When European leaders, back in 2012, embarked on an ambitious plan to create a truly pan-continental financial system, they overlooked one important detail: how to protect it from cyberattacks.
Banks have remained closely tied to national governments, including in cases of financial stress, as the so-called banking union is only half-finished. And because the European Union’s cybersecurity authorities are national, banks are also in tight lockstep with their country’s security authorities.
With much of the debate focused on how to facilitate better cross-border banking, the security vulnerabilities emanating from an integrated financial system are hardly discussed. Some policymakers even worry that labeling the financial system as critical infrastructure would stall the banking union agenda.
Ignoring the cyber risks involved would be madness.
Imagine a social media attack that leads to a bank run, as occurred in Bulgaria in 2014, or a large-scale electricity blackout caused by cyberattacks, as happened with the December 2015 Kyiv power outage. We might even see a full-blown attack on a country bigger than Estonia, which was targeted in 2007, or a more extreme case where the payment system goes down for a day.
Any of these would disrupt the daily lives of millions of people and countless businesses, which rely on continuous access to financial services.
Of course, the prime responsibility for providing those services lies with the financial institutions themselves. In fact, all major financial institutions are investing substantially in cybersecurity. And for good reason: Surveys indicate that the number of cyberattacks is increasing.
But under the current setup, the EU’s financial system is unprepared to respond to such an attack.
Currently, when major attacks happen, the banks’ first port of call is to inform their national authorities, which do not readily exchange information with their counterparts in other countries. The European banking supervisor, the European Central Bank, has to interact with various national security agencies when it comes to cyber occurrences that fall under its remit. And the EU has never conducted a cybersecurity preparedness exercise for the bloc’s financial system — much in contrast with the G7, which undertook such an exercise under the leadership of the French central bank.
The financial system’s vulnerabilities would be exacerbated in a truly pan-European banking union.
Take, for example, an attack on a bank that provides financial services in several countries. What incentives would the national security agency of the country where the bank is headquartered have to address cyber problems in third countries?
In the eurozone, the lack of security cooperation would also harm the provision of financial services, because a cyberattack that undermines trust in payments would immediately be a concern for all euro area countries. Just as money laundering and financial crimes are more than an embarrassment for the ECB, cyber vulnerabilities would threaten the entire common currency area.
At the very least, the EU urgently needs to conduct joint preparedness exercises and create uniform information and disclosure requirements that help build a true pan-European insurance market for cyber risks — an important growth segment in the insurance industry and an important contributor to reducing and assessing risks.
But if the EU wants to truly complete its banking union, it will have to go even further and create a much more tightly integrated cybersecurity infrastructure. The EU’s agency for cybersecurity, ENISA, is small and mostly provides support to national authorities. It could not provide for the cyber safety of a highly integrated European financial system.
European Commission President Ursula von der Leyen, who kickstarted Germany’s cybersecurity infrastructure as the country’s defense minister, should now invest political capital in creating a fully operational cybersecurity authority for the EU. Having one authority would be cheaper than having many national ones, and it would also be more effective, for example when it comes to attracting talent.
It’s time for Europe’s policymakers to send a clear signal: If they integrate further financially, they have to accept much greater levels of security cooperation.
The banking union emerged from an existential financial threat. But unless the EU coordinates better on cybersecurity, it risks becoming a threat itself.