Cybersecurity Regulation in the Financial Sector: Prospects of Legal Harmonisation in the EU and Beyond

Abstract

Over the past several years, the cybersecurity regulatory landscape has undergone unprecedented change. Bespoke cybersecurity laws and regulations have replaced pre-existing general risk management and business continuity rules in a number of jurisdictions, including the European Union, Hong Kong, Russia, the USA and Singapore. Cybersecurity has also become the focus of international rules and recommendations adopted by numerous international organisations. The financial sector lies at the centre of the new regulatory initiatives – which, in the absence of an agreed international approach, vary substantially across jurisdictions. This article analyses these emerging legal frameworks by (i) conducting a comparative study of the novel cybersecurity regulations in finance, (ii) identifying the common features of such frameworks and (iii) assessing the prospect of their harmonisation at an international level. It argues that international harmonisation in this area is necessary to overcome the underlying regulatory challenges and outlines the scope of rules amenable, first, to initial (de minimis) and, second, subsequent (more expansive) harmonisation. The article concludes with a list of main upcoming challenges in designing and harmonising cybersecurity regulations in finance and practical recommendations for overcoming them.