
Overview of the cyber regulatory frameworks internationally
JUNE 25, 2019

Frank Adelmann
Financial Sector Expert (Cyber Security)
Monetary and Capital Markets Department - Financial Supervision and Regulation (MCMFR)
International Monetary Fund

INTERNATIONAL MONETARY FUND 1


Disclaimer

• The enumeration of organizations and documents in the presentation is not intended to be exhaustive
• Acknowledging multiple national initiatives in many countries, the focus is on international groups
• Indeed, things evolve so quickly that some references may have become outdated since the slides were prepared!!



(Some) Regulatory Bodies/ Organizations

[Diagram of bodies and organizations: G7 Cyber Expert Group; IAIS; CPMI-IOSCO Working Group on Cyber Resilience; European Systemic Cyber Group (ESCG); FSB; EBA; BCBS Operational Resilience Group (ORG); ECB; European Commission; International Cybersecurity Forum; Senior Supervisors Group (SSG); ENISA; Global Financial Market Association (GFMA); G20; International Monetary Fund (IMF); World Bank; OECD; World Economic Forum; Cyber Defence Alliance; NIST; Institute of International Finance]



(Some) Regulatory Bodies/ Organizations

• Financial Stability Board (FSB)
• International Standard-Setting Bodies (SSBs)
► Basel Committee on Banking Supervision (BCBS)
► International Association of Insurance Supervisors (IAIS)
► International Organization of Securities Commissions (IOSCO)
► The Committee on Payments and Market Infrastructures (CPMI)
• International financial institutions
► Bank for International Settlements (BIS)
► International Monetary Fund (IMF)
► Organization for Economic Co-operation and Development (OECD)
► The World Bank
• Other international bodies
► Senior Supervisors Group (SSG)
► …



2017 G20 FINANCE TRACK COMMUNIQUE

“The malicious use of Information and Communication Technologies (ICT) could disrupt financial
services crucial to both national and international financial systems, undermine security and
confidence and endanger financial stability. We will promote the resilience of financial services and
institutions in G20 jurisdictions against the malicious use of ICT, including from countries outside the
G20. With the aim of enhancing our cross-border cooperation, we ask the FSB, as a first step, to
perform a stock-taking of existing relevant released regulations and supervisory practices in our
jurisdictions, as well as existing international guidance to identify effective practices. The FSB should
inform about the progress of this work by the Leaders Summit in July 2017 and deliver a stock-take
report by October 2017.”



Strategy and awareness

• Raising attention to the increasing exposure to cyber risks
• The global dimension of cyber risks, their economic impact, international cooperation, etc.
• Some references:
► World Economic Forum “The Global Risks Report 2018”
► European Union Cybersecurity Strategy (2013, reviewed 2017)
► European Commission Fintech action plan
► G20 leaders’ declaration, Hamburg (2017)
► IMF “Estimating Cyber Risk for the Financial Sector”, Christine Lagarde
► Different speeches from financial sector authorities



General principles and best practices

• Definitions of cybersecurity
• What is different from the traditional approaches to information security
• The three dimensions: people / processes / technology
• Whether or not to include operational (non-malicious) events
• The concept of operational resilience
• “Cyber hygiene” measures
• Stocktakes of existing regulation and supervisory practices
• Governance aspects
• Organizational changes, as cybersecurity goes beyond ICT security
• The challenge of creating and keeping talent, at banks, providers and supervisors
• Need for training of all staff, not only technical staff
• Board involvement
• Roles have changed



