
Financial Sector’s Cybersecurity:

A Regulatory Digest∗

August 2018

This Digest is intended to be a live, periodically updated compilation of recent laws, regulations,
guidelines and other significant documents on cybersecurity for the financial sector. It is
therefore organized in reverse chronological order, with the most recent document first. The
Digest is not meant to cover everything published by all jurisdictions and international
bodies. The explanatory summaries consist of text extracted from the documents and include
links to the original documents, or to the websites that hosted them, as of the time they were
added to the Digest. A separate “Appendix” file includes an “Index by Concepts” and a
“Source Table.”

The Digest was compiled and is maintained by Aquiles A. Almansi (Lead Financial Sector
Specialist, GFCEW), Yejin Carol Lee (Senior Financial Sector Specialist, GFCFS), and
Jiemin Ren (Consultant).
Financial Sector’s Cybersecurity: A Regulatory Digest

CONTENTS
TABLES .... 7
TABLE 1. Documents from Single Jurisdictions .... 7
TABLE 2. Documents from the European Union .... 11
TABLE 3. Documents from Multilateral Institutions .... 11
INTRODUCTION .... 13
DOCUMENTS (in reverse chronological order) .... 15
1. ECB TIBER-EU Framework & Services Procurement Guidelines: (Aug 2018 & May 2018) .... 15
2. IIF Cloud Computing paper (Part 1) (Aug 2018) .... 15
3. NIST Small Business Cybersecurity Act (Aug 2018) .... 16
4. UK Minimum Cyber Security Standard (Jun 2018) .... 16
5. Canada’s updated Cyber Security Strategy (Jun 2018) .... 17
6. FFIEC Joint Statement - Cyber Insurance and Its Potential Role in Risk Management Programs (Apr 2018) .... 18
7. IIF Staff Paper on Addressing Cybersecurity Regulatory Fragmentation (Apr 2018) .... 18
8. NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (Apr 2018) .... 18
9. Swiss national strategy for protection against cyber risks (Apr 2018) .... 19
10. Singapore Cybersecurity Act (Mar 2018) .... 19
11. BaFin specifies BAIT (Feb 2018) .... 20
12. EBA Final Report – Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP) (Jan 2018) .... 21
13. ECB (SSM) Cyber Incident Reporting Framework (2017) .... 21
14. BaFin Banking Supervisory requirement for IT of banks (Nov 2017) .... 21
15. DNB TIBER-NL Guidance 2.0 (Nov 2017) .... 22
16. SFC Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (Oct 2017) .... 23
17. FSB Stocktake and Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices (Oct 2017) .... 23
18. G-7 Follow-up guidance on Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector (Oct 2017) .... 24

19. EC Legislative proposal on a Framework for Free Flow of Non-Personal Data in the EU (Sep 2017) .... 25
20. EC Legislative proposal on ENISA and cybersecurity certification framework (Sep 2017) .... 26
21. AU - Banking Executive Accountability & Related Measures Bill (Sep 2017) .... 27
22. US NIST Cybersecurity Workforce Framework (Aug 2017) .... 27
23. US SEC Cybersecurity Examination Initiative Risk Alert (Aug 2017) .... 27
24. FSI Insights: Regulatory approaches to enhance banks’ cyber-security frameworks (Aug 2017) .... 28
25. IMF WP - Cyber Risk, Market Failures, and Financial Stability (Aug 2017) .... 28
26. SWIFT Customer Security Program (Jul/May/Apr 2017) .... 28
27. UK FCA Consultation - Individual Accountability Regime (Jul 2017) .... 29
28. ENISA Cyber Europe 2016: After Action Report (Jun 2017) .... 29
29. Singapore Association of Banks’ Guidelines on control objectives and procedures for outsourced service providers (Jun 2017) .... 30
30. People’s Republic of China Cyber-Security Law (Jun 2017) .... 30
31. SAMA Cyber Security Framework (May 2017) .... 31
32. G7 - fundamental elements for effective cybersecurity assessment (May 2017) .... 31
33. EBA ICT risk guidelines (May 2017) .... 32
34. EU Report on influence of tech on future of financial sector (May 2017) .... 33
35. FFIEC Cybersecurity Assessment Tool (May 2017) .... 33
36. Report of India's Working Group for Setting up of a financial sector CERT (May 2017) .... 34
37. SARB Guidance to banks on cyber resilience (May 2017) .... 34
38. Australia’s Cyber Security Strategy First Annual Update (Apr 2017) .... 34
39. ASX 100 Cyber Health Check Survey Report (Apr 2017) .... 34
40. IRDAI Guidelines on Information and Cyber Security for insurers (Apr 2017) .... 35
41. ESAs Report on main risks for the EU Financial System (Apr 2017) .... 35
42. AICPA SOC for Cybersecurity (Apr 2017) .... 35
43. The International Strategy of Cooperation on Cyberspace of the People’s Republic of China (Mar 2017) .... 36
44. NY cyber-security requirements for financial services companies (Mar 2017) .... 36
45. EU Commission Consultation on the impact of FinTech (Mar 2017) .... 37
46. BaFin Consultation on bank regulatory requirements for IT systems (Mar 2017) .... 37

47. UK Open Banking Initiative (Mar 2017) .... 38
48. CPMI report - DLT in payment clearing/settlement (Feb 2017) .... 38
49. US NIST draft updated Cybersecurity Framework (Jan 2017) .... 39
50. Turkey National Cyber Security Strategy and Action Plan (2016, 2013) .... 39
51. UK National Cyber Security Strategy 2016-2021 (2016) .... 39
52. UK CBEST Intelligence-Led Vulnerability Testing 2.0 (2016) .... 40
53. The National Cyberspace Security Strategy of the People’s Republic of China (Dec 2016) .... 41
54. UK Gov Cyber-Security Regulation and Incentives Review (Dec 2016) .... 41
55. HKMA Enhanced Competency Framework on Cybersecurity (Dec 2016) .... 42
56. SFC Circular on augmenting accountability of senior mgmt (Dec 2016) .... 42
57. HKMA circular on Cybersecurity Fortification Initiative (Dec 2016) .... 42
58. G7 Fundamental Elements of Cybersecurity for Financial Sector (Oct 2016) .... 44
59. US FinCEN Advisory on FIs obligations on cyber-related events (Oct 2016) .... 45
60. US FBAs ANPR for enhanced cybersecurity standards (Oct 2016) .... 45
61. SFC Review of cybersecurity of online & mobile trading systems (Oct 2016) .... 46
62. MY SC Guidelines to Enhance Cyber resilience of Capital Mkt (Oct 2016) .... 47
63. APRA Information Paper: 2015/16 Cyber Security Survey Results (Sep 2016) .... 47
64. CSA Staff Notice on Cyber Security (Sep 2016) .... 48
65. IE CB Cross Industry Guidance on IT and Cybersecurity Risks (Sept 2016) .... 48
66. India Non-Banking Financial Company - Account Aggregators (Sep 2016) .... 49
67. ENISA Strategies for Incident Response & Cyber Crisis Coop. (Aug 2016) .... 49
68. MAS Guidelines on Outsourcing (Jul 2016) .... 50
69. EU Directive on Security of Network and Information Systems (Jul 2016) .... 51
70. IDRBT Cyber Security Checklist (Jul 2016) .... 51
71. RBI Circular to Establish Cyber Security Framework in Banks (Jun 2016) .... 52
72. CPMI-IOSCO Guidance on cybersecurity (Jun 2016) .... 53
73. HKMA Circular Security controls related to Internet banking services (May 2016) .... 53
74. Report on IOSCO’s Cyber Risk Coordination Efforts (Apr 2016) .... 54
75. Australia’s Cyber Security Strategy (Apr 2016) .... 54
76. EU General Data Protection Regulation (Apr 2016) .... 54
77. ASIC - Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd (Mar 2016) .... 55

78. ISO/IEC - IT, Security Techniques, InfoSec Management Systems (Feb 2016) .... 55
79. EU Payment Services Directive 2 (Jan 2016) .... 56
80. South Africa National Cybersecurity Policy Framework (Dec 2015) .... 57
81. France National Digital Security Strategy (Oct 2015) .... 58
82. MAS Circular - Tech Risk and Cybersecurity Training for Board (Oct 2015) .... 58
83. HKMA Supervisory Policy Manual, Risk Management of E-banking (Sep 2015) .... 58
84. Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (Sep 2015) .... 58
85. MAS Circular on Early Detection of Cyber Intrusions (Aug 2015) .... 59
86. SEBI Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories (Jul 2015) .... 59
87. JFSA Policy Approaches to Strengthen Cyber Security in the Financial Sector (Jul 2015) .... 59
88. APRA Information Paper: Outsourcing involving Shared Computing Services (including Cloud) (Jul 2015) .... 60
89. UK FCA/PRA Senior Managers and Certification Regime (Jul 2015) .... 60
90. SFC Circular to all Licensed Corporations on Internet Trading (Jun 2015) .... 61
91. SEC Investment Management Guidance Update on Cybersecurity Guidance (Apr 2015) .... 62
92. Central Bank of Israel Directive on Cyber-Defense Management (Mar 2015) .... 62
93. ASIC’s Report on Cyber Resilience (Mar 2015) .... 63
94. EBA Guidelines on Security of Internet Payments (Dec 2014) .... 63
95. Japan’s Basic Act on Cybersecurity (Nov 2014) .... 63
96. CODISE publishes new Guide (May 2014) .... 64
97. Russian banking system standard on information security maintenance (Apr 2014) .... 64
98. MAS Notice on Technology Risk Management (Mar 2014) .... 65
99. Spain National Cyber Security Strategy (Dec 2013) .... 65
100. Netherlands National Cyber Security Strategy (Oct 2013) .... 65
101. OSFI Cyber Security Self-Assessment Guidance (Oct 2013) .... 66
102. ASIC Regulatory Guide 172: Australian market licences: Australian operators (Sep 2013) .... 66
103. ACPR guidance: risks associated with cloud computing (Jul 2013) .... 67
104. MAS Technology Risk Management Guideline (Jun 2013) .... 67

105. APRA Prudential Practice Guide CPG 234 – Management of Security Risk in Information and Information Technology (May 2013) .... 68
106. PBOC Implementation guide for classified protection of information system of financial industry (July 2012) .... 68
107. World Bank - General Principles for Credit Reporting (Sep 2011) .... 68
108. BCBS Principles for the Sound Management of Operational Risk (Jun 2011) .... 69
109. FFIEC - Authentication in Internet Banking Environment, suppl. (Jun 2011) .... 69
110. AICPA suite of SOC & Implementation Guidance (Apr 2010) .... 70
111. CBRC Guidelines on the Risk Management of Commercial Banks’ Information Technology (2009) .... 70
112. ENISA National Exercises Good Practice Guide (Dec 2009) .... 70
113. ENISA Good Practice Guide on Incident Reporting (Dec 2009) .... 71
114. German Federal Office for Information Security Act (Aug 2009) .... 71
115. KR Electronic Financial Transactions Act and Enforcement Decree (Jan 2007) .... 71
116. KR Regulation on Supervision of Electronic Financial Transactions (Jan 2007) .... 71
APPENDIX: INDEX by CONCEPTS .... 73

TABLES
TABLE 1. Documents from Single Jurisdictions

(Alphabetical Order of Country followed by Date)

