bearing in mind that headcount is neither the only nor the most relevant indicator of that profile.
3. Implementation of measures
Third, the FSMA underlines the importance of companies taking adequate technical and organisational measures to protect themselves against cybersecurity risks. These measures should enable companies to detect incidents at an early stage, to react quickly to incidents and to take appropriate countermeasures.
The FSMA advocates a clear allocation of responsibilities within the company so that incidents can be handled efficiently. In addition, the FSMA recommends that companies, depending on their size, implement a SIEM (Security Information and Event Management) solution. Such a solution analyses activity on the company's network and systems in order to detect and respond to suspicious activity.
Furthermore, the FSMA recommends that companies, in their relationships with IT service providers, check whether the (potential) service providers are well prepared in the area of cybersecurity (e.g. by means of vendor questionnaires). In particular, companies must check whether the agreement with the service provider contains sufficient guarantees for the protection of data, including the timely reporting of incidents.
4. Evaluation of security measures
Finally, the FSMA stresses the importance of regularly evaluating security measures. For example, companies should re-evaluate their security measures at least once a year and further deepen and refine their risk analyses.