Technically-Oriented Tools Enhance Cybersecurity Principles for Financial Institutions
As financial institutions face increasingly sophisticated cyber threats, it is crucial to develop cybersecurity principles that go beyond regulatory requirements.
Continuous Improvement Approach
- Emphasize a continuous improvement approach to cyber risk management
- Focus on the pivotal role of risk and control assessments
- Promote minimum scope, timing, and follow-up requirements for risk assessments while remaining agnostic about methodologies
- Institutions should inform supervisors of the outcome of their risk and control assessments
Comprehensive Information Asset Identification
- Require risk and control assessments to be based on comprehensive information asset identification and classification
- Consider confidentiality, integrity, and availability objectives
- Institutions can choose their own classification schemes, provided critical assets are clearly identified
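As an added illustration (not code from the original page or from any institution's scheme), the snippet below shows one way to make the classification requirement above checkable: a minimal asset register rated on confidentiality, integrity and availability, a classification rule that flags an asset as critical when any objective is rated at the top level, and a review that reports critical assets without an owner, ratings outside the scheme, and assets seen by an independent discovery source but missing from the register. The three-level rating scale, the "critical if any objective is high" rule, and all asset names and ratings are assumptions constructed for the example.

```python
"""Added example: CIA-based asset classification with completeness checks.

The rating scale, critical rule and sample data are constructed assumptions;
the page leaves the classification scheme to each institution.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed three-level scale; an asset is critical if any objective is "high".
RATINGS = {"low": 1, "medium": 2, "high": 3}
CRITICAL_LEVEL = RATINGS["high"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]
    confidentiality: str
    integrity: str
    availability: str


def rating_error(asset: Asset) -> Optional[str]:
    """Return a description of the first rating not in the scheme, or None."""
    for objective in OBJECTIVES:
        value = getattr(asset, objective)
        if value not in RATINGS:
            return f"{asset.name}: unknown {objective} rating {value!r}"
    return None


def classify(asset: Asset) -> str:
    """Classify by the worst of the three objectives (caller validates ratings)."""
    worst = max(RATINGS[getattr(asset, objective)] for objective in OBJECTIVES)
    return "critical" if worst >= CRITICAL_LEVEL else "standard"


def review_register(register: list, discovered: list) -> dict:
    """Run the checks a supervisor would ask about and return findings by type.

    - invalid_rating: assets whose ratings fall outside the scheme
    - critical: assets classified as critical
    - critical_without_owner: critical assets with no accountable owner
    - not_in_register: discovered assets absent from the register (completeness)
    """
    findings = {
        "invalid_rating": [],
        "critical": [],
        "critical_without_owner": [],
        "not_in_register": [],
    }
    for asset in register:
        error = rating_error(asset)
        if error:
            findings["invalid_rating"].append(error)
            continue
        if classify(asset) == "critical":
            findings["critical"].append(asset.name)
            if not asset.owner:
                findings["critical_without_owner"].append(asset.name)
    registered_names = {asset.name for asset in register}
    findings["not_in_register"] = sorted(set(discovered) - registered_names)
    return findings


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Asset("core-banking-db", "Head of Payments", "high", "high", "high"),
    Asset("swift-gateway", None, "high", "high", "high"),  # critical, no owner
    Asset("intranet-wiki", "IT Ops", "medium", "low", "low"),
    Asset("legacy-reporting", "Finance", "hgh", "low", "low"),  # typo in rating
]
# Constructed output of an independent discovery source (e.g. a network scan).
SAMPLE_DISCOVERED = [
    "core-banking-db", "swift-gateway", "intranet-wiki",
    "legacy-reporting", "backup-nas-03",  # not in the register
]

if __name__ == "__main__":
    for kind, items in review_register(SAMPLE_REGISTER, SAMPLE_DISCOVERED).items():
        print(f"{kind}: {items}")
```

The completeness check is the part worth keeping: a register that is only ever updated by hand cannot support the "comprehensive identification" principle, so reconciling it against at least one independent source (a scanner, a CMDB export, cloud inventory) turns the principle into a repeatable control.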
Cyber Risk Management Responsibilities
- Clear guidelines for cyber risk management responsibilities within financial institutions are essential
- The board and senior management should be held accountable for approving and implementing cybersecurity strategies
- Specific guidelines should create visibility of cyber risks at board and senior management level
Material Outsourcing Arrangements
- Special provisions for material outsourcing arrangements are necessary
- These include notification duties, formal rights to audit, and incident reporting requirements
- Financial institutions should maintain comprehensive registers on outsourcing agreements
Scenario-Based Cyber Resilience Planning
- Give due attention to scenario-based cyber resilience planning and exercising
- This recognizes the increasing frequency of significant cybersecurity incidents
- Institutions can improve their resilience by proactively developing incident response plans, incorporating recent attack vectors into testing scenarios
Key Areas for Coverage
- Governance
- Strategy
- Monitoring and detection
- Response
- Recovery
- Information sharing
Information Sharing
- Effective sharing of operational threat intelligence requires trust relationships between technical experts at financial institutions, and a rulebook that governs the exchange
- Existing platforms for information sharing between central banks, regulators, and supervisory entities can facilitate this exchange
Supervisory Practices
- The Central Bank of [Country] has adopted a general supervisory framework and methodology grounded in international best practices
- Onsite examination planning includes identifying IT expertise needs, preliminary information gathering, and interviews combined with walkthroughs
- Supervisors formally follow up on findings, with exception-based reporting allowing institutions to comment on factual correctness before the report is issued
By leveraging technically-oriented tools and country-specific examples, these principles can help financial institutions strengthen their cybersecurity posture and better prepare for increasingly sophisticated cyber threats.