Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices
This report presents conclusions from a stocktake on cybersecurity regulations, guidance and supervisory practices, which was delivered to the October 2017 G20 Finance Ministers and Central Bank Governors meeting in Washington DC. With the aim of enhancing cross-border cooperation, the G20 at its March 2017 meeting in Baden-Baden asked the FSB, as a first step, to perform the stocktake.
The G20 has noted that cyber attacks have the potential to disrupt financial services that are crucial to both national and international financial systems and to endanger financial stability. The changing nature of cyber risk to financial institutions is driven by several factors, including evolving technology, interconnections among financial institutions and between financial institutions and external parties, and determined efforts by cyber criminals to find new methods to attack and compromise information technology systems. Authorities across the globe have taken regulatory and supervisory steps to facilitate both the mitigation of cyber risk by financial institutions, and their effective response to, and recovery from, cyber attacks.
The summary report was published together with a detailed analysis of the results of the stocktake. The reports are informed by the responses of FSB member jurisdictions and international bodies to a survey conducted by the FSB. The summary report also sets out key themes raised in an FSB workshop in September that brought together public and private sector participants to discuss cybersecurity in the financial sector.
FSB member jurisdictions have been active in addressing cybersecurity, with all member jurisdictions having released regulations or guidance that address cybersecurity for the financial sector. Findings of the FSB stocktake include:
All FSB member jurisdictions report drawing upon a small body of previously developed national or international guidance or standards when developing their own regulatory or supervisory schemes for the financial sector.
Two-thirds of reported regulatory schemes take a targeted approach to cybersecurity and/or information technology risk, and one-third address operational risk generally.
Elements commonly covered by regulatory schemes targeted at cybersecurity include risk assessment, regulatory reporting, the role of the board, third-party interconnections, system access controls, incident recovery, testing and training.
Jurisdictions remain active in further developing their regulation and guidance. Seventy-two per cent of jurisdictions report plans to issue new regulations, guidance or supervisory practices that address cybersecurity for the financial sector within the next year.
International bodies also have been active in addressing cybersecurity for the financial sector. There are a number of similarities across the international guidance issued by different sectoral standard-setting bodies and other international organisations. Many of the same topics are addressed, including governance, risk analysis and assessment, information security, expertise and training, incident response and recovery, communications and information sharing, and oversight of interconnections.
Private sector participants at the workshop emphasised that effective cybersecurity requires a strategic, forward-looking, fluid and proactive approach and noted the importance of integrating security with business operations, as well as the importance of governance and communication with a firm’s board. They expressed support for principles-based, risk-based and proportional regulation, and also stressed the importance of a globally consistent approach that avoids multiple, potentially conflicting regulatory schemes.