Brexit and cyber attacks are two of the "key risks to the EU financial system", the joint committee of the EU supervisory authorities (ESAs) has said.

The potential for "sudden risk premia reversals", and risks around the "sustainability of investments" stemming from "climate change and the transition to a lower-carbon economy" were also identified in the committee's new spring 2018 risk report (15-page / 1.03MB PDF).

The committee provides for cooperation between the European Banking Authority (EBA), European Securities and Markets Authority (ESMA) and European Insurance and Occupational Pensions Authority (EIOPA).

According to the risk report, financial services firms should look at how to provide for "contract continuity", as well as whether they need to relocate some of their operations, with Brexit coming.

"EU financial institutions and their counterparties, as well as investors and retail consumers should consider appropriate mitigation actions to prepare for the UK's withdrawal from the EU in a timely manner," the regulators said. "Such contingency planning should consider timely responses to all potential challenges, such as contract continuity and possible relocations."

A recent report by Pinsent Masons, the law firm behind Out-Law.com, found that the majority of the UK's biggest companies have already triggered Brexit 'no deal' contingency plans. Businesses that undertake comprehensive structured scenario planning around Brexit will be best prepared for the changes Brexit promises and to meet their duties to shareholders, Guy Lougher of Pinsent Masons said at the time.

In its report, the EU regulators also called for continued scrutiny of cyber risk at financial institutions by national authorities.

"Cyber risks threaten data integrity, data confidentiality, data protection and business continuity," the regulators said. "The risk is particularly significant because of possible multiplier effects, leading to further business risks, such as supply chain risk and reputational risk. Moreover, it can trigger high (legal) costs, for example in cases of data breaches with notifications, litigation and solution, as well as in case of fraud. Insufficient protection against cyber incidents and a disruption in the availability of critical IT infrastructures could lead to major damages for financial institutions concerned, and potentially to the wider financial system."

"Moving forward, supervisors should continue to encourage financial institutions to improve the robustness of IT systems, and to address concerns about connectivity and outsourcing to third-party providers. They should pay particular attention to cybercrime risks and information security risks," they said.

Within the risk report, it was also announced that ESMA will undertake a new "supervisory project on cloud computing".

"The main objective of the project is to explore the compliance risk of cloud computing outsourcing, with a view to formulating a clearer supervisory response and strategy," the report said.

Requirements for regulators around addressing cloud outsourcing risks will be based on recommendations on outsourcing to cloud service providers that the EBA published for financial institutions last year, it said.

ESMA is also considering developing "further general guidance on outsourcing to cloud computing service providers for market participants", according to the report.

Luke Scanlon, expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com, has scrutinised the EBA's cloud guidance, including in respect of what it says about when financial institutions must notify regulators about their cloud arrangements, and further highlighted the need for more detailed direction to be given to banks and other financial institutions on the steps they need to take to comply with financial regulation when outsourcing business operations to the cloud.

Useful Links

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.