In announcing the G7's fundamental principles, the European Commission recognised the work of the G7 Cyber Expert Group in responding to the increasingly sophisticated cyber threats being faced by the financial sector.
The G7's fundamental principles are designed to assist both private and public sector financial entities in addressing the risks of cyber-attacks against such financial organisations. It is also expected that these fundamental principles will assist public authorities in steering any public policy, regulatory or supervisory obligations.
The report consists of eight non-binding elements that are intended to provide high-level guidance to support financial entities in creating a cyber security strategy and policies. In summary, the elements are as follows:
- Cyber security strategy and framework: establishing and maintaining a cyber security strategy and framework tailored to the particular organisation and the markets in which it operates.
- Governance: imposing clear lines of responsibilities for personnel managing and overseeing the cyber security strategy and framework to ensure accountability. The G7 Cyber Expert Group also notes the need for adequate resources, appropriate authority and access to governing authority.
- Risk and control assessment: identifying and evaluating the risks posed to your business by cyber threats and implementing controls to protect against and manage those risks.
- Monitoring: monitoring and regularly evaluating the controls put in place – these should ensure that any cyber incidents are detected quickly.
- Response: preparing and implementing an incident response policy and other controls to facilitate effective cyber incident response.
- Recovery: resuming operations once operational stability and integrity are assured, prioritising critical economic and other functions while also allowing for continued remediation.
- Information sharing: timely sharing of cyber security information with internal and external stakeholders to deepen understanding throughout the sector of how cyber attackers may exploit the financial services sector.
- Continuous learning: reviewing your cyber security strategy and framework regularly and after cyber incidents to ensure that it remains relevant to the developing cyber landscape.
Action required for financial sector organisations
The publication of these principles should encourage financial sector bodies to review and update the measures they have in place to mitigate and reduce cyber incidents, and also to amend the policies designed to deal with the aftermath of cyber incidents.
These principles are intended to be a building block upon which such entities’ procedures are based and organisations will need to tailor their strategies and frameworks depending on the markets in which they operate, their risk analysis, culture and approach to risk management. Consequently, such measures should be company specific, factoring in the particular nature of the entity and the type of the cyber threats it encounters.
The fundamental principles are a timely reminder for the financial sector of the need to ensure robust cyber security measures to protect the stability and integrity of operations. The increasing sophistication of cyber-attacks and the impact these could have on a financial institution, ranging from a complete paralysis of operations to the loss of customer data and funds, highlight the need for a proactive response from the sector.