FSB finalises “more proportionate” cyber response toolkit

The Financial Stability Board has published a finalised cyber response toolkit, after critics said its earlier draft guide could prove to be a financial burden for smaller banks.

The FSB published a toolkit of effective practices for financial institutions’ cyber incident response and recovery (CIRR) on 19 October.

The toolkit comprises 49 practices grouped into seven categories: governance; planning and preparation; analysis; mitigation; restoration and recovery; coordination and communication; and improvement.

The FSB explained that the guide is not intended to create an international standard, but rather designed as a “range of effective practices” that any organisation can choose from based on its size, complexity and risks.

Among its suggestions, the toolkit includes a list of the information that financial institutions could share with stakeholders following a cyber threat. The FSB says banks could notify stakeholders of the exploited vulnerabilities, whether already fixed or still emerging, the threat actors or suspected attackers, and the course of action already taken and planned.

The FSB also suggests that organisations regularly conduct tests to “validate and improve the knowledge as well as understanding of resources regarding their CIRR activities and capabilities”.

It said banks could conduct phishing exercises to test awareness and training of employees, and “tabletop exercises or walk-throughs” of CIRR plans involving incident responders and incident management teams to “build muscle memory”.

Live tests such as “basic and threat-led penetration tests, bug bounty, cyber range and adversarial attack” could enhance an organisation’s actual technical response and recovery capabilities, according to the FSB.

The toolkit also clarified that organisations do not have to rigidly assign roles, responsibilities and accountabilities – such as incident owner, independent observer or media spokesperson – to individuals, as it suggested in its April consultation paper, and said that an institution can instead elect to assign roles depending on its size, complexity and risk.

The FSB first published its consultation paper on the cyber response toolkit in April, to which market participants and trade associations responded by calling for greater emphasis on tailoring each area to an entity’s characteristics.

In the consultation, the FSB initially suggested certain tests and exercises that could improve response and recovery capabilities, such as red/blue teaming exercises.

The Institute of International Finance (IIF) called on the FSB to apply greater proportionality to the “preparation and planning” section to avoid smaller institutions being burdened with costly exercises.

“For some of the effective practices, the sophistication of the processes might be too complex or costly for all but the largest firms,” said Martin Boer, director of the IIF’s regulatory affairs department.

“For example, undertaking red/blue teaming exercises can be very beneficial to support cyber security maturity but organising and executing these simulations are extremely complicated and technical.”

Denyette DePierro, vice president of the American Bankers Association (ABA), also said there were several areas in the consultation where the language was “not inclusive of smaller, less complex financial services companies” and might not be perceived by community and mid-size banks as applicable to their business model.

The ABA also called on the FSB to highlight the fact that certain institutions rely on consultants, core processors, third party service providers, and external experts as primary stakeholders to accomplish the type of tasks set out in the toolkit.

The FSB also acknowledged that several respondents called for an update of the terms used in its Cyber Lexicon, and that the terms in the toolkit could better encourage authorities to adopt more “harmonised practices” based on existing frameworks.

Maya Atig, head of the French Banking Federation (FBF), said the current “fragmentation of cybersecurity regulations” across the financial services industry poses a problem to the European banking industry.

“Rather than improving resilience, a global regulatory environment for financial services cybersecurity that is not properly coherent is likely to increase financial stability risk by driving complexity into the system,” she wrote.

In order to ensure coherence and reduce the risk associated with an incoherent regulatory environment, the FBF said the toolkit should further encourage authorities to adopt more “uniform practices” by referring to existing and well-established mechanisms and best practice.

The FSB said it will consider whether to review the Cyber Lexicon and ways to enhance coordination as part of its “forward work programme”.

The FSB delivered the toolkit as part of a report to G20 finance ministers and central bank governors at their meeting on 21 October.

It agreed to develop a toolkit in 2018, to help financial institutions respond to and recover from cyber incidents to minimise any financial stability risks.
