Legislation expected to be introduced in May 2018 will require U.K. clearing houses to complete regular cybersecurity reports, moving regulation closer to current EU directives around critical financial market infrastructure, including the Network and Information Security (NIS) Directive.
Finextra reported that the EU’s Directive allows each member state to define what is classed as an “essential service” covered by the legislation. Earlier this month, the U.K. government announced that firms operating in banking and financial market infrastructure would be exempt from classification as “essential service” operators, despite the Directive stating the firms fall within its scope.
But this new report shows the U.K. plans to codify cybersecurity reporting for clearing houses in separate legislation, stating, “Provisions at least equivalent to those specified in the Directive will already exist by the time the Directive comes into force.”
The government added these firms “must continue to adhere to requirements and standards as set by the Bank of England and/or the Financial Conduct Authority.” The Bank of England has already taken steps to promote cybersecurity measures for market participants and infrastructure operators, including payment networks, central securities depositories and clearing houses.
In addition, the Bank’s Financial Stability Report detailed its vulnerability testing of the market’s infrastructure operators and participants, including identifying cyber risks and the need to boost its cybersecurity efforts.
“In some cases, controls on the integrity of systems and confidentiality of data needed to be strengthened,” the Bank said. “In others, the tests identified the need for further investment in capabilities to detect, mitigate and respond to attacks. And, in general, the tests highlighted the importance of firms continuing to invest in their people, processes and technology in order to counter the risks of cyberattack.”