General principles and best practices

• Some references:
► NIST: “Cybersecurity Framework” (2013, reviewed 2018)
► CPMI-IOSCO: “Guidance on cyber resilience for financial market infrastructures” (2016)
► IAIS: “Paper on Cyber Risk to the Insurance Sector” (2016)
► G7: “Fundamental elements of cybersecurity for the financial sector” (2016); “Fundamental elements for effective assessment of cybersecurity in the financial sector” (2017)
► SSG: “Cybersecurity White Paper” (2017, not public outside the group)
► FSB: “Stocktake on cybersecurity regulatory and supervisory practices” (2017); “Cyber Lexicon” (2018)
► World Bank Group FinSAC: “Financial sector’s cybersecurity, a regulatory digest” (2018)
► BCBS: Risk Management Principles for Electronic Banking (2003), High-level principles for business continuity (2006), Principles for the Sound Management of Operational Risk (2011) and Principles for effective risk data aggregation and risk reporting (2013); Cyber-resilience: Range of practices (2018)
► OECD: Recommendation of the Council on the Protection of Critical Information Infrastructures (2008 – being revised and aligned in 2018), Recommendation on Digital Security Risk Management for Economic and Social Prosperity (2015)



Third parties

• Regulation often still has to evolve from outsourcing to third-party risk management
• Different concept of the relevance of a third party: contract size is no longer the key aspect; even small providers can be a threat vector
• Cloud computing and cybersecurity
• Difficulty controlling the complete supply chain
• From the supervisory side:
► Ability to supervise service providers
► How to deal with concentration risk
► “From systemic banks to systemic service providers”



Third parties

• Almost all general principles frameworks and best practices address third-party risk
• Some more specific references:
► G7: “Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector” (2018)
► EBA:
◆ Recommendation on outsourcing to cloud (2017)
◆ Consultation Paper on Guidelines on Outsourcing (2018)
◆ Consultation Paper on ICT and security risk management guidelines (2018)



Systemic dimension

• Could a cyber incident threaten financial stability?
• From assessing the likelihood of cyber incidents (malicious or not) to assuming they will happen
• Impact will depend not only on the duration and severity of the incidents but also on the readiness of the different stakeholders to respond and recover
• How to measure the systemic impact of cyber risk? Lack of reliable and sufficient data and indicators
• Cross-sectorial and cross-border dimensions pose an additional challenge



Systemic dimension

• Some references:
► FSB: “Operational and cyber risk: Consideration from a financial stability perspective in member jurisdictions” (2018); publications of the Standing Committee on Assessment of Vulnerabilities
► European Systemic Cyber Group on-going work
► IMF: “Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment” (2018); “Cyber Risk, Market Failures, and Financial Stability” (2017)
► BCBS Operational Resilience Group on-going work
► IIF: “Cyber Security & Financial Stability: How cyber-attacks could materially impact the global financial system” (2017)



Sharing information

• General agreement on the importance of information sharing to prevent and minimize the impact of cyber incidents
• Different levels of information sharing: national vs cross-border, with or without authorities’ involvement, sectorial or inter-sectorial, voluntary vs mandatory, etc.
• Due to the extreme confidentiality of the information, it is crucial to build trust amongst stakeholders
• Potential legal issues: restrictions, overlaps, uncertainty
• Intelligence agencies, national secrecy, political dimension



Sharing information

• Some references:
► Legal or regulatory incident reporting obligations. Some examples:
◆ European Directives on Payment Services, Network and Information Security, Critical Infrastructures Protection
◆ European General Data Protection Regulation (GDPR)
◆ Reporting to financial sector authorities (e.g. SSM in Europe)
◆ Bilateral agreements amongst jurisdictions (e.g. Hong Kong and Singapore)
► FS-ISAC
► Cybersecurity Defence Alliance



Testing

• Types of tests: table top, pentest, red-teaming, physical security, …
• Which institutions should be tested? How do we ensure a sound financial ecosystem? Levels of maturity?
• Role of the authority: firm-led vs institution-led
• Scope and frequency of the tests
• Testing on live vs preproduction systems
• Can tests be performed by the institution’s own staff, or should they be done externally?
• Accreditation / certification of external testers
• Mutual recognition of results amongst authorities
• Cross-border and cross-sectorial dimension



Testing

• Some references:
► G7: “Fundamental elements for threat-led penetration testing” (2018)
► CBEST / CREST (UK)
► TIBER-NL (Netherlands)
► TIBER-EU (European Central Bank)
► ICAST (Hong Kong)
► GFMA: “Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry”
► EBA Consultation paper on guidelines on ICT and security risk management (for institutions)
► Table top exercises / simulation at different levels



