Anyone who is paying attention knows the financial industry is going through an unprecedented digital transformation which has been accelerated by the coronavirus pandemic. At the same time, cyberattacks, particularly ransomware attacks, grow in number by
The results of a study by the Ponemon Institute and Keeper Security published in January showed that 70% of UK financial companies had suffered a cyberattack. Another Keeper Security report,
released in July, found that more than nine in ten (92%) UK businesses had suffered a cyberattack in the previous 12 months and that over three quarters (78%) felt unprepared to deal with the threat.
These attacks take direct advantage of the global digital transformation trend. They pose real threats to financial systems, to financial stability, and to confidence in the integrity of those systems and the financial data they hold.
While the pandemic made digital transformation even more necessary, it has also proven to be a major source of cost and time savings when applied to business workflows and processes. This is particularly obvious in the financial services sector, where
many products and services require legally binding agreements between all parties. A typical example is applying for and granting a mortgage or loan. Digitally transforming these workflows, including the digital signing of complex documents, can save substantial
amounts of money.
How do eIDAS and other regulations play a significant role with secure digital transformation?
The eIDAS Regulation (Electronic Identification, Authentication and Trust Services) was adopted in July 2014, years before digital transformation became a global business initiative. eIDAS turns out to be extremely relevant to secure digital transformation: it supports
the optimization of digital business practices while at the same time raising the level of security for all users.
Financial services is one of the main sectors to benefit from eIDAS. eIDAS also aligns closely with other EU initiatives in the financial sector, such as the revised Payment Services Directive (PSD2).
The EU has also addressed cybersecurity through other regulations and directives which aim to enable secure trading
through cross-border trusted authentication.
Within these regulations, qualified electronic signatures (QES) hold a special place: under eIDAS a QES has the legal effect of a handwritten signature and must be recognized in every EU member state, which enhances trust in electronic transactions. A QES is an advanced electronic signature that is created with a qualified signature creation device and based on a qualified certificate, so it offers a far higher level of assurance
than a standard electronic signature. The digital certificate embedded in the signature shows that the signer completed extra steps to confirm their identity before the certificate was issued. The signer's certificate is used to create the signature and is then attached
to the signed document, so that a relying party can check who signed it and that the content has not changed since. This lets, for example, bank customers and employees sign documents digitally anywhere, from a workstation or any mobile device, with the strongest legal standing eIDAS provides.
Digital certificates are issued by certificate authorities, which eIDAS calls trust service providers. Once a trust service provider issues a digital certificate, it can be stored on a smart card, a USB token, a local computer, a mobile phone, or in the cloud. Qualified
certificates can only be issued by a QTSP (Qualified Trust Service Provider): a provider that has been granted qualified status by its national supervisory body after an independent conformity assessment of its security practices. Each member state publishes its QTSPs in a national trusted list, and that list is what a relying party should check before treating a certificate as qualified.
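The mechanism described above, reduced to its core, is: the signer's certificate is issued by a provider the relying party already trusts, the signature is made with the key that certificate binds to the signer, and verification checks both the signature and the certificate's chain to that trusted issuer. The following Go program is an added example, not code from the original page or from any trust service provider; it uses only the Go standard library, a self-signed root that stands in for a provider's root certificate (a hypothetical "Example Trust Service Root"), a constructed loan agreement as the signed content, and a plain certificate pool in place of a national trusted list. It omits what a real qualified signature adds on top (a qualified signature creation device, revocation checks, timestamps, and the standardized signature containers).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument: signed bytes, signature over their SHA-256 digest, signer's DER certificate.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	SignerDER []byte
}

type identity struct { // hypothetical key pair plus certificate for one party
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newIdentity makes a P-256 key and certificate for cn. With issuer == nil it is a self-signed
// CA standing in for a provider's root; otherwise it is a signing certificate issued by that CA.
func newIdentity(cn string, issuer *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial, not for production
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	parent, signKey := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signKey = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{key: key, cert: cert}, nil
}

// signDocument signs the digest of content and attaches the signer's certificate to the result.
func signDocument(signer *identity, content []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, signer.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: content, Signature: sig, SignerDER: signer.cert.Raw}, nil
}

// verifyDocument accepts doc only if the attached certificate chains to a root in trusted (the
// relying party's accepted issuers) and the signature matches the content; returns the signer's CN.
func verifyDocument(doc *SignedDocument, trusted *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(doc.SignerDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("signer certificate not issued by a trusted provider: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(doc.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], doc.Signature) {
		return "", fmt.Errorf("signature does not match document content")
	}
	return cert.Subject.CommonName, nil
}

func main() { // errors ignored here for brevity; the functions above report them
	root, _ := newIdentity("Example Trust Service Root", nil) // hypothetical issuer
	alice, _ := newIdentity("alice@example.test", root)
	doc, _ := signDocument(alice, []byte("Loan agreement: 250000 EUR")) // constructed content
	trusted := x509.NewCertPool()
	trusted.AddCert(root.cert)
	fmt.Println(verifyDocument(doc, trusted))
}
```

The point worth internalizing is in verifyDocument: a signature that checks out mathematically is still rejected when the attached certificate does not chain to an issuer in the relying party's trusted set, which is exactly why "qualified" status of the issuer, and not only the signature itself, matters.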
What does this mean for the financial industry going forward?
The January Cybersecurity Ventures report discussed how global cybercrime costs are expected to grow
by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. At the same time, we have been seeing an increase in the number and severity of cyber threats associated with ICT risks such as phishing, identity theft, and ransomware.
Every day the financial industry manages documents, loans, and agreements, and these processes need to make use of the digital technology available. Digital-native customers expect to get everything, and at once, but want to know their data is safe. All the while, financial
services companies continue to be heavily targeted, and typically feature in the top five sectors for severity and frequency of cyberattacks, according to Thomas Kang, Head of Cyber, Tech and Media, North America at AGCS: “These companies hold a lot of sensitive
data on individuals, businesses and governments. At the end of the day, it is where the money is.”
The financial sector is heavily dependent on information and communication technologies (ICT), and this dependence makes financial entities particularly exposed to cyberattacks.
In response to the European Union's push for greater operational resilience in the financial sector, the Financial Conduct Authority (FCA) recently introduced rules and guidance on operational resilience for banks and insurers. The rules, which
come into force on March 31, 2022, require firms to address disruption to important business services from a range of events, including cyberattacks, technical failures and power outages. In the EU, the proposed Digital
Operational Resilience Act (DORA) would introduce an EU-wide regulatory framework on digital operational resilience for a wide range of financial services firms, with a focus on business continuity and the management of third-party risk.
Despite Brexit, DORA will also align with the requirements of the UK's Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA). This means the UK-specific framework will exist in parallel with the guidelines of the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
The UK financial sector is already embracing digital transformation and, in some cases, actively managing cyber risk. However, DORA will place greater responsibility on organizations to classify, report and respond to threats and incidents.
There are QTSPs throughout the EU but only a handful in the UK. Following the UK's withdrawal from the EU, the eIDAS Regulation was retained in UK law and amended by The
Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019. In addition, the existing UK trust services legislation, The
Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (SI 2016 No. 696), was also amended. Taken together, these are referred to as the UK eIDAS Regulations. One practical consequence: UK law continues to recognize qualified trust services from EU QTSPs, but EU eIDAS does not reciprocally recognize UK QTSPs as qualified, so a firm that needs a signature to count as qualified in both jurisdictions should check which trusted list each provider appears on.
By choosing to work with one of these QTSPs, your organization gets services that comply with the UK and EU eIDAS regulations and offer the highest level of security on the market. Even if you do not opt for a qualified signature (or any
other qualified service), you will still be dealing with a reliable, trustworthy partner with proven capability and qualifications in trust services.