INSTITUTION | DATE | NAME
Australia Treasury | Sep 2017 | Draft Treasury Laws Amendment (Banking Executive Accountability and Related Measures) Bill 2017
Australia | Apr 2017 | Australia’s Cyber Security Strategy First Annual Update
Australian Securities Exchange (ASX) | Apr 2017 | ASX 100 Cyber Health Check Survey Report
Australian Prudential Regulation Authority (APRA) | Sep 2016 | 2015/16 Cyber Security Survey Results
Australia | Apr 2016 | Australia’s Cyber Security Strategy
Australian Securities & Investment Commission (ASIC) | Mar 2016 | Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd
APRA | Jul 2015 | Outsourcing involving Shared Computing Services
ASIC | Mar 2015 | ASIC Report on Cyber Resilience
ASIC | Sep 2013 | ASIC Regulatory Guide 172: Australian market licences: Australian operators
APRA | May 2013 | APRA Prudential Practice Guide CPG 234 – Management of Security Risk in Information and Information Technology
Canada | Jun 2018 | National Cyber Security Strategy
Office of the Superintendent of Financial Institutions (OSFI) | Oct 2013 | Cyber Security Self-Assessment Guidance
China | Jun 2017 | People’s Republic of China Cyber-Security Law
China | Mar 2017 | The International Strategy of Cooperation on Cyberspace of the People’s Republic of China
China | Dec 2016 | The National Cyberspace Security Strategy of the People’s Republic of China
China Banking Regulatory Commission (CBRC) | 2009 | CBRC Guidelines on the Risk Management of Commercial Banks’ Information Technology
France | Oct 2015 | France National Digital Security Strategy
French Autorité de Contrôle Prudentiel et de Résolution (ACPR) | Jul 2013 | ACPR guidance: risks associated with cloud computing
German Federal Financial Supervisory Authority (BaFin) | Feb 2018 | BaFin specifies BAIT
BaFin | Nov 2017 | BaFin Banking Supervisory requirement for IT of banks

BaFin | Mar 2017 | BaFin consultation on Circular on bank regulatory requirements for IT systems
Federal Office of Information Security | Aug 2009 | German Federal Office for Information Security Act
Hong Kong Securities and Futures Commission (HK SFC) | Oct 2017 | SFC Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading
HK SFC | Dec 2016 | HK SFC Circular on augmenting accountability of senior management
Hong Kong Monetary Authority (HKMA) | Dec 2016 | HKMA Enhanced Competency Framework (ECF) on Cybersecurity
HKMA | Dec 2016 | HKMA Circular on the Cyber-security Fortification Initiative
HK SFC | Oct 2016 | HK SFC Review of cyber-security of online and mobile trading systems
HKMA | May 2016 | HKMA Circular Security controls related to Internet banking services
HKMA | Sep 2015 | HKMA Supervisory Policy Manual, Risk Management of E-banking
HK SFC | Jun 2015 | SFC Circular to all Licensed Corporations on Internet Trading
Indian Computer Emergency Response Team (CERT-In) | May 2017 | Report of India's Working Group for Setting up of a financial sector CERT
Insurance Regulatory and Development Authority of India (IRDAI) | Apr 2017 | IRDAI Guidelines on Information and Cyber Security for insurers
Reserve Bank of India (RBI) | Sep 2016 | India Non-Banking Financial Company - Account Aggregators
Institute for Development and Research in Banking Technology (IDRBT) | Jul 2016 | IDRBT Cyber Security Checklist
RBI | Jun 2016 | RBI Circular to Establish Cyber Security Framework in Banks
Securities and Exchange Board of India (SEBI) | Jul 2015 | SEBI Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories
Bank of Ireland | Sep 2016 | IE CB Cross Industry Guidance on IT and Cybersecurity Risks
Bank of Israel | Mar 2015 | Central Bank of Israel Directive on Cyber-defense Management
Italy | May 2014 | CODISE publishes new Guide
Japan’s National Center of Incident Readiness and Strategy for Cybersecurity | Sep 2015 | Japan’s National Center of Incident Readiness and Strategy for Cybersecurity
Japanese Financial Services Agency (JFSA) | Jul 2015 | JFSA Policy Approaches to Strengthen Cyber Security in the Financial Sector

Japan | Nov 2014 | Japan’s Basic Act on Cybersecurity
Korea | Jan 2007 | Korea Electronic Financial Transactions Act and Enforcement Decree
Korean Financial Services Commission / Financial Supervisory Service | Jan 2007 | Korea Regulation on Supervision of Electronic Financial Transactions
SC Malaysia | Oct 2016 | Malaysia Securities Commission Guidelines to enhance cyber-resilience of the Capital Market
Netherlands | Nov 2017 | DNB TIBER-NL Guidance
Netherlands | Oct 2013 | Netherlands National Cyber Security Strategy
Russia | Apr 2014 | Russian banking system standard on information security maintenance
Saudi Arabian Monetary Authority (SAMA) | May 2017 | SAMA Cyber Security Framework
Singapore | Mar 2018 | Singapore Cybersecurity Act
Association of Banks in Singapore | June 2017 | Singapore Association of Banks’ Guidelines on control objectives and procedures for outsourced service providers
Monetary Authority of Singapore (MAS) | July 2016 | MAS Guidelines on Outsourcing
MAS | Oct 2015 | MAS Circular on Technology risk and cyber-security training for Board
MAS | Aug 2015 | MAS Circular on Early Detection of Cyber Intrusions
MAS | Mar 2014 | MAS Notice on Technology Risk Management
MAS | Jun 2013 | MAS Technology Risk Management Guideline
South African Reserve Bank (SARB) | May 2017 | SARB Guidance to banks on cyber resilience
South African Ministry of State Security | Dec 2015 | South Africa National Cybersecurity Policy Framework
Spain | Dec 2013 | National Cyber Security Strategy
Switzerland | Apr 2018 | Swiss national strategy for protection of Switzerland against cyber risks
Turkey | 2016, 2013 | Turkey National Cyber Security Strategy and Action Plan

UK | June 2018 | UK Minimum Cyber Security Standard
UK Financial Conduct Authority (FCA) | Jul 2017 | UK FCA Consultation on extending Individual Accountability regime (SMCR)
UK Competition and Markets Authority | Mar 2017 | UK Open Banking Initiative
UK | 2016 | UK National Cyber Security Strategy 2016-2021
UK | Dec 2016 | UK Government Cyber-security Regulation and Incentives Review
Bank of England | 2016 | UK CBEST Intelligence-led cyber security assessment 2.0
UK FCA & Prudential Regulation Authority (PRA) | Jul 2015 | UK FCA/PRA Senior Managers and Certification Regime
US National Institute of Standards and Technology (NIST) | Apr 2018 | NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
US Federal Financial Institutions Examination Council (FFIEC) | Apr 2018 | FFIEC Joint Statement - Cyber Insurance and Its Potential Role in Risk Management Programs
US NIST | Aug 2017 | US NIST Cybersecurity Workforce Framework
US Securities and Exchange Commission (SEC) | Aug 2017 | US SEC Cybersecurity Examination Initiative Risk Alert
US FFIEC | May 2017 | FFIEC Cybersecurity Assessment Tool
New York Department of Financial Services | Mar 2017 | New York cyber-security requirements for financial services companies
US NIST | Jan 2017 | US NIST draft updated Framework for Improving Critical Infrastructure Cyber-security
US Treasury Financial Crimes Enforcement Network | Oct 2016 | US FinCEN Advisory on FIs obligations on cyber-related events and crimes
US Federal Banking Agencies | Oct 2016 | US Federal Banking Agencies ANPR for enhanced cyber-security standards
US SEC | Apr 2015 | SEC Investment Management Guidance Update on Cybersecurity Guidance
US FFIEC | Jun 2011 | FFIEC - Supplement to Authentication in an Internet Banking Environment

TABLE 2. Documents from the European Union

INSTITUTION | DATE | NAME
European Central Bank (ECB) | Aug 2018; May 2018 | ECB TIBER-EU Framework & Services Procurement Guidelines
European Banking Authority (EBA) | Jan 2018 | EBA Final Report -- Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP)
European Commission (EC) | Sep 2017 | EC Legislative proposal on a Framework for Free Flow of Non-Personal Data in the EU
EC | Sep 2017 | EC Legislative proposal on ENISA and cybersecurity certification framework
ECB | 2017 | ECB (SSM) Cyber Incident Reporting Framework (2017)
EU Agency for Network and Information Security (ENISA) | Jun 2017 | ENISA Cyber Europe 2016: After Action Report
EU Parliament | May 2017 | EU Parliament Report on influence of technology on future of financial sector
ESAs (EBA, EIOPA, ESMA) | Apr 2017 | ESAs Report on main risks for the EU Financial System
EC | Mar 2017 | EU Commission Consultation on the impact of FinTech
ENISA | Aug 2016 | ENISA Strategies for Incident Response and Cyber Crisis Cooperation
EC | Jul 2016 | EU Directive on Security of Network and Information Systems
EBA | Jun 2016 | EBA ICT risk guidelines
EC | Apr 2016 | EU General Data Protection Regulation
EC | Jan 2016 | EU Payment Services Directive 2
EBA | Dec 2014 | EBA Guidelines on Security of Internet Payments
ENISA | Dec 2009 | ENISA National Exercise Good Practice Guide
ENISA | Dec 2009 | ENISA Good Practice Guide on Incident Reporting

TABLE 3. Documents from Multilateral Institutions

INSTITUTION | DATE | NAME
IIF | Aug 2018 | IIF Cloud Computing paper (Part 1)
IIF | Apr 2018 | IIF Staff Paper on Addressing Cybersecurity Regulatory Fragmentation
Financial Stability Board | Oct 2017 | FSB Stocktake and Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices
G7 | Oct 2017 | G-7 Follow-up guidance on Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector
Financial Stability Institute | Aug 2017 | FSI Insights on policy implementation No 2: Regulatory approaches to enhance banks’ cyber-security frameworks
IMF | Aug 2017 | IMF Working Paper - Cyber Risk, Market Failures, and Financial Stability

11
Financial Sector’s Cybersecurity: A Regulatory Digest

SWIFT | July/May/Apr 2017 | SWIFT Customer Security Program
G7 | May 2017 | G7 Fundamental elements for effective cybersecurity assessment
American Institute of Certified Public Accountants (AICPA) | Apr 2017 | AICPA SOC for Cybersecurity
Committee on Payments and Market Infrastructures (CPMI) | Feb 2017 | CPMI Report – DLT in payment clearing and settlement
G7 | Oct 2016 | G7 fundamental elements of cybersecurity in the financial sector
CPMI - International Organization of Securities Commissions (IOSCO) | Jun 2016 | CPMI-IOSCO Guidance on cyber-security
IOSCO | Apr 2016 | Report on IOSCO’s Cyber Risk Coordination Efforts
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) | Feb 2016 | ISO/IEC Standards on IT, Security Techniques, Information Security Management Systems
World Bank Group | Sep 2011 | World Bank Financial Infrastructure Series - General Principles for Credit Reporting
Basel Committee on Banking Supervision | Jun 2011 | BCBS Principles for the Sound Management of Operational Risk
AICPA | Apr 2010 | AICPA suite of SOC & Implementation Guidance