Current work and future plans

• BCBS considering development of additional policy and/or supervisory measures related to cyber risk and resilience over the next two years
• CPMI-IOSCO currently has two workstreams addressing cybersecurity
► CPMI-IOSCO working group on cyber resilience for FMIs has an approved workplan that it intends to execute through year-end 2018
► in July 2016, CPMI established a task force to look into the endpoint security of wholesale payments that involve banks, FMIs and other financial institutions. The task force is currently developing a high-level strategy to reduce the risk of wholesale payments fraud related to endpoint security.
• G7 cross-border simulation exercise to take place in 2019, convening 23 authorities and, in some countries, the private sector, plus development of a collective view of vulnerabilities for future work
• FSB socialization of the FSB Cyber Lexicon, plus a new effort focusing on how financial institutions respond to and recover from cyber incidents
• EC/EBA/SSM considering the adoption of a common cyber resilience testing framework in Europe



Current work and future plans (Jan 2019)

• IMF continues to release documents addressing cybersecurity on a regular basis
• IAIS expects to publish a paper on the application of the Core Principles to cybersecurity
• OECD is working on improving the evidence base for digital security and privacy through the development of statistical indicators in this area, and is reviewing the 2008 OECD Recommendation on the Protection of Critical Information Infrastructures as well as the OECD 1997 Guidelines on Cryptography Policy
• World Bank Group (WBG), in partnership with the International Telecommunication Union, is convening a workstream on cybersecurity for financial infrastructure under the security and trust working group of the newly created Financial Inclusion Global Initiative (FIGI), funded by the Bill & Melinda Gates Foundation
• US: advancement of the “Financial Services Sector Cyber Security Profile”
• …



(Some key) Regulatory Standards

• NIST: “Cybersecurity Framework” (2013, reviewed 2018)
• CPMI-IOSCO: “Guidance on cyber resilience for financial market infrastructures” (2016)
• IAIS: “Paper on Cyber Risk to the Insurance Sector” (2016)
• G7: “Fundamental elements of cybersecurity for the financial sector” (2016); “Fundamental elements for effective assessment of cybersecurity in the financial sector” (2017)
• SSG: “Cybersecurity White Paper” (2017, not public outside the group)
• FSB: “Stocktake on cybersecurity regulatory and supervisory practices” (2017); “Cyber Lexicon” (2018)
• World Bank Group FinSAC: “Financial sector’s cybersecurity, a regulatory digest” (2018)
• BCBS: Risk Management Principles for Electronic Banking (2003), High-level principles for business continuity (2006), Principles for the Sound Management of Operational Risk (2011), Principles for effective risk data aggregation and risk reporting (2013)
• OECD: Recommendation of the Council on the Protection of Critical Information Infrastructures (2018), Recommendation on Digital Security Risk Management for Economic and Social Prosperity (2015)



Regulatory Bodies/ Organizations

• Financial Stability Board
► formerly the Financial Stability Forum (FSF), formed by the G7 in 1999 to coordinate the work of national financial authorities and international standard-setting bodies
► addresses vulnerabilities and develops strong regulatory, supervisory and other policies in the interest of financial stability
► FSB since 2009, formed by the G20, designed for standard setting and for promoting members’ implementation of international standards and agreed G20 and FSB commitments and policy recommendations



Regulatory Bodies/ Organizations

• Basel Committee on Banking Supervision (BCBS)
► sets standards for the prudential regulation and supervision of banks
► provides a forum for cooperation on banking supervisory matters
► supports the work and activities of regional groups of banking supervisors worldwide
► BCBS members include organizations with direct banking supervisory authority and central banks
► establishes groups, working groups, virtual networks, and task forces
► Financial Stability Institute (FSI) is a joint initiative of the BCBS and the Bank for International Settlements (BIS) to assist supervisors around the world in implementing sound prudential standards
► BCBS is a member of the Financial Stability Board (FSB)

Mandate: to strengthen the regulation, supervision and practices of banks worldwide with the purpose of enhancing financial stability



