Cyber threats are growing more sophisticated and dangerous on a daily basis, threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems. To address these risks, the below high-level fundamentals are designed for public or private financial sector entities to tailor to their specific operational and threat landscape and regulatory requirements.
These elements are not a catch-all; instead, they should serve as the building blocks upon which a complete cyber security strategy and operating framework can be built. The elements also provide steps in a dynamic process through which the entity can systematically re-evaluate its cyber security strategy and framework as the operational and threat environment evolves. Public authorities across jurisdictions can also use the elements to guide their public policy, regulatory, and supervisory efforts. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cyber security and resiliency of the international financial systems.
Element 1: Cyber Security Strategy and Framework
Establish and maintain a cyber security and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines.
The purpose of a cyber security strategy and framework is to specify how to identify, manage, and reduce cyber risks effectively in an integrated and comprehensive manner. Entities in the financial sector should establish cyber security strategies and frameworks tailored to their nature, size, complexity, risk profile, and culture. Informed by the cyber threat and vulnerability landscape, a jurisdiction can also establish sector-wide cyber security strategies and frameworks that outline how cooperation occurs between entities and public authorities in the financial sector, with sectors upon which the financial sector depends, and with other relevant jurisdictions.
Element 2: Governance
Define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cyber security strategy and framework to ensure accountability, and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities).
Effective governance structures reinforce accountability by articulating clear responsibilities and lines of reporting and escalation. Effective governance also mediates competing objectives and fosters communication among operating units, information technology, risk, and control-related activities. Consistent with their missions and strategies, boards of directors (or similar oversight bodies) should establish the cyber risk tolerance for their entities and oversee the design, implementation, and effectiveness of related cyber security programmes, consulting with third-parties where necessary.
Element 3: Risk and Control Assessment
Identify functions, activities, products, and services and prioritise their relative importance, then asses their respective cyber risks. Identify and implement controls - including systems, policies, procedures, and training - to protect against and manage those risks within the tolerance set by the governing authority.
Ideally as part of an enterprise risk management programme, entities should evaluate the inherent cyber risks (or the risk absent any compensating controls) presented by the people and underlying data that support each identified function. Entities should then identify and asses the existence and effectiveness of controls to protect against the identified risk to arrive at the residual cyber risk. Protection mechanisms can include avoiding or eliminating risk by not engaging in an identified activity, mitigating the risk through controls, or sharing or transferring the risk. In addition to evaluating an entity's own cyber risks from its functions, risk and control assessments should consider any cyber risks the entity presents to others and the financial sector as a whole. Public authorities should map critical economic functions in their financial systems as part of their risk and control assessments to identify single points of failure and concentration risk. The sector's critical economic functions range from deposit taking, lending, and payments, to trading, clearing, settlement, and custody.
Element 4: Monitoring
Establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.
Effective monitoring helps entities adhere to established risk tolerances and timely enhance or remediate weaknesses in existing controls. Testing and auditing protocols provides essential assurance mechanisms for entities and public authorities alike. Depending on the nature of an entity and its cyber risk profile and control environment, the testing and auditing functions should be appropriately independent from the personnel responsible for implementing and managing the cyber security programme. Through examinations, on-site and other supervisory mechanisms, comparative analysis of entities' testing results, and joint public-private exercises, public authorities can better understand sector-wide cyber threats and vulnerabilities, as well as individual entities' relative risk profiles and capabilities.
Element 5: Response
Timely (a) asses the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate; and (d) coordinate joint response activities as needed.
As part of their risk and control assessments, entities should implement incident response policies and other controls to facilitate effective incident response. Among other things, these controls should clearly address decision-making responsibilities, define escalation procedures, and establish processes for communicating with internal and external stakeholders. Exercising protocols within and among entities and public authorities contributes to more effective responses. Exercising also enables entities and public authorities to identify how potential decisions could affect each other's ability to maintain critical and other functions, services, and activities.
Element 6: Recovery
Resume operations responsibly, while allowing for continued remediation, including (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.
Once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritisation of critical economic and other functions and in accordance with objectives set by the relevant public authorities. Maintaining trust and confidence in the financial sector significantly improves when entities and public authorities have the ability to mutually assist each other in the resumption and recovery of critical functions, processes, and activities. Therefore, before an incident occurs, establishing and testing contingency plans for essential activities and key processes, such as funding, can contribute to a faster and more effective recovery.
Element 7: Information Sharing
Engage in the timely sharing of reliable, actionable cyber security information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and response to enhance defenses, limit damage, increase situational awareness, and broaden learning.
Sharing technical information, such as threat indicators or details on how vulnerabilities were exploited, allows entities to remain up-to-date in their defences and learn about emerging methods used by attackers. Sharing broader insights among entities deepens collective understanding of how attackers may exploit sector-wide vulnerabilities that could potentially disrupt critical economic functions and endanger financial stability. Given its importance, entities and public authorities should identify and address impediments to information sharing.
Element 8: Continuous Learning
Review the cyber security strategy framework regularly and when events warrant - including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components - to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.
Cyber threats and vulnerabilities evolve rapidly, as do the best practices and technical standards to address them. The composition of the financial sector also changes over time, as new types of entities, products, and services emerge, and third-party service providers are increasingly relied upon. Entity-specific, as well as sector-wide, cyber security strategies and frameworks need periodic reviews and updates to adapt to changes in the threat and control environment, enhance user awareness, and to effectively deploy resources. Other sectors, such as energy and telecommunications, present external dependencies; therefore, entities and public authorities should consider developments in these sectors as part of any review process.
Content courtesy of Gov.uk