This consultative document provides a toolkit of effective practices to assist financial institutions before, during and after a cyber incident.

Cyber incidents pose a threat to the stability of the global financial system. In recent years, there have been a number of major cyber incidents that have significantly impacted financial institutions and the ecosystems in which they operate. A major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.

Efficient and effective response to and recovery from a cyber incident by organisations in the financial ecosystem are essential to limiting any related financial stability risks. Such risks could arise, for example, from interconnected information technology systems between multiple financial institutions or between financial institutions and third-party service providers, from loss of confidence in a major financial institution or group of financial institutions, or from impacts on capital arising from losses due to the incident. The toolkit lists 46 effective practices, structured across seven components:

  1. Governance – frames how cyber incident response and recovery is organised and managed.

  2. Preparation – to establish and maintain capabilities to respond to cyber incidents, and to restore critical functions, processes, activities, systems and data affected by cyber incidents to normal operations.

  3. Analysis – to ensure effective response and recovery activities, including forensic analysis, and to determine the severity, impact and root cause of the cyber incident to drive appropriate response and recovery activities.

  4. Mitigation – to prevent the aggravation of the situation and eradicate cyber threats in a timely manner to alleviate their impact on business operations and services.

  5. Restoration – to repair and restore systems or assets affected by a cyber incident to safely resume business-as-usual delivery of impacted services.

  6. Improvement – to establish processes to improve response and recovery capabilities through lessons learnt from past cyber incidents and from proactive tools, such as tabletop exercises, tests and drills.

  7. Coordination and communication – to coordinate with stakeholders to maintain good cyber situational awareness and enhance the cyber resilience of the ecosystem.

Responses to this consultation report should be sent to [email protected] by Monday 20 July 2020, with “CIRR” in the e-mail subject line. An optional template for submitting responses to optional guiding questions can be downloaded here. Responses will be published on the FSB website unless respondents expressly request otherwise. The final toolkit, taking on board feedback from public consultation, will be published in October 2020.