12
Financial Sector’s Cybersecurity: A Regulatory Digest

INTRODUCTION

This second edition of the Regulatory Digest on Financial Sector Cybersecurity, compiled
by the Vienna-based World Bank Financial Sector Advisory Center (FinSAC), includes
twice as many entries as the first edition of October 2017. This broader coverage was
made possible by the FSB’s Stocktake and Summary Report on Financial Sector
Cybersecurity Regulations, Guidance and Supervisory Practices, also published in
October 2017. In addition, the following new publications have appeared so far in 2018:
• The European Central Bank (ECB) released in May the TIBER-EU Framework:
How to implement the European framework for Threat Intelligence-based Ethical
Red Teaming, and published in August Services Procurement Guidelines
prescribing the use of specialist external threat intelligence (TI) and red team (RT)
providers with the highest level of skills, expertise and experience.
• The Institute of International Finance (IIF) published in August the first part of its
three-part series on cloud technology in the financial services industry. It examines
the key opportunities and risks (and mitigants) of migrating to the cloud, as well
as the business and operational risks that arise from not doing so.
• The UK government released in June a “Minimum Cyber Security Standard,”
defining the measures that its Departments must implement to meet their National
Cyber Security Strategy obligations.
• The Federal Financial Institutions Examination Council (FFIEC) members
released a joint statement in April on cyber insurance and its potential role in risk
management programs.
• The Institute of International Finance (IIF) published “Addressing regulatory
fragmentation to support a cyber-resilient global financial services industry” in
April. This staff paper evaluates regulatory approaches around the world,
identifies areas where regulatory fragmentation is occurring and discusses how a
consistent and coordinated global regulatory landscape could be designed to
reduce the current fragmentation and avoid creating new sources of it. The
paper also advocates for the Financial Stability Board to play a predominant role
in creating that regulatory landscape.
• The National Institute of Standards and Technology (NIST) released in April
version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity,
also known as the NIST Cybersecurity Framework. This often-referenced work
refines, clarifies and enhances version 1.0, issued in 2014, incorporating two drafts
revised during 2017 and 2018. The NIST Small Business Cybersecurity Act also
became law in August 2018.
• Switzerland's Federal Council published in April the second national cybersecurity
strategy (NCS), covering 2018 to 2022. This strategy supports cooperation between
public authorities, the private sector and operators of critical infrastructure to
ensure early identification of cyber threats, improve the resilience of critical
infrastructure and minimize cyber risks.
• Singapore adopted a Cybersecurity Act establishing a legal framework for the
oversight and maintenance of national cybersecurity. Its four key objectives are:
1) to strengthen the protection of Critical Information Infrastructure (CII) against
cyber-attacks, 2) to authorize the Cyber Security Agency (CSA) to prevent and
respond to threats and incidents, 3) to establish a framework for sharing
cybersecurity information, and 4) to establish a light-touch licensing framework
for providers of penetration testing and security operations center (SOC)
monitoring services.
• The German Federal Financial Supervisory Authority (BaFin) published a more
robust version of its supervisory requirements for IT in financial institutions
(BAIT, released in November 2017), directed at the management boards of such
companies.
• The European Banking Authority (EBA) published in January a final version of
its Guidelines on ICT Risk Assessment. These set out the requirements that
competent authorities should apply in their SREP assessment of risks to capital,
governance and ICT strategy, and ICT risk exposures and controls.


DOCUMENTS
(in reverse chronological order)

1. ECB TIBER-EU Framework & Services Procurement Guidelines: (Aug 2018 &
May 2018)

In May, the ECB released a single Europe-wide framework for controlled ethical hacking
tests of the resilience of financial market entities, called "TIBER-EU FRAMEWORK: How to
implement the European framework for Threat Intelligence-based Ethical Red Teaming".
A related Services Procurement Guideline followed in August.

"The TIBER-EU framework facilitates a harmonised European approach towards
intelligence-led tests which mimic the tactics, techniques and procedures of real hackers
who can be a genuine threat. TIBER-EU based tests simulate a cyber attack on an entity’s
critical functions and underlying systems, such as its people, processes and technologies.
This helps the entity to assess its protection, detection and response capabilities against
potential cyber attacks...”

The Framework is “designed for national and European authorities and entities that form
the core financial infrastructure, including entities with cross-border activities which fall
within the regulatory remit of several authorities. The framework can be used for any type
of financial sector entity, as well as entities in other sectors.

It is up to the relevant authorities and the entities themselves to determine if and when
TIBER-EU based tests are performed. Tests will be tailor-made and will not result in a
pass or fail – rather they will provide the tested entity with insight into its strengths and
weaknesses, and enable it to learn and evolve to a higher level of cyber maturity."

Given the risks inherent in such tests, the ECB further published Services Procurement Guidelines:
“To ensure a controlled and safe test, one prescribed control is the use of specialist
external threat intelligence (TI) and red team (RT) providers, which have the highest level
of skills and expertise, and have the requisite experience in threat intelligence and red
team testing in the financial services industry...”

The Guidelines “set out the requirements and standards that must be met by TI and RT
providers to deliver recognised TIBER-EU tests; offer guiding principles and selection
criteria for entities, as they look to procure services from prospective providers; and
provide questions and agreement checklists that could be used when entities undertake
their due diligence and look to formalise the procurement process with the TI/RT
providers.”

2. IIF Cloud Computing paper (Part 1) (Aug 2018)

The Institute of International Finance (IIF) published the first part of its 3-part series on
Cloud technology in the financial services industry. “This paper examines the key
opportunities and risks (and mitigants) of migrating to cloud, as well as simultaneously
looking at the business and operational risks that arise for firms with not moving to cloud.
Given these business drivers, it observes that as financial institutions are defining their
strategy on cloud, the decisions are increasingly more in the order of “how,” rather than
merely in whether to pursue cloud.

The subsequent parts in this series will explore some of the hurdles (both regulatory and
non-regulatory in nature) to cloud adoption, with recommendations for how these can be
addressed, as well as analysis of the role of Cloud Services Providers (CSPs) for the
sector, including issues such as concentration risk and critical dependency.”

3. NIST Small Business Cybersecurity Act (Aug 2018)

The National Institute of Standards and Technology (NIST) Small Business Cybersecurity
Act, introduced in March 2017, became law in August 2018. The Act will “… require the
Director of the National Institute of Standards and Technology to disseminate guidance
to help reduce small business cybersecurity risks …”

4. UK Minimum Cyber Security Standard (Jun 2018)

The UK government released a “UK Minimum Cyber Security Standard”, which “defines
the minimum security measures that Departments shall implement with regards to
protecting their information, technology and digital services to meet their [Security Policy
Framework] and National Cyber Security Strategy obligations.”

The Standard includes ten requirements of all Departments (including “organisations,
agencies, Arm’s Length Bodies and contractors”), split into five areas:

“IDENTIFY
1. Departments shall put in place appropriate cyber security governance processes.
2. Departments shall identify and catalogue sensitive information they hold.
3. Departments shall identify and catalogue the key operational services they provide.
4. The need for users to access sensitive information or key operational services shall
be understood and continually managed.
PROTECT
5. Access to sensitive information and key operational services shall only be
provided to identified, authenticated and authorised users or systems.
6. Systems which handle sensitive information or key operational services shall be
protected from exploitation of known vulnerabilities.
7. Highly privileged accounts should not be vulnerable to common cyber-attacks.
DETECT
8. Departments shall take steps to detect common cyber-attacks.
RESPOND
9. Departments shall have a defined, planned and tested response to cyber security
incidents that impact sensitive information or key operational services.
RECOVER
10. Departments shall have well defined and tested processes in place to ensure the
continuity of key operational services in the event of failure or compromise.”


As the first technical standard (which will be incorporated into the Government Functional
Standard for Security once published), the Minimum Cyber-security Standard references
the National Cyber Security Strategy (see coverage in the Digest) and the HMG Security
Policy Framework (SPF). The SPF, published in final version in May 2018, provides the
mandatory protective security outcomes that all Departments are required to achieve in
the following areas: Good Governance; Culture and Awareness; Risk Management;
Information; Technology and Services; Personnel Security; Physical Security; Preparing
for and Responding to Security Incidents. It details the Policy Priorities in three areas:
Information Security; Physical Security; and Personnel Security and National Security
Vetting. Further, it notes:
“HMG organisations will consult the full range of policy, advice and guidance provided
by the Cabinet Office, Centre for the Protection of National Infrastructure, National Cyber
Security Centre, and other sources of good practice to shape their business specific
approaches, mindful that:
• Government organisations know their own business best, including how local risks
should be managed to support operations and services.
• Permanent Secretaries/Heads of Department are accountable to Parliament for the
security of their organisations.
• An annual reporting process (the Security Risk Management Overview) will
ensure compliance and an appropriate level of commonality across government.”

5. Canada’s updated Cyber Security Strategy (Jun 2018)

Canada’s new National Cyber Security Strategy, published in June 2018, replaced the
2010 Strategy. Renewing its commitment to strong cyber security, it recognizes
“evolving threats, emerging opportunities, and the need for collaborative action” in three
thematic areas:

• “Security and Resilience: Through collaborative action with partners and
enhanced cyber security capabilities, we will better protect Canadians from
cybercrime, respond to evolving threats, and defend critical government and
private sector systems.
• Cyber Innovation: By supporting advanced research, fostering digital innovation,
and developing cyber skills and knowledge, the federal government will position
Canada as a global leader in cyber security.
• Leadership and Collaboration: The federal government, in close collaboration with
provinces, territories, and the private sector, will take a leadership role to advance
cyber security in Canada and will, in coordination with allies, work to shape the
international cyber security environment in Canada’s favour.”

The update comes after an online public consultation which was undertaken by the
Government in 2016, with a report published in January 2017. “… three ideas were
consistently raised as being important and relevant to cyber security in Canada: privacy,
collaboration, and using skilled cyber security personnel. Across the full range of
consultation topics, participants stressed the need to uphold all Canadians’ privacy rights,
the need for stakeholders to collaborate with one another (i.e., governments, private sector,
law enforcement, academia, non-profit organizations), and the need to rely on cyber
security experts. In addition to these three ideas that permeated the results, the
Government of Canada cyber security consultation yielded recommendations on specific
areas for action, needs and means, and barriers and constraints…” There was also an
Action Plan covering the years 2010-2015 stemming from the Strategy. (FSB-STi)

6. FFIEC Joint Statement - Cyber Insurance and Its Potential Role in Risk
Management Programs (Apr 2018)

The Federal Financial Institutions Examination Council (FFIEC) members released a
statement “to provide awareness of the potential role of cyber insurance in financial
institutions’ risk management programs”. It states that “while cyber insurance may be an
effective tool for mitigating financial risk associated with cyber incidents, it is not required
by the agencies. Purchasing cyber insurance does not remove the need for a sound control
environment.”

The statement suggests items to consider in the following areas while assessing cyber
insurance benefits: 1) Involving multiple stakeholders in the cyber insurance decision; 2)
Performing proper due diligence to understand available cyber insurance coverage; and
3) Evaluating cyber insurance in the annual insurance review and budgeting process.

7. IIF Staff Paper on Addressing Cybersecurity Regulatory Fragmentation (Apr 2018)

This Institute of International Finance (IIF) staff paper “Addressing regulatory
fragmentation to support a cyber-resilient global financial services industry” evaluates the
regulatory approaches in the cyber arena that are being introduced around the world,
identifies areas where regulatory fragmentation is occurring and discusses how a
consistent and coordinated global regulatory landscape could be designed to help both
reduce the current fragmentation and avoid creating new sources of it.

The paper also advocates for the Financial Stability Board “to play a predominant role in
creating that regulatory landscape, which should ideally be built around a principles-based
and risk-based global framework that would provide a common approach for all the cyber-
related areas where public and private incentives are aligned. In the cases where incentives
are not fully aligned, further regulations might be needed, but in that case, they should be
developed in coherence with the framework and in accordance with leading practices that
avoid creating fragmentation.”
8. NIST Framework for Improving Critical Infrastructure Cybersecurity Version
1.1 (Apr 2018)

The National Institute of Standards and Technology (NIST) released the final Version 1.1
of its “Framework for Improving Critical Infrastructure Cybersecurity” also known as the
NIST Cybersecurity Framework. This often-referenced work refines, clarifies, and
enhances Version 1.0, which was issued in February 2014, and incorporates two drafts
revised during 2017 and 2018.

The Framework is intended to be implemented by first-time and current Framework users,
with the explicit objective of being compatible with Version 1.0 “with minimal or no disruption”.
It makes the following updates: “Clarified that terms like compliance can be confusing
and mean something very different to various Framework stakeholders; A new section on
self-assessment; Greatly expanded explanation of using Framework for Cyber Supply
Chain Risk Management purposes; Refinements to better account for authentication,
authorization, and identity proofing; Better explanation of the relationship between
Implementation Tiers and Profiles; and Consideration of Coordinated Vulnerability
Disclosure.”