Regulatory Bodies/ Organizations

• International Association of Insurance Supervisors (IAIS)
► voluntary membership organization of insurance supervisors and regulators from more than 200 jurisdictions in nearly 140 countries
► established in 1994 - international standard setting body responsible for developing and assisting in the implementation of principles, standards and other supporting material for the supervision of the insurance sector

Mandate: to promote effective and globally consistent supervision of the insurance industry in order to develop and maintain fair, safe and stable insurance markets for the benefit and protection of policyholders and to contribute to global financial stability



Regulatory Bodies/ Organizations

• International Organization of Securities Commissions (IOSCO)
► established in 1983 - its membership regulates more than 95% of the world's securities markets in more than 115 jurisdictions
► brings together the world's securities regulators and is recognized as the global standard setter for the securities sector
► develops, implements and promotes adherence to internationally recognized standards for securities regulation
► works intensively with the G20 and the Financial Stability Board (FSB) on the global regulatory reform agenda

Significant and regular documents on cybersecurity and resilience.



Regulatory Bodies/ Organizations

• Committee on Payments and Market Infrastructures (CPMI)
► effective from 2014, the CPMI has a long history dating to 1980 when the G10 set up a Group of Experts on Payment Systems
► promotes the safety and efficiency of payment, clearing, settlement and related arrangements, thereby supporting financial stability and the wider economy
► CPMI is a member of the FSB and participates in the FSB's work to coordinate and promote the implementation of effective regulatory, supervisory and other financial sector policies

Mandate: monitors and analyses developments in these arrangements, both within and across jurisdictions; serves as a forum for central bank cooperation in related oversight, policy and operational matters, including the provision of central bank services



Regulatory Bodies/ Organizations

• Bank for International Settlements (BIS)
► established in 1930, the Bank for International Settlements is the oldest international financial institution
► owned by 60 central banks, representing countries from around the world that together account for about 95% of world GDP

Mandate: to serve central banks in their pursuit of monetary and financial stability, to foster international cooperation in those areas and to act as a bank for central banks



Regulatory Bodies/ Organizations

• International Monetary Fund (IMF)
► promotes international financial stability and monetary cooperation, facilitates international trade, promotes employment and sustainable economic growth, and helps to reduce global poverty
► governed by and accountable to its 189 member countries
► conceived in July 1944 at the United Nations Bretton Woods Conference in New Hampshire, United States; the 44 countries in attendance sought to build a framework for international economic cooperation and avoid repeating the competitive currency devaluations that contributed to the Great Depression of the 1930s

Mandate: primary mission is to ensure the stability of the international monetary system - the system of exchange rates and international payments that enables countries and their citizens to transact with each other



Regulatory Bodies/ Organizations

• Organisation for Economic Co-operation and Development (OECD)
► founded in 1960, when 18 European countries plus the United States and Canada joined forces to create an organization dedicated to economic development
► Global Relations Secretariat (GRS) develops and oversees the strategic orientations of OECD’s global relations with non-Members
► More than 15 Global Fora have been established to address trans-boundary issues where the relevance of OECD work is dependent on policy dialogue with non-Members

Mandate: to promote policies that will improve the economic and social well-being of people around the world



Regulatory Bodies/ Organizations

• The World Bank Group
► one of the world’s largest sources of funding and knowledge for developing countries
► five institutions share a commitment to reducing poverty, increasing shared prosperity, and promoting sustainable development

Mission: end extreme poverty by reducing the share of the global population that lives in extreme poverty to 3 percent by 2030; promote shared prosperity by increasing the incomes of the poorest 40 percent of people in every country



Regulatory Bodies/ Organizations

• European Banking Authority (EBA)
► EBA was established on 1 January 2011 as part of the European System of Financial Supervision (ESFS) and took over all existing responsibilities and tasks of the Committee of European Banking Supervisors (CEBS)
► The main task of the EBA is to provide a single set of harmonised prudential rules for financial institutions throughout the EU.
► EBA also plays an important role in promoting convergence of supervisory practices and is mandated to assess risks and vulnerabilities in the EU banking sector.



