Sector CIP Instruments - Financial Sector
This page presents a comprehensive annotated list of Critical Infrastructure Protection (CIP) resources specifically tailored to the financial sector.
Incorporating cyber resilience considerations to ensure confidentiality, reliability, and safety will contribute to advancing SDG8, which aims to promote sustainable, inclusive, and robust economic growth, as well as full and productive employment, and decent work for all.
Financial Institutions Urgently Need to Incorporate Better Safeguards
Among emerging market and developing economies, most financial supervisors have not introduced cybersecurity regulations or built the resources to enforce them, according to a recent IMF survey of 51 countries.
- 56 percent of the central banks or supervisory authorities do not have a national cyber strategy for the financial sector.
- 42 percent lack a dedicated cybersecurity or technology risk-management regulation, and 68 percent lack a specialized risk unit as part of their supervision department.
- 64 percent do not mandate testing and exercising cyber security measures or provide further guidance.
- 54 percent lack a dedicated cyber incident reporting regime.
Financial Market Infrastructure Key Cyber Resilience Issues
The CPMI-IOSCO report reviews the state of cyber resilience (as of February 2021) at a sample of 37 financial market infrastructures (FMIs) from 29 jurisdictions. It found significant gaps:
- Shortcomings in established response and recovery plans to meet the two-hour recovery time objective (2hRTO) under extreme cyber-attack scenarios;
- A lack of cyber resilience testing after a significant system change;
- A lack of comprehensive scenario-based testing; and
- Inadequate involvement of relevant stakeholders in testing of their responses.
The financial sector has experienced significant adoption and disruption due to the emergence of new technologies. The extent of adoption, growth, and impact has varied considerably depending on factors such as the local market, institutional maturity, infrastructure development, culture, and more. However, the reliance on and relationship with IT services and infrastructure have become increasingly important, leading to the emergence of guidelines, policies, regulations, and practices specific to this sector. We have summarized some of these sector-related regulations in the table below.
Organization | Title | Year | Type | Description
--- | --- | --- | --- | ---
interface | Navigating the EU Cybersecurity Policy Ecosystem: A Comprehensive Overview of Legislation, Policies and Actors. Policy Area 3: Economic, Monetary and Commercial Policy | 2024 | Compendium | This compendium reviews the EU cybersecurity policy by providing: […] Within the scope of this compendium are all (i) EU legal acts published in the EU’s Official Journal and (ii) EU policies that were published up until or were in force by May 31, 2024, and contain cybersecurity and/or information security-related components (explicitly or implicitly).
| Thematic Report on national financial education initiatives on digitalization, with a focus on cybersecurity, scams and fraud | 2023 | Best Practice | The three European Supervisory Authorities (EBA, EIOPA, and ESMA, collectively the ESAs) published a joint thematic report on national financial education initiatives on digitalization, with a focus on cybersecurity, scams, and fraud. The report identifies good practices that national competent authorities (NCAs) and other public entities can follow when designing and implementing their financial education initiatives. The ESAs found the lack of financial literacy and unfamiliarity with digital technologies to be key drivers of the risks arising from the use of digital financial services, and also identified financial vulnerability and exclusion. Access to digital channels and digital infrastructure has become a prerequisite for consumers to make use of such services, and a lack of digital financial skills makes consumers more prone to becoming targets of digital scams and fraud. The ESAs identified 12 good practices that can help NCAs, in particular on how to address specific target groups, increase the reach and effectiveness of such initiatives, and improve the planning of the initiatives in general.
| Critical third parties to the UK financial sector – third party survey | 2023 | Survey | As part of ongoing work, the supervisory authorities have issued a survey to aid analysis of the costs and benefits of a potential critical third-party regime in the UK. The survey asks for the estimated cost of applying the resilience standards and testing requirements to a single service that is provided to clients, with the option to provide estimates for additional services in later sections. The survey is intended for service providers to the UK financial sector. Information provided in the survey will be shared across the supervisory authorities for analysis; only aggregated and anonymized information will be shared.
| Mitigating systemic cyber risk | 2022 | Framework | This report identifies the need for the establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF) to mitigate the risk of coordination failure. The objective behind such a mechanism is to increase the level of preparedness of financial authorities in the EU and to define a coherent and thus more effective response to a cyber incident. The EU-SCICF should help bridge any coordination and communication gaps between financial authorities themselves, with other sector authorities, and with other key actors at the international level. As such, it should complement existing coordination and communication protocols. To ensure the non-duplication of frameworks, the EU-SCICF should be aligned with the existing financial crisis framework and the EU cyber incident landscape.
