Draft EU Legislation to Stop Banks Using Insecure Tech Suppliers

The Wall Street Journal reports that national regulators in EU member states could be given the authority to force financial institutions to drop existing tech suppliers if those suppliers fail to address cybersecurity problems. The WSJ also notes that these proposals have not yet been agreed upon by European governments, and – to invoke the immortal internet caveat, I am not a lawyer (nor a diplomat) – how the law will look at the end of that negotiation process is anyone's guess.


Even once the ultimate shape of this legislation is known (assuming it ever emerges at all), there will probably be further variation in its practical implementation from nation to nation. It will be interesting to see, a few years down the road, whether these efforts result in marked improvements in the financial sector's resilience to cyber attacks. Lawmakers around the globe are grappling with the thorny problem of legislating for the digital era, and they may well be watching what their foreign counterparts are doing and learning what works (or doesn't).


However, merely proposing these measures could have knock-on effects within the tech industry. As anyone who has attempted it will know, switching a key technology provider is a headache, and not one that any business (much less one as large and complex as a bank) will wish to undergo without a compelling reason. The WSJ observes that EU banks may begin reviewing contracts with existing suppliers now. By extension, prospective suppliers could face even tougher scrutiny.


So what could this mean for the tech industry? Forward-thinking businesses that have (or hope to find) customers among European financial institutions will probably look to get ahead of the curve. Such businesses might seek accreditation for their services, if they do not already hold it. Although it remains to be seen how the details of this regulation will shake out, a respected cyber-security standard or certification seems like a reasonable place to start.


Looking beyond the finance and tech industries, businesses of all kinds have long relied on external suppliers for technical goods and services. In recent years, this interdependency has expanded as organizations shift to SaaS, IaaS and other flavors of as-a-service, each of which puts part of the customer's attack surface in a supplier's hands. Against this backdrop, supply chain security is a growing concern (regulations or no), and banks are far from the only ones with an interest in this area.


Consequently, we may see an expanding market for supply chain risk assessments. Such assessments can be conducted by internal teams, by external consultants, or via a hybrid approach, and there are tools that assist with them. Whatever the approach, accurate information, available on demand, is vital: a questionnaire answered once a year says little about a vendor's posture today. Many of our clients gain this on-demand ability to check up on the state of their third-party vendors' security via our Pure Signal cyber reconnaissance solution. It allows them to continuously monitor their supply chains for anomalous traffic and for the presence of outdated operating systems and software. It can also help to verify vendors' claims about their security posture: for example, our clients can see traffic indicators firsthand that give them a better sense of whether a vendor's network is truly a zero-trust environment. Giving their analysts access to this ground truth allows our clients to close serious gaps in their third-party risk assessment processes and in their security programs as a whole.
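To make the monitoring idea concrete, here is an added example (illustration only, not Pure Signal code or any vendor's API) of the kind of check an analyst can run over observations of a supplier's internet-facing assets. The vendor names, addresses, end-of-life table and flows are all constructed sample data; the three checks it applies are the ones the paragraph above describes: software past end of life, services that should never be internet-exposed, and outbound connections that were not in the previously accepted baseline.

```python
"""Third-party exposure check over constructed observations.

Added illustration, not Pure Signal code: given per-vendor observations of
exposed services and outbound flows, produce findings an analyst can set
beside a vendor questionnaire answer.
"""
from dataclasses import dataclass
from datetime import date

# Illustrative end-of-life dates for a few product versions.  Sample policy
# table only; verify against the vendors' lifecycle pages before relying on it.
EOL = {
    ("Windows Server", "2008 R2"): date(2020, 1, 14),
    ("CentOS", "6"): date(2020, 11, 30),
    ("Ubuntu", "16.04"): date(2021, 4, 30),
}

# Services that should not be reachable from the internet on a well-run network.
RISKY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}


@dataclass
class Observation:
    vendor: str
    asset: str             # IP or hostname of the vendor-owned asset
    product: str
    version: str
    open_ports: list       # TCP ports seen open from the outside
    outbound_peers: list   # (dst, port) tuples seen leaving the asset


@dataclass
class Finding:
    vendor: str
    asset: str
    severity: str
    detail: str


def assess(observations, baseline_peers, today):
    """Return findings: EOL software, risky exposed services, new outbound peers.

    baseline_peers: {vendor: set of (dst, port)} previously seen and accepted.
    `today` is passed in so the EOL check is deterministic and testable.
    """
    findings = []
    for o in observations:
        eol = EOL.get((o.product, o.version))
        if eol is not None and eol < today:
            findings.append(Finding(o.vendor, o.asset, "high",
                f"{o.product} {o.version} reached end of life on {eol}"))
        for port in o.open_ports:
            if port in RISKY_PORTS:
                findings.append(Finding(o.vendor, o.asset, "high",
                    f"{RISKY_PORTS[port]} exposed on port {port}"))
        known = baseline_peers.get(o.vendor, set())
        for peer in o.outbound_peers:
            if peer not in known:
                findings.append(Finding(o.vendor, o.asset, "medium",
                    f"new outbound connection to {peer[0]}:{peer[1]}"))
    return findings


def summarise(findings):
    """Per-vendor count of high-severity findings."""
    counts = {}
    for f in findings:
        if f.severity == "high":
            counts[f.vendor] = counts.get(f.vendor, 0) + 1
    return counts


# Constructed sample observations (not real vendors, addresses or scan results).
SAMPLE = [
    Observation("VendorA", "203.0.113.10", "Windows Server", "2008 R2",
                [443, 3389], [("198.51.100.5", 443)]),
    Observation("VendorA", "203.0.113.11", "Ubuntu", "22.04",
                [443], [("198.51.100.5", 443), ("192.0.2.77", 4444)]),
    Observation("VendorB", "203.0.113.20", "Ubuntu", "22.04",
                [443], [("198.51.100.9", 443)]),
]
BASELINE = {
    "VendorA": {("198.51.100.5", 443)},
    "VendorB": {("198.51.100.9", 443)},
}

if __name__ == "__main__":
    results = assess(SAMPLE, BASELINE, date(2024, 1, 1))
    for f in results:
        print(f"[{f.severity}] {f.vendor} {f.asset}: {f.detail}")
    print(summarise(results))
```

Run against the sample data on 2024-01-01, VendorA collects two high findings (an end-of-life server that also exposes RDP) plus a medium one for a new outbound peer on an unusual port, while VendorB is clean; a vendor that answered "all systems supported, no remote-access services exposed" on its questionnaire would have some explaining to do. The date is an explicit parameter so the same observations assessed before 14 January 2020 do not raise the end-of-life finding.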