On October 11, 2016, the finance ministers and central bank governors of the Group of 7 (G-7) countries announced the publication of the Fundamental Elements of Cybersecurity for the Financial Sector, a non-binding guidance document for financial sector entities. The publication describes eight fundamental “elements” of effective cybersecurity risk management to guide public and private sector entities in designing cybersecurity programs based on their specific risk profile and culture. The goal of the G-7 is to provide a common framework for the financial sector to develop security programs that will “help bolster the overall cybersecurity and resiliency of the international financial system.”

The eight elements describe the core components of a comprehensive cybersecurity program, while leaving the strategic and operational details to each entity.  The publication is not intended to serve as a binding, one-size-fits-all set of requirements; rather, it describes high-level programmatic “building blocks” that each entity can customize to its own security strategy and operating structure.  Each entity should tailor its application of the elements based on an evaluation of its “operational and threat landscape, role in the sector, and legal and regulatory requirements,” and be informed by its specific “approach to risk-management and culture.”

A summary of the actions that entities can take for each of the eight elements is provided below.

  • Cybersecurity Strategy and Framework: Entities should establish and maintain a cybersecurity strategy and framework that is—
    • Tailored to the “nature, size, complexity, risk profile, and culture” of the specific entity; and
    • Informed by international, national, and industry standards and guidance.

  • Governance: Effective governance structures for cybersecurity strategy and framework consist of—
    • Defining the roles and facilitating the responsibilities of personnel responsible for the cybersecurity strategy and framework;
    • Providing relevant personnel with the appropriate authority to accomplish their job functions;
    • Allocating adequate resources to the program;
    • Establishing the cyber risk tolerance for the entity; and
    • Ensuring proper oversight of related cybersecurity programs.

  • Risk and Control Assessment: Adequate risk management and risk assessment, while based on the entity’s particular risk tolerance, should include—
    • Identifying cyber risks associated with key entity functions, activities, products, and services, including interconnections, dependencies, and third-party risks;
    • Prioritizing the identified functions and activities by relative importance and potential impact of risk; and
    • Implementing controls, including systems, policies, procedures and training, to avoid and mitigate identified cyber risks.

  • Monitoring: Establish monitoring and regular assessment programs that—
    • Are designed to detect cyber incidents rapidly;
    • Include “network monitoring, testing, audits, and exercises” to evaluate effectiveness of controls;
    • Can be used to enhance or remediate controls as necessary; and
    • Are conducted by personnel independent from the function that manages and implements the cybersecurity program.

  • Response: An incident response plan should provide clear guidance and be designed to allow an entity to complete the following crucial functions—
    • Assess the nature, scope, and impact of a cyber incident;
    • Contain and mitigate the incident;
    • Notify relevant stakeholders; and
    • Coordinate any necessary joint response with other entities.

  • Recovery: Entities should establish recovery plans to “resume operations responsibly, while allowing for continued remediation” by—
    • Eradicating harmful remnants of the incident from systems;
    • Restoring systems and data to normal;
    • Identifying and mitigating all exploited vulnerabilities;
    • Remediating vulnerabilities to prevent similar incidents; and
    • Communicating appropriately, both internally and externally.

  • Information Sharing: Entities should consider sharing information promptly after an incident to deepen collective sector-wide understanding of exploits and mitigate the risk of potential broader disruption of the financial system. Information sharing should—
    • Be timely, reliable, actionable, and technical;
    • Identify threat indicators, vulnerabilities, and methodologies used in exploits; and
    • Be directed at assisting financial sector stakeholders, as well as non-financial sector public and private entities, in enhancing defenses, limiting damage, increasing situational awareness, and broadening learning.
  The guidance also asks entities to identify and address any impediments to or concerns with information sharing.

  • Continuous Learning: An entity should periodically (or as needed) review and update its cybersecurity strategy and framework. Updates should—
    • Address changes in risk, such as emerging vulnerabilities and changes in financial sector products, services, or technical developments; and
    • Incorporate lessons learned from recent cyber incidents.