Systemic Cyber Incident Coordination Framework (EU-SCICF)

What is the Systemic Cyber Incident Coordination Framework (EU-SCICF)?

On December 2, 2021, the European Systemic Risk Board (ESRB), responsible for the macroprudential oversight of the EU financial system and the prevention and mitigation of systemic risk, published a recommendation for the establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF).

The European Systemic Risk Board has a broad remit, covering banks, insurers, asset managers, shadow banks, financial market infrastructures and other financial institutions and markets. In pursuit of its macroprudential mandate, the ESRB monitors and assesses systemic risks and, where appropriate, issues warnings and recommendations.

According to the ESRB, there is a need to establish a pan-European systemic cyber incident coordination framework (EU-SCICF) for relevant authorities in the Union. The objective of the EU-SCICF would be to increase relevant authorities’ level of preparedness to facilitate a coordinated response to a potentially major cyber incident.

Major cyber incidents may pose a systemic risk to the financial system, given their potential to disrupt critical financial services and operations. The amplification of an initial shock can either occur through operational or financial contagion or through an erosion of confidence in the financial system. If the financial system is unable to absorb these shocks, financial stability will be at risk and this situation can result in a systemic cyber crisis.

Understanding the recommendations for the Systemic Cyber Incident Coordination Framework (EU-SCICF)

According to the (December 2021) recommendation from the European Systemic Risk Board (ESRB):

Recommendation A – Establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF).

1. It is recommended that, as envisaged in the Commission’s proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector (hereinafter ‘DORA’), the European Supervisory Authorities (ESAs), jointly through the Joint Committee, and together with the European Central Bank (ECB), the European Systemic Risk Board (ESRB) and relevant national authorities, start preparing for the gradual development of an effective Union-level coordinated response in the event of a cross-border major cyber incident or related threat that could have a systemic impact on the Union’s financial sector.

Preparatory work towards a Union-level coordinated response should entail the gradual development of EU-SCICF for the ESAs, the ECB, the ESRB and relevant national authorities. This also should include an assessment of the resource requirements for the effective development of the EU-SCICF.

2. It is recommended that the ESAs undertake, in view of sub-Recommendation A(1), in consultation with the ECB and the ESRB, a mapping and subsequent analysis of current impediments, legal and other operational barriers for the effective development of the EU-SCICF.

Recommendation B – Establishment of points of contact of the EU-SCICF.

It is recommended that the ESAs, the ECB and each Member State among their relevant national authorities should designate a main point of contact which should be communicated to the ESAs. This contact list will facilitate the development of the framework and, once the EU-SCICF is in place, the points of contact and the ESRB should be informed in case of a major cyber incident. Co-ordination should also be envisaged between the EU-SCICF and the designated single point of contact under Directive (EU) 2016/1148 that Member States have established on the security of network and information systems to ensure cross-border cooperation with other Member States and with the Network and Information Systems Cooperation Group.

Recommendation C – Appropriate measures at Union level.

It is recommended that, based on the result of the analyses carried out in accordance with Recommendation A, the Commission should consider the appropriate measures needed to ensure effective coordination of responses to systemic cyber incidents.

For sub-Recommendation A(1), the following compliance criteria are specified.

1. When preparing for an effective Union-level coordinated response which should entail the gradual development of the EU-SCICF by exercising the power envisaged in the future Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector (hereinafter ‘DORA’), the European Supervisory Authorities (ESAs), acting through the Joint Committee, and together with the European Central Bank (ECB), the European Systemic Risk Board (ESRB) and relevant national authorities, and in consultation with the European Union Agency for Network and Information Security and the Commission where considered necessary, should consider including in the envisaged preparation for the EU-SCICF at least the following aspects:

(a) analysis of the resource requirements for effective development of the EU-SCICF;

(b) developing crisis management and contingency exercises involving cyberattack scenarios with a view to developing communication channels;

(d) development of a coherent cyber incident classification;

(e) establishment of secure and reliable information sharing channels, including back-up systems;

(f) establishment of points of contact;

(g) address confidentiality in information sharing;

(h) collaboration and information sharing initiatives with financial sector cyber intelligence;

(i) development of effective activation and escalation processes through situational awareness;

(j) clarification of the responsibilities of framework participants;

(k) development of interfaces for cross-sectoral and, where relevant, third country coordination;

(l) ensuring coherent communication by relevant authorities with the public to preserve confidence;

(m) establishment of predefined communication lines for timely communication;

(n) performance of appropriate framework testing exercises, including cross-jurisdictional testing and third country coordination, and assessments which result in lessons learned and framework evolution;

(o) ensuring effective communication and countermeasures against disinformation.

16 April 2024 – The European Systemic Risk Board (ESRB) published the paper “Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024.”

According to the paper, the pan-European systemic cyber incident coordination framework (EU-SCICF) should build on the Digital Operational Resilience Act (DORA) for the financial sector and should complement existing frameworks (e.g. financial and cyber incident) as well as the Network and Information Security (NIS2) Directive and the Resilience of Critical Entities Directive (CER).

Read the paper: Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024

16 April 2024 - ESRB Recommendation to establish a pan-European systemic cyber incident coordination framework (EU-SCICF).

In 2021 the ESRB, recognising a gap in crisis coordination frameworks, recommended European supervisory authorities (ESAs) to start preparing for the gradual development of an effective EU level coordinated response in the event of a cross-border major cyber incident or a related threat that could have a systemic impact on the Union’s financial sector.

The ESRB recommended establishing the pan-European systemic cyber incident coordination framework (EU-SCICF). The EU-SCICF should build on the Digital Operational Resilience Act (DORA) for the financial sector and should complement existing frameworks (e.g. financial and cyber incident) as well as the Network and Information Security (NIS2) Directive and the Resilience of Critical Entities Directive (CER).

It will also consider the interplay between operational disruption (including mitigants and financial stability) and relevant macroprudential tools. The swift coordination and communication required, and bridging coordination and communication gaps between the relevant authorities at the Union level, will make it possible to:

• make an early assessment of a major cyber incident’s impact on financial stability;

• coordinate properly and develop a clear action plan, if required, among the financial authorities involved in planning a coordinated response to a major cyber incident;

• maintain confidence in the financial system;

• limit contagion across the financial sector.

The EU-SCICF will contribute to preventing a major cyber incident from becoming a risk to financial stability. It also establishes a list of designated points of contact for the ESAs, the ECB and each Member State.

The success of collaboration between private and public parties when an incident has occurred depends heavily on effective communication. At-crisis communication can be depicted by and described in three layers.

1. The first level is tactical and is where initial action is taken (e.g. IT teams restore systems, markets teams analyse how much liquidity may be needed and briefings are provided to other parts of the organisation). These teams establish communication lines to third parties and employees at other authorities with relevant technical capabilities, as well as internal communication between relevant units. The main actors at the tactical level are computer security incident response teams (CSIRTs).

2. The second level is operational and is where (macroprudential) coordination is initiated and management informed. This level has the main responsibility for coordination in a crisis. It is activated quickly for serious events and entails crisis preparedness and contact with higherlevel officials at other authorities (including other central banks), with other coordinating bodies and with the media. At this level, EU-wide frameworks such as the EU-SCICF may be activated.

3. The third level is strategic and deals with major policy questions such as changing liquidity policies and coordinating with the Government and advising it on major policy issues such as use of public funds. This level is particularly important for pan-European incidents where highlevel EU crisis management mechanisms (such as the Integrated Political Crisis Response) may be triggered.