9. Swiss national strategy for protection against cyber risks (Apr 2018)

In April 2018, the second national strategy for protection of Switzerland against cyber
risks (NCS) was published by the Federal Council covering 2018 to 2022. “It builds on
the first NCS implemented from 2012 to 2017; further develops it in line with
Switzerland's vulnerabilities, the significantly changed and intensified threat situation
since 2012, and the foreseeable future development thereof; and it supplements it with
further measures. It thus provides the strategic framework for improving prevention, early
identification, response, and resilience in all areas relevant to cyber risks.”

The strategic goal of the NCS is to support cooperation between public authorities, the
private sector and operators of critical infrastructure in order to ensure early identification
of cyber threats, improve the resilience of critical infrastructure and minimize cyber risks.
(FSB-STi)

10. Singapore Cybersecurity Act (Mar 2018)

The Cyber Security Agency (CSA) of Singapore announced the passing of the Government's
Cybersecurity Act, which "establishes a legal framework for the oversight and
maintenance of national cybersecurity in Singapore.

Its four key objectives are to:

1. Strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks…
The Act provides a framework for the designation of CII, and provides CII
owners with clarity on their obligations to proactively protect the CII from cyber-
attacks… The CII sectors are: Energy, Water, Banking and Finance, Healthcare, Transport
(which includes Land, Maritime, and Aviation), Infocomm, Media, Security and
Emergency Services, and Government.

2. Authorise CSA to prevent and respond to cybersecurity threats and incidents. The Act
empowers the Commissioner of Cybersecurity to investigate cybersecurity threats and
incidents to determine their impact and prevent further harm or cybersecurity incidents
from arising. The powers that may be exercised are calibrated according to the severity of
the cybersecurity threat or incident and measures required for response. This assures
Singaporeans that the Government can respond effectively to cybersecurity threats and
keep Singapore and Singaporeans safe.

3. Establish a framework for sharing cybersecurity information. The Act also facilitates
information sharing, which is critical as timely information helps the government and
owners of computer systems identify vulnerabilities and prevent cyber incidents more
effectively. The Act provides a framework for CSA to request information, and for the
protection and sharing of such information.

4. Establish a light-touch licensing framework for cybersecurity service providers. CSA
adopts a light-touch approach to license only two types of service providers currently,
namely penetration testing and managed security operations centre (SOC) monitoring.
These two services are prioritised because providers of such services have access to
sensitive information from their clients. They are also relatively mainstream in our market
and hence have a significant impact on the overall security landscape. The licensing
framework seeks to strike a balance between security needs and the development of a
vibrant cybersecurity ecosystem…

Part 1 introduces the fundamental concepts used in the Act and provides for the
application of the Act.
Part 2 provides for the administration of the Act and the appointment of a Commissioner
of Cybersecurity (Commissioner) and other officers for the purposes of the Act.
Part 3 provides for the designation of CII and the regulation of owners of CII with regard
to the cybersecurity of the CII.
Part 4 provides for the taking of measures to prevent, manage and respond to cybersecurity
threats and incidents in Singapore.
Part 5 provides for the licensing of providers of licensable cybersecurity services.
Part 6 contains general provisions."

11. BaFin specifies BAIT (Feb 2018)

The German Federal Financial Supervisory Authority (BaFin) published a more robust
version of its supervisory requirements for IT in financial institutions (BAIT, released in
November 2017; see coverage in Digest), setting up its requirements in a ‘modular’
format. It explains: “The BAIT have now become the cornerstone of IT supervision for
all credit and financial services institutions in Germany. The requirements are directed at
the management boards of such companies.

The objective of the BAIT is to create a comprehensible and flexible framework for the
management of IT resources, information risk and information security. They also aim to
contribute towards increasing awareness of IT risks throughout the institutions and in
relation to external service providers. Furthermore, they provide transparency about what
banking supervisors expect from the institutions with regard to the management and
monitoring of IT operations, including the user access management that this necessitates
as well as requirements for IT project management and application development. Overall,
the BAIT address those subject areas which BaFin has identified as particularly important
based on its experience of IT inspections."

12. EBA Final Report – Guidelines on ICT Risk Assessment under the Supervisory
Review and Evaluation Process (SREP) (Jan 2018)

The European Banking Authority (EBA)’s Final Report of the Guidelines, published in May
2017 (see coverage in the Digest), went into application from 1 January 2018. Authorities
indicated compliance by 13 November 2017 (compliance table).

“These Guidelines set out the requirements competent authorities should apply in their
assessment of ICT focusing on the general provisions and application of scoring as part
of the SREP assessment of risks to capital (Title 1), assessment of institutions’ governance
and strategy on ICT (Title 2); and assessment of institutions’ ICT risk exposures and
controls (Title 3).

In particular, Title 1 of these Guidelines explains how the assessment of ICT risk
contributes to the overall SREP assessment of an institution, noting that the assessment
of ICT risk would contribute (1) to the assessment of operational risk, which is assessed
as part of the assessment of risks to capital (Title 6 of the EBA SREP Guidelines), (2) the
assessment of institutions’ governance and strategy on ICT would feed into the
assessment of internal governance and institution-wide controls under Title 5 of the EBA
SREP Guidelines, and (3) the assessment of all aspects of ICT covered by these
Guidelines would also inform the business model analysis performed in accordance with
Title 4 of the EBA SREP Guidelines…”

13. ECB (SSM) Cyber Incident Reporting Framework (2017)

The European Central Bank (ECB) is finalizing a reporting framework for significant
cyber incidents which was piloted in 2016, with plans to be rolled out to all significant
institutions from the 19 euro area countries in the third quarter of 2017. “The reporting
framework for significant cyber incidents is designed to collect and store information on
cybercrime incidents that have an impact on significant institutions. This will require
incidents to be reported as soon as the banks detect them. The information will be used to
identify and monitor trends in cyber incidents affecting significant institutions and will
facilitate a fast reaction by the ECB in the event that a major incident affects one or more
significant banks…” A pilot exercise has resulted in improvements to the framework
including incident definitions, the reporting template, and the reporting instructions.

14. BaFin Banking Supervisory requirement for IT of banks (Nov 2017)

The German Federal Financial Supervisory Authority (BaFin) published circular 10/2017,
laying out principles-based guidance for banking institutions, the Bankaufsichtliche
Anforderungen an die IT (BAIT). The Circular is based on the German Banking Act and
the Minimum Requirements for Risk Management, which deal with banks’ operational
risk.


“This Circular provides a flexible and practical framework for institutions’ technical and
organisational resources on the basis of section 25a (1) of the German Banking Act
(Kreditwesengesetz) – in particular for IT resource management and IT risk management.
Moreover, it specifies the requirements laid down in section 25b of the Banking Act
(outsourcing of activities and processes)… This is without prejudice to the requirements
contained in the Minimum Requirements for Risk Management (Mindestanforderungen
an das Risikomanagement – MaRisk), which are fleshed out in this Circular.”

15. DNB TIBER-NL Guidance 2.0 (Nov 2017)

De Nederlandsche Bank (the Dutch Central Bank/DNB) published its guidance on how to
conduct a Threat Intelligence-based Ethical Red teaming exercise, the TIBER-NL test. The DNB
was charged by the Dutch Financial Stability Committee to lead the implementation of
the TIBER-NL framework, a joint effort of all Dutch Financial Core Infrastructure (FCI)
institutions, which officially started on 30 June 2016.

“TIBER tests mimic potential attacks from real threat actors. The test mimics high level
threat groups only (organised crime groups / state proxy/ nation state attackers) and
thereby tests whether defensive measures taken are effective (capability assessment),
supplementing the present periodic information security audits (process assessments) by
e.g. supervisors and overseers. The tests also supplement current penetration tests and
vulnerability scans executed within FCI parties. Test scenarios will draw on current
commercially obtained threat intelligence that will where possible be enriched and
reviewed with Governmental Intelligence (GI). This testing method aims to determine,
and importantly serves to improve the capabilities of targeted institutions. The TIBER-
NL framework is intended to improve their cyber resilience and ultimately, the cyber
resilience of the FCI as a whole. TIBER-NL testing will be a recurrent exercise.

A TIBER test can therefore be defined as: the highest possible level of intelligence-based
red teaming exercise using the same Tactics, Techniques and Procedures (TTPs) as real
adversaries, against live critical production infrastructure, without the foreknowledge of
the organisation’s defending Blue Team (BT). As such, the BT is unaware of the TIBER-
NL test. The actual test consists of time boxed phases (recon, in, through, out). As a
consequence existing controls, prevention measures, and security detection and response
capabilities against advanced attacks can be tested throughout all phases of the attack. It
also helps identify weaknesses, errors or other security issues in a controlled manner.

The test phase is followed by full disclosure and a replay (that may include purple
teaming) between the Red Team and the Blue Team to identify gaps, address findings and
improve the response capability. During the test a White Team consisting of only the
smallest necessary number of the FI’s security and business experts will monitor the test
and intervene when needed, e.g. when the test seems to lead to critical impact (during a
test, business impact is allowed to a level agreed on beforehand, critical impact is not).
The White Team will be in close contact with the TIBER-NL Test Manager from DNB’s
TIBER-NL Cyber Sector Team (TCST), who convoys the TIBER-NL test process.


This guide has been developed by the TCST from the Dutch Central Bank in close
cooperation with all institutions from the Dutch FCI. It is meant to serve these TIBER-
NL participants and their cyber security service providers. It explains the key phases,
activities, deliverables and interactions involved in a TIBER-NL test.”

16. SFC Guidelines for Reducing and Mitigating Hacking Risks Associated with
Internet Trading (Oct 2017)

The Hong Kong Securities and Futures Commission (SFC), after a period of consultation,
published a Guideline for Licensed Companies setting out the baseline requirements to
reduce or mitigate hacking risks associated with internet trading.

The guideline is organized in three parts:

• Protection of clients’ internet trading accounts (two-factor authentication;
implementing a surveillance system; prompt notification to customers; data
encryption; stringent password and session time-out policies);
• Infrastructure security management (network segmentation; user access
management; remote access security; patch management; end-point protection;
prevention of unauthorized installations; physical security; system and data
backups; contingency planning for cybersecurity scenarios; and third party service
providers); and
• Cybersecurity management and supervision (roles and responsibilities of
cybersecurity management; incident reporting; training for internal users; and alert
and reminder to clients).

Compliance with the Guidelines is required from 27 July 2018 (except for two-factor
authentication, to be effective in April 2018). (FSB-STi)

17. FSB Stocktake and Summary Report on Financial Sector Cybersecurity
Regulations, Guidance and Supervisory Practices (Oct 2017)

The Financial Stability Board (FSB), as tasked by the G20 meeting in Baden-Baden
(March 2017), published the results of a Stocktake and Summary Report on cybersecurity
regulations, guidance and supervisory practices (publicly issued) at the meeting of the
G20 Finance Ministers and Central Bank Governors in Washington DC.

“The reports are informed by the responses of [all 25] FSB member jurisdictions and
[nine] international bodies to a survey conducted by the FSB. The summary report also
sets out key themes raised in an FSB workshop in September that brought together public
and private sector participants to discuss cybersecurity in the financial sector.

