The Financial Stability Board (FSB) has published a report setting out its conclusions following a stocktake on cybersecurity regulations, guidance and supervisory practices which were recently delivered to G20 Finance Ministers and Central Bank Governors.

The conclusions from the FSB’s stocktake of members include the following:

  • FSB member jurisdictions have been active in addressing cybersecurity for the financial sector;
  • FSB member jurisdictions report a significantly higher number of publicly released regulatory schemes than publicly released supervisory practices schemes;
  • international bodies also have been active in addressing cybersecurity for the financial sector;
  • all FSB member jurisdictions report drawing upon a small body of previously developed national or international guidance or standards of public authorities or private bodies in developing their cybersecurity regulatory and supervisory schemes for the financial sector;
  • the number of schemes of regulations and guidance addressing cybersecurity for the financial sector varied widely across jurisdictions;
  • jurisdictions reported that their regulatory schemes more commonly took a targeted approach to cybersecurity and/or IT risk (66% of reported schemes) and less commonly addressed operational risk generally (34% of reported schemes);
  • regulatory schemes categorised by jurisdictions as addressing operational risk often were characterised as principles-based, risk-based or proportional and specified the objectives to be met by regulated institutions;
  • there were 56 schemes of regulations and guidance reported as targeted to cybersecurity and/or IT risk, which covered a variety of content elements;
  • there were 35 schemes of reported supervisory practices, which covered a variety of content elements. Including review of policies and procedures, review of data security controls and review of governance arrangements;
  • there are a number of similarities across international guidance, with many of the same topics addressed, even though there are considerable differences in the scope of entities covered and date of issuance of the guidance;
  • jurisdictions remain active in the area of cybersecurity. Seventy-two percent of jurisdictions reported publicly released plans to issue new regulations, guidance or supervisory practices that address cybersecurity for the financial sector within the next year;
  • jurisdictions provided a wide range of responses when asked to cite practices that they deem effective in addressing cybersecurity through regulations, guidance and/or supervisory practices.

The FSB also discusses a recent workshop on cybersecurity noting that private sector participants emphasised that effective cybersecurity requires a strategic, forward-looking, fluid and proactive approach. Private sector participants also stressed the importance of integrating security with business operations, as well as the importance of governance and communication with a firm’s board.

View FSB publishes stocktake on cybersecurity regulatory and supervisory practices, 13 October 2017