Banking regulation Q&A: data security and cybersecurity
The banking regulation Q&A series provides a comprehensive overview of the rules governing the banking sector in Luxembourg. Today's chapter focuses on data security and cybersecurity.
What is the applicable data protection regime in your jurisdiction and what specific implications does this have for banks?
In the European Union, the protection of personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
The GDPR defines the concept of 'personal data' and establishes rules relating to the processing of such personal data, including a number of obligations to be complied with by controllers and processors of personal data. It:
- sets out the conditions under which the processing of personal data is deemed to be lawful and principles applicable to personal data processing (eg, lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality);
- includes specific conditions in order to evidence the consent given by data subjects to such processing;
- sets out rules applicable to the processing of special categories of personal data;
- gives rights to data subjects with respect to their personal data (eg, the right to information, right of access, right of rectification, right to erasure, right to restriction, right to data portability, right to object);
- sets out the respective responsibilities of controllers and processors of personal data;
- introduces the concepts of data protection by design and by default;
- includes the obligation to ensure the security of the personal data;
- sets out conditions with respect to the notification of data breaches;
- obliges controllers to perform data protection impact assessments for certain activities;
- includes rules concerning the appointment of a data protection officer;
- regulates transfers of personal data; and
- includes the obligation for controllers to maintain records of processing activities (mapping of data flows).
The GDPR entered into force on 25 May 2018. Prior to its entry into force, banks established extensive GDPR compliance projects in order to assess their personal data processing activities, map personal data flows both within and outside their organisations, and ensure compliance with the new requirements. As the potential sanctions for GDPR breaches include fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial years, and in light of the reputational risk involved in case of personal data breaches, compliance is taken seriously by banks, which now need to integrate personal data protection into their day-to-day operations.
Challenges faced by banks during the implementation phase include:
- the collection of user consent;
- the concepts of 'controller' and 'processor', and the correct allocation of responsibilities in webs of service providers, data storage and data deletion, which may be complex in matrixed institutions with numerous electronic backups;
- data classification and mapping of data flows within complex international groups; and
- the need to adapt business practices.
What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for banks?
At the EU level, a number of initiatives have been presented or are currently ongoing in the area of cybersecurity. The European Commission issued a recommendation on coordinated response to large-scale cybersecurity incidents and crises (Commission Recommendation (EU) 2017/1584 of 13 September 2017), and more recently a recommendation on cybersecurity of 5G networks (C(2019) 2335 final).
In terms of legislation, Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification was published in the Official Journal of the EU on 7 June 2019, and aims to achieve a high level of cybersecurity, cyber resilience and trust within the European Union. It has reformed ENISA, which supports EU member states, EU institutions, bodies, offices and agencies in improving cybersecurity; and has introduced a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, services and processes in the European Union. The first EU piece of legislation on cybersecurity was Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union which had to be implemented by the EU Member States by 9 May 2018.
At the national level, Luxembourg published its third national cybersecurity strategy for the 2018-2020 period ('NCSS III'). The NCSS III includes guidelines on strengthening public confidence in the digital environment, the protection of digital infrastructure and the promotion of the economy, with objectives such as:
- the dissemination of information on risks;
- the combating of cybercrime;
- the identification of critical digital infrastructure;
- the adaptation of the emergency response plan for cyberattacks;
- the development of skills and abilities in the field of cyber defence;
- the improvement of risk management and training; and
- the promotion of start-ups to develop the digital security ecosystem.
As banks handle very sensitive information, cybersecurity is particularly important to the banking sector. The Law of 5 April 1993 on the financial sector, as amended contains a general requirement for credit institutions to have in place effective control and security arrangements for information processing systems, as well as sound security mechanisms designed to guarantee the security and authentication of the means of transfer of information, to minimise the risk of data corruption and of unauthorised access and to prevent information leakage in order to maintain the confidentiality of data at all times. The Commission de Surveillance du Secteur Financier (CSSF) issued a number of circulars which address issues related to confidentiality, IT and security, including:
- CSSF Circular 12/552;
- CSSF Circular 15/603 on security of internet payments;
- CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure; and
- several circulars related to Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD2), including CSSF Circular 19/713 concerning the European Banking Authority Guidelines on the security measures for operational and security risks of payment services under PSD2.
These circulars include:
- requirements to be complied with in case of IT and cloud outsourcing;
- the obligation to have backup and recovery plans and ensure business continuity;
- the obligation to monitor security vulnerabilities;
- the requirement to have an IT function (including an information security officer);
- specific requirements in the field of security of internet payments (eg, the implementation of a security policy, the performance of a risk assessment, incident monitoring, the implementation of security measures and the use of strong customer authentication);
- the obligation to ensure data and systems integrity; and
- reporting and auditing requirements.
The growing importance of data, the increased risk of cyberattacks and the related regulatory requirements mean that banks will need to continue to invest in their cybersecurity capabilities and IT infrastructure.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
First published in Mondaq
Michael SchweigerLocal Partner Attorney at law / Solicitor
Michael Schweiger, local partner, is a member of the Banking & Finance practice group in our Luxembourg office. He leads the Luxembourg financial regulatory team and regularly advises banks, e-money and payment institutions, insurers, and other clients regarding financial regulation.T: +352 466 230 520 E: email@example.com
Adrien PierreSenior Associate Attorney at law / Avocat à la Cour
Adrien Pierre, senior associate, is a member of the Banking & Finance Practice Group in our Luxembourg office. He advises banks, asset managers, fintechs, payment institutions, insurance companies and other financial institutions on regulatory matters.T: +352 466 230 523 E: firstname.lastname@example.org