FSB member jurisdictions have been active in addressing cybersecurity, with all member
jurisdictions having released regulations or guidance that address cybersecurity for the
financial sector. Findings of the FSB stocktake include:


• All FSB member jurisdictions report drawing upon a small body of previously
developed national or international guidance or standards when developing their
own regulatory or supervisory schemes for the financial sector.
• Two thirds of reported regulatory schemes take a targeted approach to
cybersecurity and/or information technology risk and one-third address
operational risk generally.
• Some elements commonly covered by regulatory schemes targeted to
cybersecurity include risk assessment, regulatory reporting, role of the board,
third-party interconnections, system access controls, incident recovery, testing and
training.
• Jurisdictions remain active in further developing their regulation and guidance.
Seventy-two per cent of jurisdictions report plans to issue new regulations,
guidance or supervisory practices that address cybersecurity for the financial
sector within the next year.
• International bodies also have been active in addressing cybersecurity for the
financial sector. There are a number of similarities across the international
guidance issued by different sectoral standard-setting bodies and other
international organisations. Many of the same topics are addressed, including
governance, risk analysis and assessment, information security, expertise and
training, incident response and recovery, communications and information
sharing, and oversight of interconnections.

Private sector participants at the workshop emphasised that effective cybersecurity
requires a strategic, forward-looking, fluid and proactive approach and noted the
importance of integrating security with business operations, as well as the importance of
governance and communication with a firm’s board. They expressed support for
principles-based, risk-based and proportional regulation, and also stressed the importance
of a globally consistent approach that avoids multiple, potentially conflicting regulatory
schemes.”

The FSB Stocktake document includes summaries of the FSB Cybersecurity Survey
responses, providing a concise reference for these 25 jurisdictions. This valuable
resource has enriched the current update of the Digest in its mirrored effort to collect
cybersecurity regulation and guidance for the financial sector. The documents owing
their coverage in the Digest to the FSB Cybersecurity Survey will be cited with the
notation “FSB-ST”.

18. G-7 Follow-up guidance on Fundamental Elements for Effective Assessment of
Cybersecurity in the Financial Sector (Oct 2017)

Building upon the prior year’s guidance of the same title (see coverage in the Digest), the
finance ministers and central bank governors of the G-7 countries (Canada, France,
Germany, Italy, Japan, the United Kingdom, and the United States) released follow-up
guidance.

Described as “nonbinding, high-level building blocks that provide the foundation for
private and public entities, as they develop their approach to cybersecurity, supported by
their risk management and culture”, the document specifically provides:


A) Five “desirable outcomes” based on the G7 Fundamental Elements, “encouraging
entities to continue developing their cybersecurity, and providing further
characteristics to assess the effectiveness of cybersecurity capabilities (the ‘what’)”.
They are:
1. The Fundamental Elements (G7FE) are in place.
2. Cybersecurity influences organizational decision-making.
3. There is an understanding that disruption will occur.
4. An adaptive cybersecurity approach is adopted.
5. There is a culture that drives secure behaviors.
B) Five “assessment components” which assessors can use to develop their approach to
assessing progress as entities build and enhance their cybersecurity. “Together, they
help the assessment by describing the effectiveness of cybersecurity assessments (the
‘how’).” They are:
1. Establish clear assessment objectives.
2. Set and communicate methodology and expectations.
3. Maintain a diverse toolkit and process for tool selection.
4. Report clear findings and concrete remedial actions.
5. Ensure assessments are reliable and fair.
19. EC Legislative proposal on a Framework for Free Flow of Non-Personal Data in
the EU (Sep 2017)

Pursuing the objectives set out in the European Commission’s Digital Single Market
Strategy, “the proposal aims to address the following issues:
• Improving the mobility of non-personal data across borders in the single market,
which is limited today in many Member States by localisation restrictions or legal
uncertainty in the market;
• Ensuring that the powers of competent authorities to request and receive access to
data for regulatory control purposes, such as for inspection and audit, remain
unaffected; and
• Making it easier for professional users of data storage or other processing services
to switch service providers and to port data, while not creating an excessive burden
on service providers or distorting the market.”
“This proposal focuses on provision of data hosting (storage) and other processing
services, and is coherent with existing legal instruments. The initiative pursues the
creation of an effective EU single market for such services. It is thus consistent with the
E-commerce Directive which aims at a comprehensive and effective EU single market for
the broader categories of information society services, and with the Services Directive
which furthers the deepening of the EU single market for services in a number of
sectors…”

20. EC Legislative proposal on ENISA and cybersecurity certification framework (Sep 2017)

The European Commission published a Proposal for “Regulation of the European
Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing
Regulation (EU) 526/2013, and on Information and Communication Technology
cybersecurity certification (''Cybersecurity Act'')”.

As summarized in the “Communication on Resilience, Deterrence and Defence: Building
strong cybersecurity for the EU”, the proposal includes a permanent mandate of the
European Union Agency for Network and Information Security (ENISA, whose current
mandate is set to expire in June 2020) to be designated the “EU Cybersecurity Agency”,
giving it a stronger and more central role.

The proposal delineates the scope of ENISA’s mandate in the following areas: EU policy
development and implementation; capacity building (including contributing to the
establishment of Information Sharing and Analysis Centres (ISACs) in various sectors);
knowledge, information and awareness raising; research and innovation; operational
cooperation and crisis management (including pan-European cybersecurity exercises
(Cyber Europe – see coverage in the Digest) to be run on an annual basis); the EU
cybersecurity “Blueprint”; and market-related tasks (standardisation, cybersecurity
certification).

The Communication summarizes the “Blueprint” as a document which is “to provide an
effective process for an operational response at Union and Member State level to a
large-scale cyber incident. The Blueprint presented in a Recommendation in this package
explains how cybersecurity is mainstreamed to existing Crisis Management mechanisms
at EU level and sets out the objectives and modes of cooperation between the Member
States as well as between Member States and relevant EU Institutions, services, agencies
and bodies when responding to large scale cybersecurity incidents and crises. The
Recommendation also requests Member States and EU institutions to establish an EU
Cybersecurity Crisis Response Framework to operationalise the Blueprint. The Blueprint
will be regularly tested in cyber and other crisis management exercises and updated as
necessary.”

The proposal includes the creation of an EU certification framework for ICT security
products: “The Framework would lay down the procedure for the creation of EU-wide
cybersecurity certification schemes, covering products, services and/or systems, which
adapt the level of assurance to the use involved (be it critical infrastructures or consumer
devices). It would bring clear benefits to businesses by avoiding the need to go through
several certification processes when trading across borders, thereby limiting administrative
and financial costs. The use of schemes developed under this Framework would also help
build consumers' confidence, with a certificate of conformity to inform and reassure
purchasers and users about the security properties of the products and services they buy and
use. This would make high standards for cybersecurity a source of competitive advantage.
The result would build increased resilience as ICT products and services would be formally
evaluated against a defined set of cybersecurity standards, which could be developed in
close connection with the broader ongoing work on ICT standards.

The Framework's schemes would be voluntary and would not create any immediate
regulatory obligations on vendors or service providers. The schemes would not contradict
any applicable legal requirements, such as the EU legislation on data protection.”

An EC website for the proposal includes the relevant documents including the proposal, an
annex, and related impact assessments.

21. AU - Banking Executive Accountability & Related Measures Bill (Sep 2017)

The Australian Treasury released the Banking Executive Accountability and Related Measures
amendment bill for consultation. The Banking Executive Accountability Regime (BEAR)
was introduced earlier in the 2017-18 Budget announcement of the Treasury.

“This Bill amends the Banking Act 1959 to establish the Banking Executive Accountability
Regime (BEAR). The BEAR is a strengthened responsibility and accountability framework
for the most senior and influential directors and executives in authorized deposit-taking
institutions (ADI) groups. It requires them to conduct themselves with honesty and
integrity and to ensure the business activities for which they are responsible are carried out
effectively.” The BEAR provisions are due to apply from 1 July 2018. The consultation period
ended on September 29.

22. US NIST Cybersecurity Workforce Framework (Aug 2017)

The US National Institute of Standards and Technology (NIST)’s National Initiative for
Cybersecurity Education (NICE) Cybersecurity Workforce Framework aims to provide
organizations with a common vocabulary when describing the role, area of specialty,
category of work, and the knowledge, skills, and abilities (KSA) of cybersecurity
professionals.

23. US SEC Cybersecurity Examination Initiative Risk Alert (Aug 2017)

The US Securities and Exchange Commission (SEC)’s Office of Compliance Inspections
and Examinations (OCIE) published its Risk Alert on its findings from Cybersecurity
Examinations (Cybersecurity 2 Initiative), as part of its Cybersecurity Examination
Initiative announced in 2014 after its Cybersecurity Roundtable. This second round
covered examinations conducted between September 2015 and June 2016 of 75 regulated
entities (registered broker-dealers, investment advisers, and investment companies).

The newly published Risk Alert reported mixed progress of the regulated entities. It noted:
The examinations focused on the firms’ written policies and procedures regarding
cybersecurity, including validating and testing that such policies and procedures were
implemented and followed. In addition, the staff sought to better understand how firms
managed their cybersecurity preparedness by focusing on the following areas: (1)
governance and risk assessment; (2) access rights and controls; (3) data loss prevention;
(4) vendor management; (5) training; and (6) incident response.

The Risk Alert announcing the OCIE Cybersecurity Initiative noted that the initiative is
designed to assess cybersecurity preparedness in the securities industry and to obtain
information about the industry’s recent experiences with certain types of cyber threats. As
part of this initiative, OCIE will conduct examinations of more than 50 registered broker-
dealers and registered investment advisers focused on the following: the entity’s
cybersecurity governance, identification and assessment of cybersecurity risks, protection
of networks and information, risks associated with remote customer access and funds
transfer requests, risks associated with vendors and other third parties, detection of
unauthorized activity, and experiences with certain cybersecurity threats.

24. FSI Insights: Regulatory approaches to enhance banks’ cyber-security frameworks (Aug 2017)

In this FSI Insights on policy implementation No 2, after a discussion on the question of
“developing specific regulations for cyber-risk”, the authors introduce “existing key
regulatory requirements relating to cyber-risk” and “supervisory frameworks and tools”,
then make their “observations about the implementation of cyber-risk regulations by
the banking industry”, and finally close with “some policy considerations”.

25. IMF WP - Cyber Risk, Market Failures, and Financial Stability (Aug 2017)

The IMF published the Working Paper “Cyber Risk, Market Failures, and Financial Stability”:

“This paper considers the properties of cyber risk, discusses why the private market can
fail to provide the socially optimal level of cybersecurity, and explores how systemic cyber
risk interacts with other financial stability risks. Furthermore, this study examines the
current regulatory frameworks and supervisory approaches, and identifies information
asymmetries and other inefficiencies that hamper the detection and management of
systemic cyber risk. The paper concludes discussing policy measures that can increase the
resilience of the financial system to systemic cyber risk.”

26. SWIFT Customer Security Programme (Jul/May/Apr 2017)

As part of its roll out of the SWIFT Customer Security Programme (CSP) requirement
announced in September 2016, SWIFT launched the KYC Registry Security Attestation
Application (KYC-SA) – “a central application for users to self-attest their level of
compliance with SWIFT’s Customer Security Controls Framework. The KYC-SA
application also enables users to securely exchange their security status information with
selected counterparties, supporting cyber risk management, transparency and business due
diligence.”

In April and May, SWIFT issued its new mandatory Customer Security Controls
Framework and published further details of the related attestation policy and process as
announced in September 2016 in the SWIFT Customer Security Controls Policy document.

SWIFT’s Customer Security Controls Framework is presented via three objectives (Secure
your Environment, Know and Limit Access, and Detect and Respond), eight principles
within those objectives, and 27 (16 mandatory and 11 advisory) controls organized under
those principles. These controls are intended to help customers to safeguard their local
environments and reinforce the security of the global financial community.

Customers will be required to provide an annual self-attestation against the mandatory
controls from Q2 2017, by December 31 2017. From January 2018, SWIFT will flag those
users that have not submitted a self-attestation on time to their regulators. As from January
2019 onwards, SWIFT’s reporting right will also cover users that have failed to self-attest
full compliance with all mandatory security controls in a timely manner or that connect
through a non-compliant service provider. Thereafter, SWIFT will provide ongoing
updates to local supervisory bodies.

