IMF published a paper that discusses the emerging supervisory practices that contribute to effective cyber-security risk supervision. This paper highlights emerging supervisory approaches with the intention of promoting good practices. The focus is on how these practices can be adopted by the agencies that are at an early stage of developing a supervisory approach to strengthen cyber resilience. The paper notes that regulatory requirements ensuring that good cyber-security risk management practices are in place are critical.
The paper discusses the importance of addressing cyber risk and points out that financial sector supervisory authorities worldwide are working to establish and implement a framework for cyber risk supervision. Progress, however, is uneven, particularly for lower-income countries and lower-capacity supervisors, which face a number of challenges developing an effective regulatory and supervisory framework for cyber risk supervision. The goal of cyber-security risk supervision should be to influence, incentivize, and shape cyber-security capabilities of firms. Supervision activities to build resilience should include the following:
- Identify the threat landscape
- Map the cyber and financial network
- Create coherent regulation
- Conduct supervisory assessment
- Establish formal information-sharing and reporting mechanisms
- Provide adequate response and recovery
- Ensure preparedness of supervisory agencies
The experience from IMF technical assistance shows that establishing a framework for cyber-security risk supervision involves many challenges, with the dearth of specialist skills being one of the biggest challenges. Notwithstanding these, all supervisors can take action to build information-gathering and sharing systems, improve basic security practices, and identify and deploy resources toward key assets and carry out basic cyber exercises. The report highlights that the transfer of knowledge across the community of supervisors, especially lower-income and lower-capacity supervisors, will help raise resilience globally. Regulations should leverage established approaches, including those developed by industry, which will help with a convergence of standards. Although all firms face cyber-security risk, smaller- and lower-capacity firms should focus on strengthening cyber hygiene while the largest and most globally connected firms and key system nodes should be subject to heightened standards.
The report notes that authorities should work together to promote a more consistent and coordinated approach that promotes consistency and convergence. A strong regulatory and supervisory framework should allow supervisors to substantially improve the resilience of financial sector to cyber attack. Whether the regulatory framework is based on principles or rules, the framework must grant supervisors sufficient authority to address cyber-security risk and allow supervisors to be sufficiently adaptive to the dynamics of the risk.
Related Link: Report on Cyber Risk Supervision
Keywords: International, Banking, Insurance, Securities, Cyber Risk, Cyber Resilience Framework, Supervisory Practices, Operational Risk, IMF
Previous ArticleRBNZ Seeks Assurance About Prudent Operating of ANZ New Zealand
The Hong Kong Monetary Authority (HKMA) revised the Supervisory Policy Manual module CG-5 that sets out guidelines on a sound remuneration system for authorized institutions.
The European Banking Authority (EBA) published the final guidelines on the monitoring of the threshold and other procedural aspects on the establishment of intermediate parent undertakings in European Union (EU), as laid down in the Capital Requirements Directive (CRD).
In a recent Market Notice, the Bank of England (BoE) confirmed that green gilts will have equivalent eligibility to existing gilts in its market operations.
The Financial Conduct Authority (FCA) published the policy statement PS21/9 on implementation of the Investment Firms Prudential Regime.
The European Banking Authority (EBA) proposed regulatory technical standards that set out criteria for identifying shadow banking entities for the purpose of reporting large exposures.
The Board of the International Organization of Securities Commissions (IOSCO) proposed a set of recommendations on the environmental, social, and governance (ESG) ratings and data providers.
The European Securities and Markets Authority (ESMA) published recommendations from the Working Group on Euro Risk-Free Rates (RFR) on the switch to risk-free rates in the interdealer market.
The European Central Bank (ECB) published a paper as well as an article in the July Macroprudential Bulletin, both of which offer insights on the assessment of the impact of Basel III finalization package on the euro area.
The International Swaps and Derivatives Association (ISDA) published a paper that explores the impact of the Fundamental Review of the Trading Book (FRTB) on the trading of carbon certificates.
The Prudential Regulation Authority (PRA) published the remuneration policy self-assessment templates and tables on strengthening accountability.