The Financial Stability Board (FSB) has published a stocktake of financial sector cybersecurity regulations, guidance and supervisory practices across all 25 FSB member jurisdictions and nine international organisations.
Two key takeaways from this stocktake are that (i) the range of regulatory and supervisory practices across FSB member jurisdictions are broadly consistent but by no means harmonised; and (ii) the pace of new regulation in this area shows no sign of slackening:
- FSB member jurisdictions have been active in addressing cybersecurity through a variety of regulations, guidance and supervision, covering a range of financial institutions - almost all cover banks and FMIs, while the majority cover trading venues, insurance companies, broker dealers and asset managers.
- FSB members have drawn in part on previously developed national or international standards in developing their cybersecurity regulations and supervisory schemes for the financial sector.
- All FSB members reported at least one regulatory scheme, with some reporting as many as 10. Most plan to issue new regulations, guidance or supervisory practices that address cybersecurity within the next year, including engaging FMIs in a self-assessment exercise, developing a cybersecurity strategy and issuing new cybersecurity regulation.
- Two-thirds of regulatory schemes took a targeted approach to cybersecurity and/or IT risk, while one-third addressed operational risk more generally.
- Targeted regulatory schemes focus primarily on risk assessment, regulatory reporting, the role of the board, third-party interconnections, system access controls, incident recovery, testing and training.
- Regulatory schemes addressing operational risk more generally were often principles-based, risk-based or proportional and focused on the objectives to be met by regulated institutions - governance, risk assessment and risk management, policies, procedures and controls, prevention, detection and reduction of vulnerability, protection of information, third-party risks, security tests and independent review.
- Reported supervisory practices most frequently covered reviews of policies and procedures, programmes for monitoring, testing and auditing, data security controls, governance arrangements and risk assessment processes.
- Views varied on the most effective approaches, ranging from international standards to principles-based supervision and the role of the board and senior management in financial institutions.
- International bodies have also been active in addressing cybersecurity for the financial sector, publishing guidance on a range of subjects including electronic banking, FMIs and critical information infrastructures. This guidance generally contains some common topics, such as governance, risk analysis and assessment, information security, security controls and incident prevention, expertise and training, monitoring and testing, and incident response and recovery.
Separately, an FSB workshop with financial institutions identified some concerns about cybersecurity regulation:
- it could become too prescriptive and compliance-focused approach, thereby stifling the development of more effective cybersecurity practices by industry participants;
- conflicting requirements across jurisdictions, including on timetables for required notification to regulators with respect to security incidents, penetration testing requirements, governance, data leakage protection and two-factor authentication requirements, and potential conflicts between privacy law requirements and cybersecurity requirements;
- similar, but not identical, requirements, for example multiple versions of regulatory schemes all of which implement a single NIST control;
- unhelpful regulatory requirements, such as encryption requirements that may make it unduly difficult to search for cyber threats, and penetration testing that carries the risk that hackers could gain access to test results; and
- a lack of trust in the ability of the authorities to protect firm information.