Obligation to notify serious cybersecurity incidents might expose banks to new risks
A draft Dutch law will, once adopted, require mandatory notification of security breaches or loss of integrity of ICT systems that may have a significant impact on the availability or integrity of certain vital products or services (the Bill). The Bill will affect the financial services sector. The new law is expected to take effect in the second half of 2017. The absence of regulatory guidance, the involvement of multiple regulators and potential public exposure will create additional compliance and reputational risks.
The Bill will affect businesses operating in various industries that are considered vital to the proper functioning of Dutch society, including financial services, energy, telecoms and transportation. The list of organisations falling under the new notification obligation (so-called “operators of vital services”) is not finalised yet, but earlier versions of the list specifically mentioned financial institutions, including banks and intra-bank and retail payment operators.
Ahead of the EU
Certain banks and credit institutions will in any event fall under similar notification obligations pursuant to the EU Directive 2016/1148 on Security of Network and Information Systems (NIS Directive). The NIS Directive was adopted on 6 July 2016 with two main purposes: (i) enhancing cross-border cooperation in the EU in cases of cyber incidents and (ii) introducing cyber risk management and incident reporting obligations for operators of vital services.
While the Dutch Bill will introduce reporting obligations only, the NIS Directive also requires EU Member States to empower the regulator to issue binding instructions to take appropriate and proportionate technical and organisational risk management measures. The NIS Directive must be implemented by summer 2018. The Dutch Bill was introduced in anticipation of the NIS Directive and will be amended at a later stage to become its full implementing measure in the Netherlands. There is (as yet) no guidance on the exact obligations and no clear description of the organisations affected by the Bill.
Obligation to notify
The Bill provides that operators of vital services must notify a security breach or loss of integrity of ICT systems that affect or may affect the availability or reliability of their vital products or services. Notifications will be managed by the National Cyber Security Centre (NCSC), which operates under the Minister of Security and Justice. The Bill is intended to catch only those incidents that could potentially disrupt Dutch society.
Information may be shared
The Bill envisages that the NCSC will share information on submitted incidents with other government agencies and contains provisions relating to confidentiality and security of information sharing. For instance, confidential information traceable to an operator of vital services can in principle only be shared without the operator’s permission with designated computer crisis teams (CERTs) and Dutch intelligence services. However, in exceptional cases, the Bill permits the NCSC to share information on an incident with other organisations or even make it publicly available.
Overlapping notification requirements
The notification obligation in the Bill does not affect any other existing or potentially overlapping notification obligations. For example, security breaches related to personal data and covered by the Bill will need to be notified to both the NCSC and the Dutch Data Protection Authority. For sector-specific notification obligations (eg notification of incidents that are part of normal supervisory practice in the financial services sector) the operator of vital services will need to notify both the NCSC and the sector-specific supervisory authority, eg the Dutch Central Bank (De Nederlandsche Bank or DNB) or the Authority for Financial Markets (AFM). The latest explanatory note to the Bill specifies that in such cases, the instructions of the sector-specific supervisory authority will prevail. However, it is silent on how to deal with overlapping or conflicting notification requirements or confidentiality rules.
More guidance for banks expected
We expect the European Central Bank (ECB) and the European Union Agency for Network and Information Security (ENISA) to provide guidance for banks concerning the obligations under the NIS Directive. Although the Dutch notification obligations are expected to take effect before such EU guidance is available, the national financial regulators DNB and AFM have not yet indicated whether they will be providing specific guidance on the new obligations.
Monitor developments and prepare for new obligations
The introduction of national notification requirements in anticipation of the implementation of EU rules, the absence of regulatory guidance, the involvement of multiple regulators and the potential public exposure will create additional compliance and reputational risks for affected operators of vital services.
Banks and other financial institutions operating in the Netherlands should be aware of the new requirements, monitor whether they will be included in the list of operators of vital services and seek regulatory guidance. They should update their processes and policies in a timely manner to comply with the new obligations to notify and share information with the NCSC. In addition, they should align the new notification obligations with existing notification obligations to DNB, AFM and the general personal data breach notification to the Dutch Data Protection Authority. Finally, they should prepare to manage risks created by the future information exchange about incidents by the stakeholder authorities.
This case summary is part of the Allen & Overy Legal & Regulatory Risk Note, a quarterly publication. For more information please contact Karen Birch – email@example.com, or tel +44 20 3088 3710.