Regulatory Bodies/ Organizations

• European Central Bank (ECB)
► The European Central Bank (ECB) is the central bank of the 19 European Union countries which have adopted the euro.
► Its main task is to maintain price stability in the euro area

• Single Supervisory Mechanism (SSM)
► The Single Supervisory Mechanism (SSM) refers to the system of banking supervision in Europe. It comprises the ECB and the national supervisory authorities of the participating countries
► It was created in 2014



Regulatory Bodies/ Organizations

• Senior Supervisors Group (SSG)
► forum for senior representatives of supervisory authorities to engage in dialogue on risk management practices, governance, and other issues concerning complex, globally-active financial institutions
► comprised of senior executives from the bank supervisory authorities of those institutions’ home jurisdictions
► leverages the network of relationships in the Group to share information on supervisory approaches and also engages with the financial services industry to better understand new challenges and emerging risks that systemically important institutions face



Existing Frameworks

• FSB Report - Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory Practices (13 Oct 2017)
► FSB member jurisdictions and international bodies have been active in addressing cybersecurity for the financial sector
► significantly higher number of publicly released regulatory schemes than publicly released supervisory practices schemes
► number of schemes of regulations and guidance addressing cybersecurity for the financial sector varied widely across jurisdictions
► regulatory schemes more commonly took a targeted approach to cybersecurity and/or IT risk (66% of reported schemes) and less commonly addressed operational risk generally (34% of reported schemes)
► often characterized as principles-based, risk-based or proportional
► 56 schemes of regulations and guidance reported as targeted to cybersecurity and/or IT risk



Existing Frameworks

• G7 Fundamental Elements of Cybersecurity for the financial sector
► establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines
► define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities)
► identify functions, activities, products, and services - including interconnections, dependencies, and third parties - prioritize their relative importance, and assess their respective cyber risks
► identify and implement controls - including systems, policies, procedures, and training - to protect against and manage those risks within the tolerance set by the governing authority



Existing Frameworks

• G7 Fundamental Elements of Cybersecurity for the financial sector
► establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises
► timely (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and (d) coordinate joint response activities as needed
► resume operations responsibly, while allowing for continued remediation, including by (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally



Existing Frameworks

• G7 Fundamental Elements of Cybersecurity for the financial sector
► engage in the timely sharing of reliable, actionable cybersecurity information with
internal and external stakeholders (including entities and public authorities within
and outside the financial sector) on threats, vulnerabilities, incidents, and
responses to enhance defenses, limit damage, increase situational awareness,
and broaden learning
► review the cybersecurity strategy and framework regularly and when events
warrant—including its governance, risk and control assessment, monitoring,
response, recovery, and information sharing components—to address changes in
cyber risks, allocate resources, identify and remediate gaps, and incorporate
lessons learned



Existing Frameworks

• G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector
► Desirable outcomes:
◆ The Fundamental Elements (G7FE) are in place.
◆ Cybersecurity influences organizational decision-making.
◆ There is an understanding that disruption will occur.
◆ An adaptive cybersecurity approach is adopted.
◆ There is a culture that drives secure behaviors.
► Assessment components:
◆ Establish clear assessment objectives.
◆ Set and communicate methodology and expectations.
◆ Maintain a diverse toolkit and process for tool selection.
◆ Report clear findings and concrete remedial actions.
◆ Ensure assessments are reliable and fair.



Presenter: Frank Adelmann

Degree in International Central Banking, Master of Science (Economics), CISA
• 2009-2014 Economist/On-site Inspector @ Deutsche Bundesbank
• 2015-2018 Supervisor/On-site Inspector @ European Central Bank
• Since 2018 HQ-based Technical Assistance Advisor – Financial Sector Expert (Cyber Security) @ International Monetary Fund

FAdelmann@imf.org

https://www.linkedin.com/in/frank-adelmann-18a2ab65/
Tel: +1 202 623 6263
Mobile: +1 202 361 4434



Thank you very much for your attention!