Also in May, SWIFT launched the SWIFT Information Sharing and Analysis Centre (SWIFT
ISAC) global portal, a key part of its Customer Security Programme to facilitate information
sharing among its community. “...existing intelligence bulletins will now be stored in the
SWIFT ISAC portal, in a readily readable and searchable format, aligned with standardised
templates... This information includes malware details such as file hashes and YARA rules,
Indicators of Compromise, as well as details on the Modus Operandi used by the cyber-criminals.
The information, which is particularly relevant to SWIFT customers, can also
be downloaded as PDF reports or as machine-readable files in OpenIOC format, an XML-based
file format that is commonly used by the cyber-security industry.”

There had been multiple incidents involving fraudulent transfers through the SWIFT
messaging system, although the incidents stemmed from breaches of locally managed
infrastructure at the customer level rather than of SWIFT’s own network or software.

Documents are available through customer login at www.swift.com.

27. UK FCA Consultation - Individual Accountability Regime (Jul 2017)

The UK Financial Conduct Authority (FCA) commenced a consultation period for
CP17/25: Individual accountability - extending the Senior Managers and Certification
Regime to all FCA firms. The consultation period will close in November 2017, and a Policy
Statement is expected by summer 2018.

“The Senior Managers and Certification Regime (SM&CR) currently applies to deposit
takers and, following the Bank of England and Financial Services Act 2016, is now being
extended to FCA solo-regulated firms. It replaces the current Approved Persons Regime,
changing how individuals working in financial services are regulated... This consultation
paper sets out our proposed approach to the extension of the SM&CR as well as some
minor proposals relating to the existing banking regime.”

28. ENISA Cyber Europe 2016: After Action Report (Jun 2017)

The European Union Agency for Network and Information Security (ENISA) published
“Cyber Europe 2016: After Action Report – Findings from a cyber crisis exercise in
Europe”. Cyber Europe 2016 was the fourth pan-European cyber crisis exercise organised
by ENISA. Over 1,000 participants working mostly in the ICT sector, from public and
private organisations from all 28 Member States of the European Union and two from the
European Free Trade Association (EFTA), joined in a programme of activities ranging
from training sessions and communication checks to technical competitions and
cooperation exercises.

Cyber Europe was launched in 2010 by ENISA as a biennial exercise, held every two years. The 5th iteration
“CE2018” will focus on a scenario revolving around the aviation industry. The 4th,
in 2016, revolved around the IT, telecommunications and cybersecurity industries, while the
prior exercises were not industry specific.

29. Singapore Association of Banks’ Guidelines on control objectives and procedures for outsourced service providers (Jun 2017)

The Association of Banks in Singapore (ABS) published version 1.1 of its “Guidelines
on control objectives and procedures for outsourced service providers”, based on the MAS
Guidelines on Outsourcing (issued on 27 July 2016) and industry feedback. In July 2015,
it had issued the initial version 1.0 of the Guidelines.

“…the Association of Banks in Singapore (“ABS”) has established these Guidelines on
Control Objectives and Procedures for the FIs’ Outsourced Service Providers (“OSPs”)
operating in Singapore. These Guidelines form the minimum/baseline controls that OSPs
which wish to service the FIs should have in place. However, FIs with specific needs
should continue to liaise with their OSPs on a bilateral basis to impose any additional
specific requirements...
By complying with the Guidelines, OSPs can assure the FIs that their controls are designed
and operating effectively to meet the control objectives that are relevant in the provision
of the outsourced services.

SCOPE: These Guidelines should be adopted by all OSPs in Singapore that undertake
material outsourcing arrangements for FIs in Singapore.”

(See related coverage in Digest)

30. People’s Republic of China Cyber-Security Law (Jun 2017)

The Cyber-security Law of the People’s Republic of China (PRC) (unofficial English version)
took effect on 1 June 2017; it was published in November 2016 (official Chinese version).
The law applies to everyone who operates networks in the PRC and will affect
multinational corporations. The Cyberspace Administration of China (CAC) has issued a
series of regulations implementing the law. The public has been asked for comments on
other proposed implementing rules, including measures affecting the transfer of personal
data outside the PRC.

The Cybersecurity Law is developed for the purposes of guaranteeing cybersecurity,
safeguarding cyberspace sovereignty, national security and public interest, protecting the
lawful rights and interests of citizens, legal persons and other organizations, and promoting
the sound development of economic and social informatization. “The Cybersecurity Law
applies with respect to the construction, operation, maintenance and usage of
networks and the supervision and management thereof. It provides, among other things,
that the State formulates cybersecurity strategy and policy; adopts measures to monitor,
defend against and deal with cybersecurity risks and attacks; actively launches international
exchange and cooperation in the areas of cyberspace governance, research and
development of network technologies, and attacking cybercrime.”

31. SAMA Cyber Security Framework (May 2017)

The Saudi Arabian Monetary Authority (SAMA) published a Cyber Security Framework
document, applicable to all of the following institutions operating in Saudi Arabia: banks;
insurance and/or reinsurance companies; financing companies; credit bureaus; and
the financial market infrastructure.

"SAMA established a Cyber Security Framework (“the Framework”) to enable Financial
Institutions regulated by SAMA (“the Member Organizations”) to effectively identify and
address risks related to cyber security. To maintain the protection of information assets
and online services, the Member Organizations must adopt the Framework.

The objective of the Framework is as follows:
1. To create a common approach for addressing cyber security within the Member Organizations.
2. To achieve an appropriate maturity level of cyber security controls within the Member Organizations.
3. To ensure cyber security risks are properly managed throughout the Member Organizations.

The Framework will be used to periodically assess the maturity level and evaluate the
effectiveness of the cyber security controls at Member Organizations, and to compare
these with other Member Organizations. The Framework is based on the SAMA
requirements and industry cyber security standards, such as NIST, ISF, ISO, BASEL and
PCI.

The Framework supersedes all previously issued SAMA circulars with regard to cyber
security." (FSB-ST)

The framework is part of the initiatives of SAMA's cybersecurity strategy (unavailable).

32. G7 - fundamental elements for effective cybersecurity assessment (May 2017)

The G7 Communique reflected the discussions on cyber-security at the G7 Meeting of
Finance Ministers and Central Banks’ Governors in Bari, Italy, May 12-13, 2017.

On top of highlighting the importance of developing “common and shared practices to help
timely detection of vulnerabilities in the financial system”, they raised the need for current
assessment approaches to be “enhanced and be complemented by practices that are tailored
to bolster cyber resilience, including regular cyber exercises and simulations as well as
consideration of how to most effectively leverage penetration tests” in response to the rapidly
evolving nature of cyber risks.

Most importantly, the G7 Cyber Expert Group (G7 CEG) was mandated to develop a set
of high level and non-binding fundamental elements for effective assessment of
cybersecurity by October 2017.

They also specified the following areas for future further work:

“...task the G7 CEG to advance work on the third-party risks and the coordination with
other critical sectors....
...encourage international coordination and knowledge sharing.
...explore other issues of interest related with cybersecurity as directed and prioritised by
G7 Finance Ministers and Central Banks Governors.
...call on the International Organizations and governmental institutions in partnership with
the private sector to enhance sharing of cybersecurity information. Definitions, collection
methodologies and data sharing, when appropriate, should be coordinated and consistent
across countries and sectors, so that results are comparable. Sharing national experiences
and best practices among all stakeholders on optimal cybersecurity legislation or relevant
regulatory initiatives would be highly beneficial.”

The communique also noted that the G7 is following the development of a cyber
insurance market and the ongoing work by the OECD, notably its report Supporting an
Effective Cyber Insurance Market.

33. EBA ICT risk guidelines (May 2017)

The EBA finalized its Guidelines on ICT Risk Assessment under the Supervisory Review
and Evaluation process (SREP).

The EBA had earlier launched a consultation on its draft Guidelines on the assessment of information
and communication technology (ICT) risk in the context of the supervisory review and
evaluation process (SREP). The Guidelines are addressed to competent authorities
and aim at promoting common procedures and methodologies for the assessment of ICT
risk.

The requirements to assess ICT risks consist of:

• ICT governance (risks at senior management level and management body level);
• ICT strategy and its alignment with an institution’s business strategy; and
• ICT risk exposures and controls.

These Guidelines build on existing references to ICT risk in the EBA SREP guidelines
providing the scope and methodology for the assessment of ICT risk within an institution
and are structured around three main parts:

• setting the context and scope of the ensuing assessment;
• addressing what competent authorities should expect to see about management of
ICT risks at senior management level and management body level, as well as the
assessment of an institution’s ICT strategy and its alignment with the business
strategy; and
• covering the assessment of the institution’s ICT risk exposures and the
effectiveness of controls.

The assessment contained in these Guidelines feeds into the EBA SREP methodology more
generally; they should therefore be read together with the EBA SREP Guidelines, which
remain applicable as appropriate. The appendix lists and provides examples of
the different types of ICT risks.

34. EU Report on influence of tech on future of financial sector (May 2017)

The EU Parliament’s Committee on Economic and Monetary Affairs (ECON) published a
Report on the influence of technology on the future of the financial sector. The report calls
on the EU Commission to develop an action plan to enable new and innovative
technologies to develop in the framework of the Capital Markets Union and Digital Single
Market.

The report outlines key priorities such as:

• cyber-security and data protection;
• interoperability and passporting of fintech services within the EU;
• providing a level playing field for traditional companies and start-ups; and
• controlled experimentation with new technologies and fostering financial education
and IT skills.

35. FFIEC Cybersecurity Assessment Tool (May 2017)

The US Federal Financial Institutions Examination Council (FFIEC) members published
an updated Cybersecurity Assessment Tool (CAT), originally released in 2015. The CAT
remains “a voluntary tool that institution management may use to determine the
institution’s inherent risk and cybersecurity preparedness.”

From its Overview: “The content of the Assessment is consistent with the principles of the
FFIEC Information Technology Examination Handbook (IT Handbook) and the National
Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as
industry accepted cybersecurity practices. The Assessment provides institutions with a
repeatable and measurable process to inform management of their institution’s risks and
cybersecurity preparedness.”

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
The Inherent Risk Profile identifies the institution’s inherent risk before implementing
controls. The Cybersecurity Maturity includes domains, assessment factors, components,
and individual declarative statements across five maturity levels to identify specific
controls and practices that are in place. While management can determine the institution’s
maturity level in each domain, the Assessment is not designed to identify an overall
cybersecurity maturity level.

To complete the Assessment, management first assesses the institution’s inherent risk
profile based on five categories:

• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of five
domains:

• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience

FFIEC consists of the principals of the following: The Board of Governors of the Federal
Reserve System, Federal Deposit Insurance Corporation, National Credit Union
Administration, Office of the Comptroller of the Currency, Consumer Financial Protection
Bureau, and State Liaison Committee.

