The Financial Stability Board (FSB) published a consultation report on Effective Practices for Cyber Incident Response and Recovery, which was sent to G20 Finance Ministers and Central Bank Governors recently. The toolkit of effective practices aims to assist financial institutions in their cyber incident response and recovery activities.
Cyber incidents pose a threat to the stability of the global financial system. In recent years, there have been a number of major cyber incidents that have significantly impacted financial institutions and the ecosystems in which they operate. A major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.
Efficient and effective response to and recovery from a cyber incident by organisations in the financial ecosystem are essential to limiting any related financial stability risks. Such risks could arise, for example, from interconnected information technology systems between multiple financial institutions or between financial institutions and third-party service providers, from loss of confidence in a major financial institution or group of financial institutions, or from impacts on capital arising from losses due to the incident. The toolkit lists 46 effective practices, structured across seven components:
- Governance – frames how cyber incident and recovery is organised and managed.
- Preparation – to establish and maintain capabilities to respond to cyber incidents, and to restore critical functions, processes, activities, systems and data affected by cyber incidents to normal operations.
- Analysis – to ensure effective response and recovery activities, including forensic analysis, and to determine the severity, impact and root cause of the cyber incident to drive appropriate response and recovery activities.
- Mitigation – to prevent the aggravation of the situation and eradicates cyber threats in a timely manner to alleviate their impact on business operations and services.
- Restoration – to repair and restore systems or assets affected by a cyber incident to safely resume business-as-usual delivery of impacted services.
- Improvement – to establish processes to improve response and recovery capabilities through lessons learnt from past cyber incidents and from proactive tools, such as tabletop exercises, tests and drills.
- Coordination and communication – to coordinate with stakeholders to maintain good cyber situational awareness and enhances the cyber resilience of the ecosystem.