Global financial systems overseer develops cyber response & recovery toolkit

The Financial Stability Board (FSB), the Basel-based global financial systems authority, is seeking public input on a set of 46 cyber incident response and recovery (CIRR) practices which aim to help financial institutions and government authorities worldwide uplift their collective cyber readiness.
 

The set of 46 practices is contained in a consultative document and structured across seven components: governance, preparation, analysis, mitigation, restoration, improvement, and finally, coordination and communication*.

FSB’s proposed CIRR toolkit will draw on insight from national authorities, international organisations and external stakeholders, as well as delivering a review of existing standards and case studies of cyber incidents.

According to the international body, the listed practices are intended as a “toolkit of options” rather than a “one size fits all approach” for financial institutions and national authorities.

Meanwhile, the FSB anticipates effective cyber practices will evolve in line with changing threat landscapes, as industries and authorities alike learn through shared experiences, garnering new insights.

The release of FSB’s consultative document comes as the body recognises the growing threat posed by security incidents to the stability of the global financial system.

“A major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications,” FSB said in the document.

These stability implications include “risks from interconnected IT systems between multiple financial institutions or between financial institutions and third-party service providers”, as well as “loss of confidence in financial institutions or a group of financial institutions”.

FSB further warned against blows to capital resulting from cyber incident-related losses – those beyond the expected market shocks resulting from negative news reports.

The international body appears in lockstep with Australia’s Prudential Regulatory Authority (APRA), which last July placed responsibility for cyber readiness firmly on the shoulders of boards, stressing the severity of cyber risk to the nation’s financial stability.

APRA’s information security standard CPS234 came into effect on 1 July 2019, requiring capability uplifts for regulated financial institutions across multiple security domains, including incident response.

Nevertheless, the prudential watchdog has offered a reprieve for institutions bearing the brunt of pandemic-related shutdowns, offering a six-month deferral in implementing an amendment to the CPS234 standard, albeit on a case-by-case basis.

FSB’s Effective Practices for Cyber Incident Response and Recovery document is open for feedback until July 20. Responses will be published on the body’s website, subject to respondents’ consent.

Hosted by the Bank of International Settlements in Switzerland, the FSB’s mandate is to “promote international financial stability”. The Board’s member countries include the G20 as well as the Netherlands, Switzerland and the wider European Union.

The FSB’s proposed CIRR toolkit can be viewed here.

*Of the core components outlined, the FSB offers further definition:

Governance – frameworks to establish how cyber incident response and recovery is organised and managed.

Preparation – capabilities to respond to cyber incidents, and actions to restore critical functions, processes, activities, systems and data affected by cyber incidents to normal operations.

Analysis – measures that support response and recovery activities, including forensic analysis, and that determine the severity, impact and root cause of the cyber incident to drive appropriate response and recovery activities.

Mitigation – steps to limit the aggravation of the situation and eradicate cyber threats in a timely manner, alleviating their impact on business operations and services.

Restoration – reparative and restorative action to digital systems or assets affected by a cyber incident, allowing safe resumption of business-as-usual delivery of impacted services.

Improvement – processes to improve response and recovery capabilities based on past cyber incidents and from proactive tools, such as tabletop exercises, tests and drills.

Coordination and communication – ability to coordinate with stakeholders to maintain good cyber situational awareness and enhance the cyber resilience of the ecosystem.