The Financial Stability Board (FSB) has published a stocktake of financial sector cybersecurity regulations, guidance and supervisory practices across all 25 FSB member jurisdictions and nine international organisations.
Two key takeaways from this stocktake are that (i) the range of regulatory and supervisory practices across FSB member jurisdictions is broadly consistent but by no means harmonised; and (ii) the pace of new regulation in this area shows no sign of slackening:
- FSB member jurisdictions have been active in addressing cybersecurity through a variety of regulations, guidance and supervision, covering a range of financial institutions.
- FSB members have drawn in part on previously developed national or international standards in developing their cybersecurity regulations and supervisory schemes for the financial sector.
- All FSB members reported at least one regulatory scheme, with some reporting as many as 10. Most plan to issue new regulations, guidance or supervisory practices that address cybersecurity within the next year, including engaging in a self-assessment exercise, developing a cybersecurity strategy and issuing new cybersecurity regulation.
- Two-thirds of regulatory schemes took a targeted approach to cybersecurity and/or IT risk, while one-third addressed operational risk more generally.
- Targeted regulatory schemes focus primarily on risk assessment, regulatory reporting, the role of the board, third-party interconnections, system access controls, incident recovery, testing and training.
- Regulatory schemes addressing operational risk more generally were often principles-based, risk-based or proportionate and focused on the objectives to be met by regulated institutions: governance, risk assessment and risk management, policies, procedures and controls, prevention, detection and reduction of vulnerability, protection of information, third-party risks, security tests and independent review.
- Reported supervisory practices most frequently covered reviews of policies and procedures, programmes for monitoring, testing and auditing, data security controls, governance arrangements and risk assessment processes.
- Views varied on the most effective approaches, ranging from international standards to principles-based supervision and the role of the board and senior management in financial institutions.
Separately, an FSB workshop with financial institutions identified some concerns about cybersecurity regulation:
- it could become too prescriptive and too much of a compliance-focused approach, thereby stifling the development of more effective cybersecurity practices by industry participants;
- conflicting requirements across jurisdictions, including on timetables for required notification to regulators with respect to security incidents, penetration testing requirements, governance, data leakage protection and two-factor authentication requirements, and potential conflicts between privacy law requirements and cybersecurity requirements;
- similar, but not identical, requirements: for example, multiple versions of regulatory schemes all of which implement a single NIST control;
- unhelpful regulatory requirements, such as encryption requirements that may make it unduly difficult to search for cyber threats, and penetration testing that carries the risk that hackers could gain access to test results; and
- a lack of trust in the ability of the authorities to protect firm information.
The FSB did not look specifically at the cybersecurity framework for financial institutions in Ireland, namely the Central Bank’s Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks issued in September 2016. Rather, it looked at the framework used by the European Commission as a whole in its assessment.