The European Commission (Commission) has published the text of the G7 fundamental elements of cybersecurity in the financial sector together with an accompanying supporting statement. The Commission notes that the principles are designed for financial sector entities, both private and public, to be tailored to their specific operational and threat landscape, role in the sector, and legal and regulatory requirements. The G7 fundamental elements of cybersecurity consist of the following principles:
- cybersecurity strategy and framework: establish and maintain a cybersecurity strategy and framework tailored to specific risks and appropriately informed by international, national and industry standards and guidelines;
- governance: define and facilitate performance of roles and responsibilities for personnel implementing, managing and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority and access to the governing authority;
- risk and control assessment: identify functions, activities, products and services – including interconnections, dependencies and third parties – prioritise their relative importance, and assess their respective cyber risks. Identify and implement controls including systems, policies, procedures and training to protect against and manage those risks within the tolerance set by the governing authority;
- monitoring: establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits and exercises;
- response: timely (i) assess the nature, scope and impact of a cyber incident; (ii) contain the incident and mitigate its impact; (iii) notify internal and external stakeholders; and (iv) coordinate joint response activities as needed;
- recovery: resume operations responsibly while allowing for continued remediation, including (i) eliminating harmful remnants of the incident; (ii) restoring systems and data to normal and confirming normal state; (iii) identifying and mitigating all vulnerabilities that were exploited; (iv) remediating vulnerabilities to prevent similar incidents; and (v) communicating appropriately internally and externally;
- information sharing: engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders on threats, vulnerabilities, incidents and responses to enhance defences, limit damage, increase situational awareness and broaden learning; and
- continuous learning: review the cybersecurity strategy and framework regularly and when events warrant to address changes in cyber risks, allocate resources, identify and remediate gaps and incorporate lessons learned.
View G7 principles on cybersecurity for the financial sector, 11 October 2016
View Supporting statement – G7 fundamental elements of cybersecurity in the financial sector, 11 October 2016