36. Report of India's Working Group for Setting up of a financial sector CERT (May
2017)

A working group chaired by the Indian Computer Emergency Response Team (CERT-In), set
up to formulate a CERT for the financial sector (CERT-Fin), released a report
with recommendations to India’s Financial Stability & Development Council, chaired by
the Minister of Finance. (FSB-ST)

37. SARB Guidance to banks on cyber resilience (May 2017)

The South African Reserve Bank (SARB) issued a Guidance Note on the applicability of the
CPMI-IOSCO Guidance on cyber resilience for FMIs to banks, controlling companies
and branches of foreign institutions. It specified that "This office will in future, as part of
its supervisory review and evaluation process, assess the adequacy of banks' policies,
processes and practices related to cyber risk and cyber resilience, based on, among other
things, the practices contained in the aforementioned CPMI-IOSCO guidance document...
As such, banks are requested to assess the adequacy and robustness of their current
policies, processes and practices against the CPMI-IOSCO cyber resilience guidance
principles." (FSB-ST)

38. Australia’s Cyber Security Strategy First Annual Update (Apr 2017)

The First Annual Update of Australia’s four-year Cyber Security Strategy, published in April
2016 to cover the period up to 2020, reports on the status of “the Government’s promise of improving
the security of Australia’s online environment, and enabling innovation, growth and
prosperity.” It reports ‘strong progress’ against the 33 initiatives set out in 2016, and
highlights the “momentum and established a platform for more direct, deeper and richer
conversations between governments, business and the public.” (FSB-ST)

39. ASX 100 Cyber Health Check Survey Report (Apr 2017)

The Australian Securities Exchange (ASX) 100 Cyber Health Check, a voluntary survey
of the top 100 listed companies in Australia (76 responded between November 2016 and
January 2017), is “the first attempt to gauge how the boards of Australia’s largest listed
companies view and manage their exposure to cyber risk. It is an industry-led initiative
that forms part of the Australian Government’s Cyber Security Strategy…
The report demonstrates a high level of risk awareness at the top levels of corporate
Australia and a commitment to take further action. The report also provides a framework
for all Australian businesses to better evaluate their own effectiveness in addressing cyber
risk and identifying opportunities to improve their cyber resilience.” (FSB-ST)

40. IRDAI Guidelines on Information and Cyber Security for insurers (Apr 2017)

Insurance Regulatory and Development Authority of India (IRDAI) issued a Circular with
a detailed control check list for the effective implementation of these guidelines.

With various timelines until the end of March 2018, the IRDAI requires the following:
1. Appointment/designation of a suitably qualified and experienced Senior Level Officer exclusively as Chief Information Security Officer (CISO), who will be responsible for articulating and enforcing the policies to protect their information assets, and formation of an Information Security Committee (ISC);
2. Preparation of a Gap Analysis report;
3. Formulation of a Cyber Crisis Management Plan;
4. Finalization of a Board-approved Information and Cyber Security Policy;
5. Formulation of an Information and Cyber Security assurance programme (implementation plan / guidelines) in line with the Board-approved Information and Cyber Security Policy; and
6. Completion of the first comprehensive Information and Cyber Security assurance audit. (FSB-ST)

41. ESAs Report on main risks for the EU Financial System (Apr 2017)

The Joint Committee of the European Supervisory Authorities (ESAs: EBA, EIOPA, and
ESMA) published its spring 2017 Report on risks and vulnerabilities in the European
Union’s financial system.

The report focuses on continued challenges highlighted in the August 2016 report, but also
highlights increasing challenges posed by rapid advances in information and
communication technologies (ICT), including cyber-risks.

The Report highlights, among other things, the rising operational risks related to information and
communication technologies, which increasingly require supervisory attention.

The ESAs are responding to cyber-and IT-related risks by, e.g., drafting Guidelines on ICT
risk assessment for supervisors, assessing cyber-security capabilities of central
counterparties (CCPs) and assessing the potential accumulation of risk at insurers deriving
from newly developed cyber-security coverages.

42. AICPA SOC for Cybersecurity (Apr 2017)

The American Institute of Certified Public Accountants (AICPA) finalized the guidance
for Systems and Organization Controls (SOC) for Cybersecurity.

“In recognition of the needs of management and boards of directors of diverse
organizations, and for the benefit of the public interest, the American Institute of CPAs
(AICPA) has developed a cybersecurity risk management reporting framework. Using it,
organizations can communicate pertinent information regarding their cybersecurity
risk-management efforts and educate stakeholders about the systems, processes and controls
they have in place to detect, prevent and respond to breaches. The reporting framework
also enables a CPA to examine and report on the management-prepared cybersecurity
information, thereby increasing the confidence that stakeholders may place on an
organization’s initiatives. In other words, this provides clear guidance for CPAs to provide
assurance on cybersecurity.”

“The AICPA determined that the entity reporting framework should be developed first....
The AICPA is in the process of revising the SOC 2® guide for service organizations. Once
that project has been completed, the AICPA will develop a new supply-chain/vendor-risk
management guide to address the supply-chain level.”

43. The International Strategy of Cooperation on Cyberspace of the People’s
Republic of China (Mar 2017)

China released its first strategy on cyberspace cooperation regarding the virtual domain.
The International Strategy of Cooperation on Cyberspace (unofficial English version)
provides a comprehensive explanation of China's policy and position on cyber-related
international affairs as well as the basic principles, strategic goals and plan of action in its
external relations. It aims to guide China's participation in international exchange and
cooperation in cyberspace, and encourage the international community to come together
to enhance dialogue and cooperation and build a peaceful, secure, open, cooperative and
orderly cyberspace and a multilateral, democratic and transparent global Internet
governance system. (FSB-STi)

44. NY cyber-security requirements for financial services companies (Mar 2017)

The new Requirements on cyber-security from the New York Department of Financial
Services (NY DFS) took effect on 1 March 2017.

The regulation requires banks, insurance companies, and other financial services
institutions regulated by the NYDFS to establish and maintain a cyber-security program
designed to protect customer information as well as the information technology systems of
these regulated entities. The requirements for regulated financial institutions
include, among others:

• Establishment of a cyber-security program;
• Adoption of a written cyber-security policy;
• Designation of a Chief Information Security Officer responsible for implementing,
overseeing and enforcing the new program and its policy;
• Annual penetration testing and bi-annual vulnerability assessments of an entity’s
information system;
• Maintenance of audit trails to detect and respond to cyber-security events;
• Limitation and regular review of user access privileges;
• Encryption of non-public information;
• Establishment of an incident response plan;
• Establishment of a security policy for third-party service providers.

This regulation requires each company to assess its specific risk profile and design a
program that addresses its risks in a robust fashion. Senior management must take this issue
seriously and be responsible for the organization’s cybersecurity program and file an
annual certification confirming compliance with these regulations. A regulated entity’s
cybersecurity program must ensure the safety and soundness of the institution and protect
its customers.

The first certification will be due in February 2018.

45. EU Commission Consultation on the impact of FinTech (Mar 2017)

The EU Commission (EC) launched a Consultation on technology and its impact on the
European financial services sector as part of its consumer financial services action plan.
The consultation is structured along four policy objectives:

• Fostering access to financial services for consumers and businesses;
• Bringing down operational costs and increasing efficiency for the industry;
• Making the single market more competitive by lowering barriers to entry; and
• Balancing greater data sharing and transparency with data security and protection
needs.

The last of the four areas notes: “... important questions about personal data processing,
data management policies, data standardization, data sharing, security and ability to access
and supervise data from (licensed) providers of financial services should move to the
forefront of the policy agenda for FinTech. Mismanagement in these important areas can
cause loss of trust and disruption in the market that would require policy intervention.”

The consultation aims to gather information on the impact of innovative technology on the
financial sector to aid the EC in developing its policy approach and to help assess whether
the regulatory and supervisory framework promotes technological innovation.

Comments were accepted until 15 June 2017.

46. BaFin Consultation on bank regulatory requirements for IT systems (Mar 2017)

The German Federal Financial Supervisory Authority (BaFin) published (in German
language) a Draft Circular “Banking Supervision Requirements for IT” (BAIT).

The draft specifies BaFin’s minimum requirements for risk management (MaRisk) with
respect to the security of information technology. It highlights the IT security requirements
imposed by BaFin and the Bundesbank on institutions.

Furthermore, the circular helps increase institutions’ awareness of IT risks, including the
risks from third-party providers.

Comments were due by 5 May 2017. (FSB-STi)

47. UK Open Banking Initiative (Mar 2017)

The UK Competition and Markets Authority (CMA) announced the on-schedule release of
standardised data about UK banking products, branches and ATMs by the end of March
by the nine banking institutions mandated by the CMA. The CMA will require the biggest
UK retail banks to open access to transaction data by January 13, 2018, coinciding with
the EU Payment Services Directive 2.

In early 2016, the Open Banking Working Group (OBWG), established by the UK Treasury,
published a manual, the Open Banking Standard, setting out a detailed framework of how
the Open Banking Standard could be designed and delivered, with a timetable for achieving
this. The Open Banking Initiative website explains that its “delivery is split between March
2017 and January 2018, with March 2017 being focused on Open Data, making available
information on ATMs, Branches, Personal Current Accounts, Business Current Accounts
(for SMEs) & SME Unsecured Lending and Commercial Credit Cards. January 2018 is
aligned to the upcoming European Regulation (Payment Services Directive 2), where
authorized third parties can be given consent by the account holder to access their Bank
accounts to extract statement information and to initiate payments, without having to use
the Banks Online services. It is envisaged that this capability will then lead to far reaching
innovative services being created by new entrants and technology companies.”

The OBWG includes nine Banks mandated by the CMA (Allied Irish Bank, Bank of
Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group,
Santander), as well as Challenger Banks, Fintechs, Third Parties, Consumer Groups and
other parties to define and develop the required Application Programmer Interfaces (APIs),
security and messaging standards that underpin Open Banking.

48. CPMI report - DLT in payment clearing/settlement (Feb 2017)

The BIS Committee on Payments and Market Infrastructures (CPMI) published a Report
on distributed ledger technology (DLT) in payment clearing and settlement. Distributed
ledgers, also known as blockchains, are ledgers of electronic transactions maintained by a
shared network of participants and not by a centralised entity.

The report provides an analytical framework for central banks and other authorities to
review and analyse the use of this technology for payment, clearing, and settlement. The
objective of the framework is to help understand the uses of DLT and, in doing so, identify
both the opportunities and challenges associated with this technology.

The framework presents the technology’s potential to provide operational efficiencies and
to make financial markets more robust and resilient. Enhanced operational resilience and
reliability are of particular interest to the authorities given the importance of protecting
against cyberthreats. It also contains a set of questions that should be useful when looking
at DLT arrangements.

It highlights that work is still needed to ensure that the legal underpinnings of DLT
arrangements are sound, governance structures are robust, technology solutions meet
industry needs, and that appropriate data controls are in place and satisfy regulatory
requirements.

49. US NIST draft updated Cybersecurity Framework (Jan 2017)

The US National Institute of Standards and Technology (NIST) issued in January 2017 a
draft update to the Framework for Improving Critical Infrastructure Cybersecurity—also
known as the Cybersecurity Framework. The draft provides new details on managing
cyber-supply chain risks, clarifies key terms, and introduces measurement methods for
cyber-security. The updated framework aims to further develop NIST’s voluntary guidance
to organizations on reducing cybersecurity risks.

The Cyber-Security Framework was published in February 2014 following a collaborative
process involving industry, academia and government agencies, as directed by a
presidential executive order. The original goal was to develop a voluntary framework to
help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as
bridges and the electric power grid, but the framework has been widely adopted by many
types of organizations across the country and around the world.

The 2017 draft, Version 1.1, incorporates feedback received since the release of Framework
Version 1.0, and integrates comments from the December 2015 Request for Information as
well as comments from attendees at the Cyber-security Framework Workshop 2016.

(See coverage of the final version elsewhere in this Digest.)

50. Turkey National Cyber Security Strategy and Action Plan (2016, 2013)

Turkey published its National Cyber Security Strategy for the period 2016-2019 in 2016.
Two main objectives of the strategy are to strengthen the understanding of cyber security’s
role as an integral part of national security for all stakeholders, and to acquire the
competency that will allow taking administrative and technological precautions for
maintaining the absolute security of all systems and stakeholders in national cyber space.
The strategy sets out targets and sub-actions and provides for ensuring and supervising
their implementation. This is an updated version of the National Cyber Security Strategy
and Action Plan for 2013-14, published in 2013. The strategy for 2013-2014 defines
cybersecurity risks and principles for maintenance of cybersecurity, to be updated in a
coordinated way at the national level, taking into account the requests from the public and
private sector, and considering also the developing technology, changing conditions and
needs. (FSB-STi)

51. UK National Cyber Security Strategy 2016-2021 (2016)

Building on the achievements, objectives and judgements of the first five-year National
Cyber Security Strategy issued in 2011, the UK government issued a new National Cyber
Security Strategy document, with the following goals:

"DEFEND: We have the means to defend the UK against evolving cyber threats, to
respond effectively to incidents, to ensure UK networks, data and systems are protected
and resilient. Citizens, businesses and the public sector have the knowledge and ability to
defend themselves.

