On 18 June 2019, the Cyber Task Force of the International Organization of Securities Commissions (IOSCO) published a final report that provides an overview of how its members are using three prominent and internationally recognised cyber frameworks (defined in the report as the ‘Core Standards’):
- National Institute of Standards and Technology Cybersecurity Framework;
- CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures; and
- International Organization for Standardization and International Electrotechnical Commission 27000 family of standards on information security management systems.
The report also:
- indicates how such existing cyber frameworks could help address any gaps identified in members’ current regimes; and
- provides a set of core questions that firms and regulators may use to promote awareness of cyber good practices or enhance their existing practices.
Some of the key findings in the report are:
- whilst many IOSCO members consider cyber to be at least one of the most important risks faced by regulated firms, other members consider it to be a risk like any other;
- the majority of IOSCO members indicate that their domestic regulations, guidance and/or supervisory practices are either “generally consistent” or “entirely consistent” with one of the Core Standards;
- almost half IOSCO members indicate that they are flexible and not prescriptive as to which of the Core Standards or otherwise firms may utilise to comply with applicable domestic regulations; and
- over a third of IOSCO members have reported that they have publicly declared plans to issue, within the next year, new regulations, guidance or supervisory practices that address cyber security for all or part of their financial sector.