Businesses and financial entities continue to grapple with the increasing frequency and sophistication of hacking, as illustrated by the recent botnet attack that affected numerous websites on October 21, 2016, and by the recent SWIFT hack used to steal $81 million from the Bangladeshi central bank. On October 11, 2016, G-7 financial leaders attempted to respond to the growth of these hacks by agreeing to a set of guidelines to promote best practices in the financial industry. The guidelines, entitled Fundamental Elements of Cybersecurity for the Financial Sector, are intended to provide common, non-binding, high-level fundamental elements that both public and private financial sector entities can tailor to their specific cybersecurity programs and incident response plans. The practices consist of the following elements:
- Cybersecurity Strategy and Framework – establish and maintain a cybersecurity strategy and framework tailored to specific risks.
- Governance – define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors).
- Risk and Control Assessment – identify functions, activities, products, and services, and prioritize their relative importance, while assessing their respective risks. Identify and implement controls to protect against and manage those risks within the tolerance set by the governing authority.
- Monitoring – establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls.
- Response – in a timely manner, (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders; and (d) coordinate joint response activities as needed.
- Recovery – resume operations responsibly, while allowing for continued remediation, including by (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.
- Information Sharing – engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage, increase situational awareness, and broaden learning.
- Continuous Learning – review the cybersecurity strategy and framework regularly and when events warrant to address changes in risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.
These G-7 practices follow the New York Department of Financial Services’ recent proposed rules that would require banks and other financial institutions to adopt minimum cybersecurity standards. Both public and private financial sector entities remain prime targets for cyberattacks. Given recent events, anyone operating in the financial sector should consider strengthening cybersecurity programs and incident response plans, both as a matter of prudent operational and business practice and because of the increasing focus regulators place on compliance with existing (or forthcoming) cybersecurity regulations.