By Giovanni Campi and Sofia Karagianni
The Financial Stability Board (FSB) issued a consultation on a toolkit of measures designed to help ensure firms and regulators are well prepared to tackle cyber incidents. This consultation is part of the work initiated in 2017 following the launch of the FSB report gathering financial sector cybersecurity regulations, guidance and supervisory practices from several jurisdictions. The consultation is expected to lead to the submission of the toolkit to the G20 in October 2020.
The FSB highlights that the increasing level of digitalization of financial services coupled with the presence of high value assets and data, make the financial system vulnerable to operational incidents and cyber-attacks. The FSB took account of these issues and their impact on financial stability (if not properly contained). The FSB therefore set out a toolkit of best practices to assist financial market participants in the response and recovery process in relation to cyber incidents. The toolkit should not be understood as a standard or prescriptive recommendation for any particular approach.
It consists of 46 effective practices. They should not be implemented in one-size-fits all approach given the existing divergent regulatory frameworks, the size and the type of organization affected by cyber incidents. The FSB notes that more cyber incident response practices will gradually emerge, particularly as organizations move towards reliance on third-party service providers. The toolkit is structured around seven components:
- Governance: It involves defining the decision-making framework with clear steps and measures of success, and allocates responsibilities and accountabilities to ensure that the right stakeholders are engaged when a cyber incident occurs. The FSB indicates that apart from staff who are responsible for the cyber-attack response, organizations should also identify other key roles (such as the incident owner responsible for handling the cyber incident, a media spokesperson and independent observers to maintain an accurate record of the cyber incident throughout its different phases).
- Preparation: The FSB recommends the establishment and maintenance of capabilities to respond to cyber incidents and to restore critical functions, processes, activities, systems, and data affected by cyber incidents. It states that organizations can appoint primary and alternate cyber service providers in the event that the former is unavailable to provide immediate support, especially in the case of a system-wide cyber incident.
- Analysis: It is conducted to ensure effective response and recovery activities, including forensic analysis, and to determine the severity, impact and root cause of the cyber incident to drive appropriate response and recovery activities. The FSB mentions that organizations tend to use a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions, along with a pre-established severity assessment framework to help gauge the severity of the cyber incident.
- Mitigation: Mitigation activities are performed to prevent the aggravation of the situation and eradicate cyber threats in a timely manner to alleviate their impact on business operations and services.
- Restoration: It refers to the repair of systems or assets affected by a cyber incident to safely resume business-as-usual delivery of impacted services. Among others practices, the FSB underscores that companies need to isolate their digital data backups and keep them in different geographical locations to avoid a total collapse of their systems.
- Improvement: It addresses the implementation of processes to improve response and recovery capabilities through lessons learnt from past cyber incidents and from proactive tools, such as table top exercises, tests and drills.
- Coordination and communication: The aim is to coordinate with stakeholders to maintain good cyber situational awareness and enhance the cyber resilience of the ecosystem.
The consultation is an important step in the development of the G20 regulatory strategy for cyber security, which will be essential in post COVID-19 financial landscape.
Stakeholders can provide input until 20 July 2020.