Agefi Luxembourg - November 2024
AGEFI Luxembourg, page 46, November 2024, section "Informatique financière" (Financial IT)

By Oriane KAESMANN, Research Manager, the LHoFT

Compliance officers across the European Union are grappling with the demands of the new NIS2. Replacing the previous NIS1 Directive (1), NIS2 (Directive (EU) 2022/2555 (2)) sets more stringent cybersecurity requirements across "highly critical" sectors, from energy to digital infrastructure, including banking and financial market infrastructures. But NIS2 is more than a checklist of requirements; it represents a whole new field of action. For compliance teams facing "compliance fatigue", the key to success lies in mastering two foundational principles: the all-hazards approach and cyber hygiene. By adopting a comprehensive approach to risk management and security, compliance leaders can enhance their organisations' resilience, better preparing them for a secure digital future.

The All-Hazards Approach

What is it?

NIS2's all-hazards approach (3) pushes organisations to look beyond conventional IT threats, requiring a broad assessment of risks across all operational areas, from HR to the supply chain. Cyber incidents may be the most prominent risks, but NIS2 recognises that any area that indirectly supports IT infrastructure can pose security threats if left unmanaged.

- IT risks: Traditional vulnerabilities such as system flaws, network weaknesses and outdated software remain critical, particularly given today's advanced malware and phishing tactics. Companies should favour proactive measures, such as penetration testing and intrusion detection, to reduce these risks. The 2017 WannaCry ransomware attack (4), which exploited an unpatched software vulnerability and affected systems worldwide, highlighted the importance of vigilant IT risk management.

- HR risks: Security also depends heavily on personnel. Untrained staff can accidentally expose systems to cyber threats.
Compliance teams must address issues such as data misuse, insider threats and social engineering, and NIS2 requires the members of management bodies to follow cybersecurity training (5), underscoring the need for a proactive approach to HR risk management.

- Supply chain risks: A company's cybersecurity is often only as strong as that of its partners. The SolarWinds breach (6) illustrated how a compromised third-party software update can let attackers infiltrate even well-defended organisations. NIS2 requires rigorous third-party risk assessments (7), ensuring that all service providers adhere to cybersecurity standards to protect the entire supply chain.

Why it matters

NIS2 underscores that resilience is not just about IT defences; it is about securing the continuity of the entire organisation. This broad approach equips companies to adapt to unexpected disruptions, protecting all components of the operation and minimising downtime. Compliance leaders who adopt the all-hazards framework strengthen their organisation's reliability and contribute to a more comprehensive shield against potential crises.

How the leaders do it

Top compliance professionals see NIS2's all-hazards approach as a strategic defence tool. They foster resilience by embedding a culture of risk awareness across all departments, ensuring that everyone from HR to procurement understands their role in cybersecurity. This unified effort ensures that all organisational components support the digital security strategy and align with regulatory standards.

Cyber Hygiene, the First Line of Defence

The daily routine

Just as personal hygiene protects physical health, cyber hygiene practices provide essential protection against cyber threats. For NIS2 compliance, fundamental cybersecurity measures such as multi-factor authentication, encryption and secure communication channels are non-negotiable.
These actions create an affordable, effective cybersecurity foundation that can scale with evolving threats. Article 21(2) of the Directive names them explicitly: basic cyber hygiene practices and cybersecurity training (point (g)), policies and procedures on the use of cryptography and, where appropriate, encryption (point (h)), and multi-factor or continuous authentication together with secured voice, video and text communications (point (j)).

- Multi-factor authentication (MFA): Requiring more than one verification factor significantly reduces the risk of unauthorised access, since a stolen or phished password alone is no longer enough. MFA is essential, particularly for sectors such as finance, where data breaches carry severe consequences.

- Encryption: Safeguarding data in transit and at rest keeps sensitive information secure even if it is accessed illegally, provided the keys are managed separately from the data they protect. In May 2024, Ticketmaster suffered a significant data breach (8) in which attackers accessed customer data that had been stored unencrypted, including names, addresses, emails, phone numbers and partial credit card details, emphasising the critical importance of robust encryption policies to protect sensitive customer information.

- Secure communication channels: All data within an organisation should flow through secure channels. Tools such as VPNs and end-to-end encrypted messaging reduce the risk of eavesdropping or interception, strengthening internal security.

Why it matters

Cyber hygiene is more than "best practice"; it is essential for reducing infiltration risks. Without consistent application, even sophisticated systems can fail. By embedding these fundamentals into daily routines, compliance professionals protect their organisations and ensure security awareness aligned with NIS2's standards.

How the leaders approach it

Leading compliance officers make cyber hygiene a core aspect of organisational culture. They collaborate with IT and department heads to ensure cyber hygiene becomes second nature for all employees. Through regular cybersecurity training and reinforcement of daily protocols, compliance professionals cultivate a shared responsibility for cybersecurity that extends beyond compliance, building long-term resilience.

Conclusion: the Stakes and the Path to Resilience

With administrative fines for essential entities reaching at least €10 million or 2% of total worldwide annual turnover, whichever is higher (9), the stakes of NIS2 compliance are high.
However, for compliance leaders, the drive toward NIS2 compliance is about more than avoiding penalties: it is about building a stronger, more resilient organisation. By mastering the all-hazards approach and instilling cyber hygiene practices, compliance officers are doing more than meeting regulatory demands. They are fortifying their organisations against threats, elevating security and embedding cybersecurity deeply into their operational culture. As the European Union steps into this new cybersecurity era, the role of the compliance officer is expanding, requiring a proactive approach to risk management and innovation. By championing NIS2's principles, professionals contribute to establishing robust systems that can withstand tomorrow's challenges, keeping their organisations secure and adaptable in a rapidly evolving digital landscape.

[Illustration: "NIS2 - Keep Calm and Carry On Reporting", © Midjourney]

Notes

1) As of October 2024: "Directive 2016/1148/EU (Network and Information Systems) (NIS) will be repealed by Directive 2022/2555/EU (NIS2), dated 14 December 2022, which shall be implemented by the member states by 17 October 2024. Entities of the banking and financial sector fall within the scope of application of the NIS2 Directive.
However, with regard to financial entities, this Directive shall be read in conjunction with Regulation 2022/2554/EU on digital operational resilience for the financial sector (DORA), which will be applicable as of 17 January 2025, with a direct effect in all member states." Source: https://lc.cx/da4Ziu
2) Consolidated text: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance). https://lc.cx/p1UTL8
3) See Article 21(2): "The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents..."
4) Josh Fruhlinger (24 Aug 2022), "WannaCry explained: A perfect ransomware storm". https://lc.cx/5aoR5S
5) See Article 20(2): "Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."
6) Saheed Oladimeji, Sean Michael Kerner (03 Nov 2023), "SolarWinds hack explained: Everything you need to know". https://lc.cx/_d-FMn
7) See Article 21(2)(d): "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;"
8) Mark Sellman (30 May 2024), "Ticketmaster customers urged to change passwords after global hack".
9) See Article 34(4): "4.
Member States shall ensure that where they infringe Article 21 or 23, essential entities are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher."

Box: the financial sectors among the "highly critical" sectors listed in Annex I of Directive (EU) 2022/2555
3. Banking: credit institutions as defined in Article 4, point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council.
4. Financial market infrastructures: operators of trading venues as defined in Article 4, point (24), of Directive 2014/65/EU of the European Parliament and of the Council; central counterparties (CCPs) as defined in Article 2, point (1), of Regulation (EU) No 648/2012 of the European Parliament and of the Council.

When Innovation Meets Oversight: The Role of AI in Compliance Strategies

By Eve WHITTAKER, Director, Financial Crime Compliance, EMEA, LexisNexis Risk Solutions

Unsurprisingly, artificial intelligence (AI) has become a buzzword in compliance. Increasing complexity in regulation and mounting data volumes drive up the cost of compliance. Countries are likely to add layers as they develop their own rules, with the EU's AI regulation being one of the first. Consequently, the need for systems that streamline processes and reduce manual effort has reached new levels. AI holds enormous potential to transform compliance by significantly enhancing both efficacy and efficiency. However, organizations must overcome various challenges to implement AI effectively. So, what does it mean to adopt AI in practice?

Fundamentals of AI in Compliance

Let's first define AI. AI is typically defined as machine-based systems, including generative AI systems, that autonomously infer solutions for specific tasks. These systems leverage data to infer insights, recognize patterns, predict future outcomes and process language.
Although there is some disagreement about what constitutes "true AI," the term encompasses various technologies with multiple applications. These include machine learning (ML), natural language processing and deep learning powered by neural networks. In regulated environments, it's important to have this sort of inclusive definitional breadth because regulations typically focus less on methods (ML vs. AI) and more on ensuring responsible actions related to explainability, privacy, transparency and bias.

Organizations currently most commonly adopt machine learning as a form of AI, where AI represents the systems and machine learning represents the algorithms guiding those systems. Applying ML typically involves using a set of data to train models that perform tasks like regression, classification and anomaly detection, generating highly accurate risk predictions. Organizations enhance efficiency in transaction monitoring and sanctions screening by layering these models over rules-based detection systems. A model can learn to distinguish true risks or true matches from false positives, reducing alert volumes and improving the ratio of alerts to true positives. ML also flags anomalies that indicate suspicious activity, enhancing the breadth and speed of risk detection to make compliance functions more effective.

Recent advancements in large language model technology, including generative AI, have sparked an increase in text-based mining, which is typical in financial crime compliance. One application involves processing unstructured data to derive meaningful insights without extensive manual effort. Unstructured information holds valuable insights, and efficiently extracting and structuring this data to form comprehensive counterparty profiles can significantly enhance know-your-customer, due diligence and investigation processes.
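The "model layered over rules" pattern described above for transaction monitoring, as an added example written for this edit (not code from the article or from LexisNexis). A deterministic rules engine raises alerts; a logistic regression fitted by plain gradient descent on past analyst dispositions then scores each alert so that only the likely true positives reach an analyst. The customers, transactions, thresholds, feature design and the eight historical dispositions are all constructed for illustration, and the model stands in for whatever a vendor would actually deploy.

```python
"""Rules-based transaction monitoring with an ML triage layer on top.

Added example, not code from the article or from LexisNexis. Customers,
transactions, the reporting threshold and the past alert dispositions are
constructed for illustration.
"""
import math
from dataclasses import dataclass

REPORTING_THRESHOLD = 10_000.0  # constructed figure, not a statutory threshold


@dataclass
class Customer:
    cid: str
    avg_tx: float        # historical mean transfer amount
    std_tx: float        # historical standard deviation of transfers
    tenure_years: float  # age of the relationship


@dataclass
class Tx:
    customer: Customer
    amount: float
    high_risk_counterparty: bool
    near_threshold_7d: int  # earlier transfers just under the threshold this week


def features(tx):
    """Bounded, scaled features so plain gradient descent stays stable."""
    z = (tx.amount - tx.customer.avg_tx) / tx.customer.std_tx
    return [
        min(max(z, 0.0), 3.0),                  # how unusual the amount is for this customer
        1.0 if tx.high_risk_counterparty else 0.0,
        min(tx.near_threshold_7d, 3) / 3.0,     # structuring indicator
        min(tx.customer.tenure_years, 10.0) / 10.0,
    ]


def rule_alerts(txs):
    """Layer 1: any rule that trips raises an alert. This is the noisy stage."""
    alerts = []
    for tx in txs:
        z = (tx.amount - tx.customer.avg_tx) / tx.customer.std_tx
        reasons = []
        if tx.amount >= REPORTING_THRESHOLD:
            reasons.append("over_threshold")
        if z > 2.0:
            reasons.append("unusual_amount")
        if tx.high_risk_counterparty:
            reasons.append("high_risk_counterparty")
        if tx.near_threshold_7d >= 2:
            reasons.append("possible_structuring")
        if reasons:
            alerts.append((tx, reasons, features(tx)))
    return alerts


def sigmoid(t):
    return 1.0 / (1.0 + math.exp(-t))


def train_logistic(X, y, lr=0.1, epochs=5000):
    """Layer 2: logistic regression fitted on analyst-dispositioned past alerts."""
    d = len(X[0])
    w = [0.0] * (d + 1)  # last entry is the bias
    for _ in range(epochs):
        grad = [0.0] * (d + 1)
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + w[d]) - yi
            for j in range(d):
                grad[j] += err * xi[j]
            grad[d] += err
        w = [wj - lr * g / len(X) for wj, g in zip(w, grad)]
    return w


def score(w, x):
    return sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + w[-1])


def triage(w, alerts, threshold=0.5):
    """Split rule alerts into those an analyst sees and those closed automatically."""
    escalate, suppress = [], []
    for tx, reasons, x in alerts:
        s = round(score(w, x), 3)
        (escalate if s >= threshold else suppress).append((tx.customer.cid, reasons, s))
    return escalate, suppress


# Constructed past alerts as feature vectors, with the analyst's final disposition
# (1 = confirmed suspicious, 0 = false positive).
HIST_X = [
    [2.5, 1.0, 1.00, 0.10], [3.0, 1.0, 0.67, 0.20],
    [2.0, 0.0, 1.00, 0.10], [3.0, 1.0, 0.00, 0.30],   # confirmed suspicious
    [0.0, 0.0, 0.00, 0.80], [0.2, 0.0, 0.00, 0.90],
    [2.2, 0.0, 0.00, 0.70], [0.5, 0.0, 0.33, 0.90],   # false positives
]
HIST_Y = [1, 1, 1, 1, 0, 0, 0, 0]

# Constructed transactions arriving today.
ACME = Customer("acme-payroll", avg_tx=9_500.0, std_tx=1_000.0, tenure_years=9.0)
NEWCO = Customer("newco-7", avg_tx=800.0, std_tx=300.0, tenure_years=0.5)
SHOP = Customer("corner-shop", avg_tx=2_000.0, std_tx=500.0, tenure_years=4.0)
TODAY = [
    Tx(ACME, 10_200.0, False, 0),  # routine payroll run that trips the threshold rule
    Tx(NEWCO, 9_800.0, True, 3),   # new customer, high-risk counterparty, structuring
    Tx(SHOP, 2_100.0, False, 0),   # nothing unusual
]


def run_demo():
    w = train_logistic(HIST_X, HIST_Y)
    alerts = rule_alerts(TODAY)
    escalate, suppress = triage(w, alerts)
    return {
        "weights": w,
        "rule_alerts": len(alerts),
        "escalated": [cid for cid, _, _ in escalate],
        "suppressed": [cid for cid, _, _ in suppress],
        # share of rule alerts an analyst no longer has to open
        "alert_reduction": 1 - len(escalate) / len(alerts) if alerts else 0.0,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two things the article's caveats translate into here. The learned weights are four readable numbers, so an analyst can state why an alert was closed (the "explainability" the text asks for); a deep model would need a separate explanation technique. And the model only knows what the historical dispositions taught it, so a biased or lazy closing history is learned as policy: the suppressed queue should be sampled for quality review, and the threshold is a recall-versus-volume trade-off that the compliance function, not the data scientist, has to own.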
These models also augment adverse media screening through powerful entity resolution and sentiment analysis, minimizing mismatched hits and capturing a broader spectrum of risk. Additionally, the ability to process and structure various data forms aids in cleaning and organizing messy or inconsistent data entering an organization, streamlining data management operations. AI technologies offer numerous applications. While they present tangible benefits such as considerable time savings, improved risk detection and more effective compliance functions, users must remain aware of the associated risks and challenges.

Ensuring Responsible AI Implementation

Implementing AI responsibly remains a major concern. Ensuring that models are fair, trustworthy, safe, secure and reliable is crucial, especially when their outputs can affect people's lives. Steps toward responsible AI deployment include thoroughly testing models for bias and rigorously examining training data for over- or under-representation of key groups. Focusing on responsible AI allows organizations to proactively address many compliance concerns.

Explainability of an AI solution means understanding why a model produces a certain output. This is crucial for ensuring reliability and gaining an accurate view of risk. AI models are becoming more explainable, with established techniques that reveal the connections between input data and outputs, providing assurance and clarity. Although complexity increases with advanced technologies like large language models, deep learning and generative AI, a thorough understanding of the underlying models and training datasets, together with strong governance processes to maintain oversight of the solution's impact, can help address this issue.

The EU AI Act, which entered into force on 1 August 2024, is the main legislation governing AI activities in the EU across all sectors and focuses on ensuring the transparency and safety of AI applications.
The Act sets requirements according to a system's risk level, categorizing systems that could affect safety, well-being or fundamental rights as high-risk. Many banking applications used in the underwriting process are considered high-risk because they evaluate creditworthiness, a step in the "access to credit" workflow. High-risk systems must adhere to more stringent requirements regarding transparency, governance and documentation. General-purpose AI models, i.e. models pre-trained on large datasets, face additional transparency requirements under the Act. Consequently, all AI applications must undergo thorough risk assessments, adding another layer of scrutiny for compliance functions. AI solutions must also operate within existing data protection and cybersecurity frameworks, adhering to sector-specific controls such as the Digital Operational Resilience Act (DORA). Financial regulators globally have started recognizing AI's benefits in compliance, increasingly referencing its responsible application for use cases such as reducing false positives, provided all regulatory, transparency and security requirements are satisfied.

Organizations face many challenges when adopting AI solutions, including in-house data science skills, infrastructural resilience, data readiness and the operational impact on the business. They must identify which use cases will provide the most value relative to the potential implementation costs. With careful controls and a responsible deployment approach, AI can significantly benefit compliance functions.