Financial Stability Board Highlights Multiplicity of Cybersecurity Regulations in the Financial Sector

By Amélie Champsaur, Katherine Mooney Carroll & Martha E. Vega-Gonzalez on October 20, 2017

Last week, the Financial Stability Board (“FSB”) released the results of its stocktake on existing regulations and supervisory practices in G20 jurisdictions with respect to cybersecurity in the financial sector. The FSB is an international body that coordinates the work of national financial authorities and international standard-setting bodies, and the stocktake — essentially a survey — was requested by the G20 Finance Ministers and Central Bank Governors in March 2017.

The results of the stocktake underscore the growing international emphasis on cybersecurity and the interplay of varied regulatory and supervisory schemes. The 25 surveyed jurisdictions identified 56 schemes of regulation and guidance targeted to cybersecurity and/or IT risk, with some jurisdictions reporting as many as 10 such schemes. With respect to supervisory practices, 35 schemes were reported.

It is also clear from the stocktake that cybersecurity is a dynamic and quickly evolving area. Eighteen of the surveyed jurisdictions (Argentina, Australia, Brazil, China, the E.U., France, Germany, Hong Kong, India, Italy, Mexico, the Netherlands, Russia, Saudi Arabia, Singapore, South Africa, Spain, and the United States) reported that they plan to issue new regulations, guidance, or supervisory practices that address cybersecurity for the financial sector within the next year.

At the same time, however, the FSB found some level of convergence among the different jurisdictions. According to the FSB, all of the surveyed jurisdiction draw upon a small body of guidance in developing their cybersecurity regulatory and supervisory schemes, and many schemes share common elements:

Common Elements Covered by Regulatory Schemes

Common Topics Covered by Supervisory Practices Schemes

risk assessment;
regulatory reporting;
role of the board;
third-party risks;
system access controls;
incident response and recovery;
testing;
training;
creation of role responsible for cybersecurity, such as chief information security officer;
information sharing;
board and senior management expertise; and
cyber risk insurance

review of policies and procedures;
review of programs for monitoring, testing and auditing;
review of data security controls;
review of governance arrangements;
review of risk assessment process;
review of past incidents and organization’s response and recovery;
testing by supervisor and/or submission of test results to supervisor;
communications by supervisor with other supervisors and authorities;
review of sectoral impact of past incidents;
review of information sharing by financial institutions;
expertise of supervisory team;
supervisory review of third parties; and
joint public-private testing.

The full report, including summaries of each jurisdiction’s responses to the survey, is available here.

A summary report, which also includes findings from a Workshop on Cybersecurity that brought together public and private sector participants to discuss cybersecurity in the financial sector, is available here.