As the financial services sector becomes ever more reliant on new technologies to decrease costs and create more efficient systems, it becomes more vulnerable to cyber attacks. On October 11, 2016, the Group of Seven (“G7”) industrial nations agreed on a set of guidelines to combat the cyber risks that are “growing more dangerous and diverse, [and] threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems.” These issues have been particularly visible following a number of high-profile cybersecurity attacks at financial institutions.
The G7 sought to address these issues through eight non-binding, fundamental elements to be used by entities as building blocks to design their cybersecurity strategy and operating framework.
The elements include:
- Cybersecurity Strategy Framework – establishing and maintaining a framework tailored to specific cyber risks, informed by the appropriate standards and guidelines.
- Governance – defining and facilitating roles and responsibilities of personnel to oversee the framework and provide the necessary resources and access to the governing authority.
- Risk and Control Assessment – identifying functions, activities, products and services and managing the risks within the tolerance set by the governing authority.
- Monitoring – establishing systematic monitoring processes to detect cyber incidents and evaluate the effectiveness of controls and procedures.
- Response – timely assessment, impact mitigation, notifying stakeholders and coordinating joint responses to cyber incidents.
- Recovery – resuming operations while allowing for continued remediation.
- Information Sharing – sharing of information on cybersecurity threats and risks with internal and external stakeholders.
- Continuous Learning – reviewing frameworks regularly and addressing changes in cyber risks.
The elements are designed to create cohesion between public authorities within and across jurisdictions who can use the elements to guide their public policy, regulatory, and supervisory efforts. They are designed as an alternative to specific regulatory standards, and as they are non-binding, allow for greater flexibility in implementation.