The Bank for International Settlements said there is still much work to do to tackle the international nature of cyber-risk, which requires a collaborative response from governments, regulators and industry and a high degree of alignment across national regulatory frameworks.
In a report, Regulatory approaches to enhance banks’ cybersecurity frameworks, the BIS said recent high-profile cyber-attacks on financial institutions have focused attention on the need to strengthen cyber-security, which is a major concern for most bank supervisors. For example, Unicredit, Italy's largest bank, last month said that the accounts of approximately 400,000 customers had been hacked, with the loss of data on personal loans.
Last month the Financial Stability Board also included the need to monitor cyber-risk arising from fintech and to identify the supervisory and regulatory issues from a financial stability perspective in its 2017 workplan. The FSB’s report for the July 2017 G20 Hamburg summit placed the need to mitigate the adverse impact of cyber-risk on financial stability among the top three priority areas for future international cooperation.
The BIS said the G7’s Fundamental elements is a step in the right direction but there is still much work to do.
“Differing regulatory frameworks for cyber-risk across jurisdictions have the same impact as regulations that are in conflict with existing technical standards,” added the BIS. “For banks operating in various jurisdictions, alignment of regulatory expectations would help them avoid conflicting guidance, some of which would be undertaken simply for compliance purposes without any real improvement in cyber-security.”
The BIS said it is necessary to explore further collaboration with the industry in strengthening banks’ cyber-security, and to pursue greater cross-border cooperation and harmonisation of practices. For example, in some jurisdictions such as Hong Kong and Singapore, regulators are working closely with the industry in creating or promoting platforms for intelligence-sharing, developing a pool of cyber-security professionals, and establishing guidelines on penetration testing.
“This could be a model that other jurisdictions could use, especially those with limited regulatory and supervisory resources, smaller banks, or a scarcity of cyber- and information security professionals,” added the BIS. “Moreover, given the scarcity of cyber-security resources and the cross-border nature of cyber-risk, the need for international harmonisation of regulatory expectations and supervisory cooperation cannot be overemphasised.”
The BIS also said the United Kingdom’s CBEST framework is a good example of a threat-informed or intelligence-led testing framework for assessing cyber-risk vulnerability and resilience. Under this approach, the simulated attack is not just a random hacking attempt but is based on what cyber-threat intelligence identifies as the bank's probable target systems and the attack methods likely to be used against them. Banks are then assessed on the quality of the intelligence gathered, as well as on their detection and response capabilities, and an appropriate remediation plan is put in place.
“Other jurisdictions are implementing a similar approach, modified as needed to suit local specificities,” added the BIS. “However, for most jurisdictions adoption of this approach could prove challenging, given the general scarcity of the two critical elements that must be present for this approach to be effective: (i) experienced cyber/information security professionals and (ii) sound cyber-threat intelligence.”
The full report can be read here.