The financial sector faces significant exposure to cyber risk given that it is information technology-intensive and highly interconnected through payment systems. Therefore, it is important for financial firms to strengthen their cyber resilience, which is defined by the Financial Stability Board (FSB) as “the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents”.
Regulators expect banks to account for business continuity and information confidentiality and integrity when dealing with third parties. Business continuity plans of critical third-party providers should align with the needs and policies of the bank. Confidentiality and integrity of information, on the other hand, are addressed in general data protection requirements and specific security requirements for safeguarding bank and customer information. Regulatory requirements for use of the cloud by banks may also apply. These include specific requirements on data location, data segregation, data use limitations, data security and treatment of data in the event of termination of a third-party arrangement.
Supervision of third-party dependencies relies on the ability of the authority to supervise these firms directly. When supervisors do not have oversight of third parties, one possible approach is to place the onus on banks to ensure that the third parties have the same security policies, procedures and controls that are expected of regulated firms. Another approach is to require service level agreements between banks and third parties to include a clause that allows supervisors to examine the latter’s systems. In contrast, when supervisors have oversight of third parties, they may opt to assess for themselves the soundness of their cybersecurity, particularly for those that provide the most critical services.
Cyber resilience metrics
Supervisors assess banks’ cybersecurity controls and their monitoring and surveillance of emerging threats. These assessments are based on banks’ adherence to existing industry standards. Supervisory assessments also include challenges to bank approaches to testing controls and the remediation of issues identified. Challenges can include the review of control testing reports, which may be part of a more formal testing programme. Such a programme could employ various testing methodologies and practices, such as vulnerability assessment, penetration testing and red team testing.
Supervisors are still developing metrics for measuring the quality of banks’ cyber resilience. Early metrics have focused on using information from reported incidents, surveys, testing activities and on-site inspections. There is recognition of the need to develop more forward-looking cyber resilience metrics.