Banks fighting cyber threats jointly
The Ministry of Finance is preparing an amendment to the Act on Banks and the Act on Savings and Credit Unions. Its primary purpose is to modify these laws according to changes that have been made to related legislation. Additionally, a new information database will come into existence to help banks to better inform each other on cyber security incidents and on measures taken to address them. The aim of all the actions is to enhance the prevention of cyber-attacks and to minimise potential losses.
The implementation of the information database follows a regulation in the Cyber Security Act, imposing on selected entities a duty to report, without delay, any cyber security incidents; this means any breach of information security in an information system, for example, the detection of fraud through the misuse of access passwords to internet banking. The database will be accessible to all banks, branches of foreign banks and the Czech National Bank. Of course, the banks will be obliged to keep confidential any information gathered from the database.
The purpose is to improve the banks’ awareness regarding possible cyber threats and to encourage their cooperation in addressing them. Experience has shown that once an attacker has attempted to compromise one bank’s system in a certain way, similar attempts to access other banks can be expected. The banks should also share information on the measures adopted to address such cyber security incidents within 30 days after their detection. Notably, the act does not stipulate a duty to always accept and implement a certain measure; this will always depend on the nature of the attack and other circumstances.
The amendment also extends the information duty vis-a-vis customers; introduces a new remedy in the form of a duty to replace the auditor; simplifies cross-border business for credit institutions; and reflects new reasons for lifting bank secrecy under the Act on the Police of the Czech Republic and the Act on the General Inspection of Security Forces. The wording of the amendment has not yet been approved by the government, which means that it still may change. The effective date is planned for 3 January 2018, the above described information database should start functioning from 1 January 2019.