PSD2, the second EU Payment Services Directive, is set to open up and expand the range of financial services offerings and organisation types well beyond the traditional banks. As a directive, the payment services rules are defined by the EU but must be implemented by each member state through local legislation or regulation.
In the case of the finance sector, which is highly regulated anyway, the European Banking Authority (EBA) has translated PSD2 into defined security management requirements centrally. The EBA has published sets of regulatory guidelines covering operational and security risk, the management and reporting of incidents, and the mechanisms for authentication and connection security. These can be found at:
Although they don’t exactly make easy bedtime reading they do impose a set of security obligations for businesses that will have access to the banking systems (through open banking APIs) or who are conducting account information or payment initiation services.
For new Fintech start-ups, or existing smaller service businesses, these are most likely to be a useful set of security provisions; although as with any imposed regulatory standard, it might be viewed as somewhat overkill and a cost on doing business.
For larger, established banks or major retailers, however, these obligations are likely to be no more demanding than pre-existing security requirements or expected norms. They might, for instance, be viewed as running in parallel to the PCI-DSS requirements on credit card information: compliance with the new standards then becomes a matter of demonstrating existing practices and safeguards, rather than something that requires new controls or governance processes.
In the section below we will talk briefly about the first of these documents – Guidelines on the Security measures for operational and security risks.
The EBA guidelines don’t pose any particularly new challenges for organisations that have an existing Information Security Management System (ISMS) in place.
The core structure (as seen in our infographic on this page) follows established principles of risk assessment, control frameworks, and the monitoring and assurance activities built around them: an approach commonly referred to as a PLAN-DO-CHECK-ACT management system. Specifically, the document presents nine guidelines, summarised below (if you don’t want to read through them, just skip ahead to our views and observations):
At first glance these requirements are fairly standard “security management” good practices. However, there are some nuances around relatively new areas such as behaviour anomaly detection and threat intelligence. These are more recent control safeguards or “good practices” that have been added to the cyber security fold since the last revision cycle of some of the more established standards. There is hopefully very little in these requirements that a large, medium or small bank or retailer is not already doing. To answer our initial question then: most definitely a case of evolution in terms of security and compliance management.
Where this set of guidelines might have more impact is within smaller businesses registering as PSD2 service providers: either small FinTech start-ups (whose entire business model relies on the PSD2 and open banking frameworks) or established businesses that can now augment existing services and products with payment services (perhaps a retailer or service provider that will handle small payments directly rather than through a card scheme).
For businesses in these categories security may not have been as large a factor in the design of their businesses, systems and applications as perhaps it should be. Here, we may see the adoption of EBA guidelines as more of a revolution in the approach to security.
While smaller businesses might carry liability for a resulting fraud, their size and resources may simply mean there isn’t room on the balance sheet to provide redress, refunds or compensation. A significant exposure in the systems of a smaller AISP or PISP (account information or payment initiation service provider) could therefore be highly serious, as the security issue rapidly becomes a theft or fraud impact.
Insurance, a requirement of being part of the PSD2 regulated payment community, is also unlikely to pay out to cover losses if security controls were found to be lax or missing.
While the presence of security guidelines for payment and information providers under PSD2 is a good thing for consumers and banks, it does not mean that smaller businesses, start-ups or non-FS businesses providing financial services will have adequate security to match the risk they could face (or cause).
For the providers themselves, the EBA guidelines give a useful best practice yardstick against which to define and measure security effectiveness. So there is hope that this new world of payment processing and open banking will be robust and trustworthy at a systemic level, as long as security gets the attention it deserves.
As to whether these guidelines represent evolution or revolution… it rather depends on what security maturity and cyber readiness you already have in place when your PSD2 services are launched.