The FSB agreed on the importance of having in place effective practices relating to a financial institution’s response to, and recovery from, a cyber incident. As such, a working group was established on Cyber Incident Response and Recovery (CIRR). The mandate of the CIRR is to develop a toolkit of effective practices to assist financial institutions, as well as supervisors and other relevant authorities in supporting financial institutions, before, during and after a cyber incident.
The toolkit is not intended to be an international standard nor a prescriptive approach for financial institutions or their supervisors. This project seeks to mitigate the implications of cyber incidents on financial stability by taking into account their cross-border and cross-sectoral nature. It will also leverage the shared experience and diversity of perspectives gathered in the course of this work.
As part of the process, the development of effective practices will incorporate a stocktake of publicly released guidance from national authorities and international bodies, a review of case studies on past cyber incidents and various engagements with external stakeholders. This progress report to the G20 summarizes the CIRR’s work to date and its workplan for developing effective practices for cyber incident response and recovery.
Enhancing cyber resilience is often characterized by a set of functions. The toolkit of effective practices will focus on the Respond and Recover functions. The Respond function involves the development and implementation of the appropriate activities following a detected cyber event. The Recover function involves the development and implementation of the appropriate activities to restore and maintain any capabilities or services that were impaired due to a cyber incident.
To take this project forward, the CIRR has preliminarily identified five components for the respective functions, which are broadly in line with existing standards on cyber security.
The development of the toolkit of effective practices relating to a financial institution’s response to, and recovery from, a cyber incident will be taken forward in two phases. The first phase of work will continue until October 2019 and focuses on identifying and developing effective practices. The second phase of work will likely commence during the last quarter of this year and will focus on drafting the toolkit. It will subsequently involve a public consultation to be conducted in early 2020.