Compliance Monitor
The legal landscape of cyber-security for financial institutions
“There are two kinds of big companies… There are those who’ve been hacked… and those who don’t know they’ve been hacked…” said the former FBI director, James Comey. Rhodri Thomas and Raphaella Pitt set out the plethora of laws and regulatory developments that financial services firms must consider as they advance their cyber-security strategies.
Rhodri Thomas (rhodri.thomas@freshfields.com) is a senior associate in the financial institutions disputes group at law firm Freshfields Bruckhaus Deringer.
The scale and sophistication of cyber-attacks on financial institutions are growing at an unprecedented rate. This brings not just operational and reputational risk, but also new types of legal risk. Cyber disturbances can lead to breaches of commercial contracts, with customers or counterparties now far more likely to experience disruptions in ‘real time’ owing to the instant nature of digitalised financial services. Firms must adhere to new laws and regulations designed to protect data and systems, and where legislation has failed to keep up with the pace of technological developments, institutions face real challenges in ensuring that new systems and products comply with outdated rules.