| DP3/22 – Operational resilience: Critical third parties to the UK financial sector | 2022 | Discussion Paper | The UK financial sector is a complex, interconnected system in which financial services firms (firms) and financial market infrastructure firms (FMIs) increasingly rely upon third-party services to support their operations. Technology services such as cloud computing and data analytics can bring multiple benefits: enabling digital transformation, catalyzing innovation, and providing greater resilience than firms’ and FMIs’ own technology infrastructure. This increasing reliance on third parties also poses growing risks. In 2021, the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (the Bank), collectively the supervisory authorities, introduced new rules to strengthen firms’ and FMIs’ operational resilience. The supervisory authorities hold firms and FMIs responsible, and ultimately accountable, for their operational resilience, regardless of whether or not they rely upon third parties to support the delivery of their important business services.
| FSI Insights on policy implementation No 44. Big tech interdependencies – a key policy blind spot, by Juan Carlos Crisanto, Johannes Ehrentraud, Marcos Fabian and Amélie Monteil | 2022 | Policy Guideline | The increasingly prominent role of large technology firms (big techs) in the financial sector has raised questions about their inner workings and regulation. In the short term, authorities can rely on an indirect approach to mitigate the financial stability risks, and several options are available to them. One is to identify risks stemming from interdependencies for regulated financial entities that are members of big tech groups and evaluate potential risk mitigants. Another is to assess the ability of these entities, and of other regulated financial entities that partner with big techs or depend on their services, to withstand and mitigate disruptive events, including cyber attacks, and to take measures to further strengthen operational resilience if needed. Yet another option is to intensify monitoring of critical third-party service providers and, depending on the regulatory framework, use direct oversight powers over them. In this context, authorities could benefit from sharing information on their regulatory approaches and supervisory practices with each other.
International Monetary Fund (IMF) | Central Bank Risk Management, Fintech, and Cybersecurity, by Ashraf Khan and Majid Malaika | 2021 | Working Paper | The paper focuses on central bank nonfinancial risks specifically related to the surge of
| Outsourcing and third party risk management | 2021 | Supervisory Statement | The Supervisory Statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management. To ensure a consistent approach across PRA-regulated firms, the expectations in this SS apply to all forms of outsourcing and, where indicated, to other non-outsourcing third-party arrangements entered into by firms. In addition, this SS includes specific examples, references, and chapters that address the specific characteristics of cloud usage and set out conditions that can help firms adopt and deploy it ‘in a safe and resilient manner’. In developing the expectations in this SS, including those on cloud usage, the PRA has taken into account international standards, e.g., the BCBS Operational Resilience Principles, FSB Effective Practices, G-7 Third-Party Elements, and IOSCO Principles on Outsourcing.
Financial Stability Board (FSB) | Effective Practices for Cyber Incident Response and Recovery | 2020 | Toolkit | The FSB has developed a toolkit of effective practices that aims to assist organizations in their cyber incident response and recovery activities. In this regard, the organization’s respond function executes the appropriate activities in reaction to a detected or reported cyber incident, while the recover function carries out the appropriate activities to restore any systems or capabilities, or to resume services or operations, that were impaired due to a cyber incident.
European Systemic Risk Board (ESRB) | Systemic cyber risk | 2020 | Guidelines | The financial system has come to rely critically on robust information and communications technology (ICT) infrastructures and on the confidentiality, integrity, and availability of data and systems. It follows that key economic functions can be disrupted through cyber incidents that affect the information systems and data of financial institutions and financial market infrastructures. Understanding the impact of such disruptions on financial stability is the focus of this report.
International Monetary Fund (IMF) | Cybersecurity Risk Supervision, by Christopher Wilson, Tamas Gaidosch, Frank Adelmann, and Anastasiia Morozova | 2019 | Best Practice | This paper highlights the emerging supervisory practices that contribute to […] some key actions must be taken by all. Recent experience has demonstrated that no corner of the global financial system is immune to cyber-attacks. All supervisory agencies, even those facing significant constraints, are called upon to quickly establish a framework for cybersecurity risk supervision.
| Cyber Resilience for Financial Market Infrastructures | 2019 | Methodology | This document presents a methodology developed by the European Central Bank to operationalize the CPMI-IOSCO Guidance on Cyber Resilience for FMIs (the Guidance). It can be used by FMIs to comply with the Guidance and by authorities (supervisors and overseers) to assess their FMIs against the Guidance, thereby enhancing the overall cyber resilience of financial market infrastructures critical for financial stability and financial inclusion.
Bank of Israel, Supervisor of Banks | Proper Conduct of Banking Business Directive 361 (03/15) | 2015 | Directive | Cyber risk management constitutes a part of the overall risk management process within the