DETER: The UK will be a hard target for all forms of aggression in cyberspace. We detect,
understand, investigate and disrupt hostile action taken against us, pursuing and
prosecuting offenders. We have the means to take offensive action in cyberspace, should
we choose to do so.

DEVELOP: We have an innovative, growing cyber security industry, underpinned by
world leading scientific research and development. We have a self-sustaining pipeline of
talent providing the skills to meet our national needs across the public and private sectors.
Our cutting-edge analysis and expertise will enable the UK to meet and overcome future
threats and challenges." (FSB-STi)

52. UK CBEST Intelligence-Led Vulnerability Testing 2.0 (2016)

The Bank of England’s Sector Cyber-Team (SCT) published version 2.0 of its CBEST
“framework for intelligence-led penetration testing of systemically critical organizations”
for the CBEST engagement participants and service providers.

The CBEST framework was first launched in June 2014 by UK Financial Authorities,
headed by the Bank of England at the recommendation of the Financial Policy Committee
(FPC), which is “charged with taking action to remove or reduce systemic risks with a view
to protecting and enhancing the resilience of the UK financial system.”

CBEST is a voluntary cyber vulnerability assessment programme made available to core
firms/FMIs of the UK financial system. The assessment operates within a framework and
includes a set of Key Performance Indicators (KPIs) for 1) threat intelligence and 2)
intrusion detection and incident response. Each includes a section used by the BoE’s Sector
Cyber Team to assess “the provider’s ability to deliver CBEST services in accordance with
the framework agreement”, as well as a section conducted by the approved provider which
is an assessment of “the client firm’s capability surrounding use of either cyber threat
intelligence, intrusion detection, or incident response.” The completed KPIs, kept by the
SCT, help inform the cybersecurity assessment for the tested firm and give the regulators
and the UK Financial Policy Committee (FPC) an industry-level understanding of the
financial sector’s cybersecurity capability.

CBEST tests are “built around the key potential attackers for a particular firm and the attack
types they would deploy,” making use of up-to-date threat intelligence direct from UK
Government agencies and accredited commercial providers.

The CBEST programme has also brought forth new accreditation standards for threat
intelligence providers and penetration testing providers, developed in cooperation with the
Council for Registered Ethical Security Testers (CREST).

Its resource components include the following:

1. Implementation Guide, which explains the key phases, activities, deliverables and
interactions involved in a CBEST assessment;

2. Services Assessment Guide, which provides background information, in the form
of a set of assessment criteria, that CBEST participants can use as they assess
prospective threat intelligence and penetration testing service providers approved
by the Council for Registered Ethical Security Testers (CREST); and

3. Understanding Cyber Threat Intelligence Operations, which defines best practice
standards for the production and consumption of threat intelligence... intended to
provide the CBEST programme with a foundation for defining and executing
intelligence-led cyber threat vulnerability tests in conjunction with accredited
providers of threat intelligence products and services. After establishing some
important terminology, this document presents an overview of the process
underpinning a best practice threat intelligence capability and the organisation,
roles and skills required for running it. It then discusses maturity models relating to
the production and consumption of threat intelligence.

53. The National Cyberspace Security Strategy of the People’s Republic of China
(Dec 2016)

The National Cyberspace Security Strategy (unofficial English version) of the People’s
Republic of China is formulated to elaborate China’s major standpoints concerning
cyberspace development and security, guide China’s cybersecurity work and safeguard
the country’s interests in the sovereignty, security and development of cyberspace. The
objective of the strategy is to promote peace, security, openness, cooperation and order in
cyberspace.

The four principles of the strategy are:

• Respecting and protecting sovereignty in cyberspace
• Peaceful use of cyberspace
• Governing cyberspace according to the law
• Comprehensively managing cybersecurity and development

Details of nine strategic tasks are also included in the strategy. (FSB-STi)

54. UK Gov Cyber-Security Regulation and Incentives Review (Dec 2016)

In December 2016, the UK Government published the Cyber-Security Regulation and
Incentives Review. During the year, as part of the Government’s 1.9 billion pounds
strategy to protect the UK in cyber-space, the Department for Digital, Culture, Media &
Sport (DCMS) conducted a review to consider whether there is a need for additional
regulation or incentives to boost cyber-risk management across the wider economy. The
review was conducted in close consultation with a wide range of businesses, industry
partners and stakeholders, and gathered evidence from a broad range of sources.

“The review shows that there is a strong justification for regulation to secure personal data,
as there is a clear public interest in protecting citizens from crime and other harm...
Government will therefore seek to improve cyber-risk management in the wider economy
through its implementation of the forthcoming General Data Protection Regulation
(GDPR). The breach reporting requirements and fines that can be issued under GDPR will
represent a significant call to action. These will be supplemented by a number of measures
to more clearly link data protection with cyber-security, including through closer working
between the Information Commissioner’s Office and the new National Cyber-Security
Centre.”

55. HKMA Enhanced Competency Framework on Cybersecurity (Dec 2016)

Hong Kong Monetary Authority (HKMA) and the banking industry released a Guide to
Enhanced Competency Framework (ECF) on Cybersecurity for the banking sector. "This
framework enables cybersecurity talent development and facilitates the building of
professional competencies and capabilities of those staff engaged in cybersecurity duties."
The Guide aims to provide details of the scope of application, qualification structure,
recognised certificates and continuing professional development requirements to equip
relevant staff with the right skills, knowledge and behaviour.... The HKMA will assess
the progress of implementation of the ECF on Cybersecurity by [authorized institutions]
and [their] effort in enhancing staff competence in this area during its on-going
supervisory process. (FSB-STi)

56. SFC Circular on augmenting accountability of senior mgmt (Dec 2016)

The Hong Kong Securities and Futures Commission (SFC) issued a Circular on enhancing
the accountability regime for senior management of licensed corporations. The circular
specifies the definition of senior management and their regulatory obligations and potential
legal liabilities. It specifies eight core functions of a licensed corporation for each of which
it must appoint at least one fit and proper person to be the manager-in-charge (MIC), and
provides guidance on the selection of the MIC(s). It also sets out the roles and
responsibilities of the Board of Directors.

57. HKMA circular on Cybersecurity Fortification Initiative (Dec 2016)

The Hong Kong Monetary Authority (HKMA) issued in December 2016 a Circular to
authorized institutions (AIs) to inform them of the implementation details of the
Cybersecurity Fortification Initiative (CFI). The CFI consists of three pillars:

• Pillar 1: Cyber-Resilience Assessment Framework (C-RAF):

The C-RAF is a tool to help authorized institutions evaluate their cyber resilience.
The assessment comprises three stages:

– Inherent Risk Assessment – This facilitates an AI to assess its level of inherent
cyber-security risk and categorize it into “low”, “medium” or “high” in
accordance with the outcome of the assessment;

– Maturity Assessment – This assists an AI in determining whether the actual
level of its cyber-resilience is commensurate with that of its inherent risk.
Where material gaps are identified, the AI is expected to formulate a plan to
enhance its maturity level; and

– Intelligence-led Cyber-Attack Simulation Testing (iCAST) – This is a test of
the AI’s cyber-resilience by simulating real-life cyber-attacks from adversaries,
making use of relevant cyber-intelligence. AIs with an inherent risk level
assessed to be “medium” or “high” are expected to conduct the iCAST within
a reasonable time.

The HKMA will adopt a phased approach to the implementation of the C-RAF as
follows:

– the first phase will cover around 30 authorized institutions including all major
retail banks, selected global banks and a few smaller authorized institutions –
the HKMA will inform these authorized institutions individually;

– the expected timeline for completing the C-RAF assessment under the first
phase is end-September 2017 for inherent risk assessment and maturity
assessment, and end-June 2018 for iCAST (if applicable); and

– depending on industry feedback and the experience gathered from the first
phase, the second phase will cover all the remaining authorized institutions.
They will be expected to complete the inherent risk assessment and the maturity
assessment by the end of 2018. The HKMA will consider the assessment results
of the second phase in determining a timeframe for the remaining authorized
institutions to complete the iCAST. Although authorized institutions covered
in the second phase are given a longer timeframe for implementation, they
should familiarize themselves with the C-RAF and take steps to strengthen their
cyber-resilience at an early stage where necessary.

• Pillar 2: Professional Development Programme (PDP):

The PDP, rolled out in December 2016, seeks to provide a local certification scheme
and training program for cybersecurity professionals. At the request of the industry,
the HKMA has adopted a list of professional qualifications, recommended by an
expert panel, which are equivalent to the certification provided under the PDP. A
person holding a PDP certification or an equivalent professional qualification may
perform the assessments and tests in relation to the different roles defined under the
C-RAF as set out in the Annex of the circular.

• Pillar 3: Cyber-Intelligence Sharing Platform (CISP):

The HKMA noted that all banks are expected to join the Cyber Intelligence Sharing
Platform. Banks were advised to start to make the necessary preparations including
system changes at an early stage.

The CISP is ready for access by banks with effect from December 2016.

58. G7 Fundamental Elements of Cybersecurity for Financial Sector (Oct 2016)

The G7 published its fundamental elements of cybersecurity for the financial sector to
“serve as the building blocks upon which an entity can design and implement its
cybersecurity strategy and operating framework, informed by its approach to risk
management and culture. The elements also provide steps in a dynamic process through
which the entity can systematically re-evaluate its cyber-security strategy and framework
as the operational and threat environment evolves. Public authorities within and across
jurisdictions can use the elements as well to guide their public policy, regulatory, and
supervisory efforts.”

The eight elements noted are:

1. Cybersecurity Strategy and Framework: Establish and maintain a cybersecurity
strategy and framework tailored to specific cyber risks and appropriately informed
by international, national, and industry standards and guidelines;

2. Governance: Define and facilitate performance of roles and responsibilities for
personnel implementing, managing, and overseeing the effectiveness of the
cybersecurity strategy and framework to ensure accountability; and provide
adequate resources, appropriate authority, and access to the governing authority;

3. Risk and Control Assessment: Identify functions, activities, products, and
services—including interconnections, dependencies, and third parties—prioritize
their relative importance, and assess their respective cyber risks. Identify and
implement controls—including systems, policies, procedures, and training—to
protect against and manage those risks within the tolerance set by the governing
authority;

4. Monitoring: Establish systematic monitoring processes to rapidly detect cyber
incidents and periodically evaluate the effectiveness of identified controls,
including through network monitoring, testing, audits, and exercises;

5. Response: Timely (a) assess the nature, scope, and impact of a cyber incident; (b)
contain the incident and mitigate its impact; (c) notify internal and external
stakeholders (such as law enforcement, regulators, and other public authorities, as
well as shareholders, third-party service providers, and customers as appropriate);
and (d) coordinate joint response activities as needed;

6. Recovery: Resume operations responsibly, while allowing for continued
remediation, including by (a) eliminating harmful remnants of the incident; (b)
restoring systems and data to normal and confirming normal state; (c) identifying
and mitigating all vulnerabilities that were exploited; (d) remediating
vulnerabilities to prevent similar incidents; and (e) communicating appropriately
internally and externally;

7. Information Sharing: Engage in the timely sharing of reliable, actionable
cybersecurity information with internal and external stakeholders (including
entities and public authorities within and outside the financial sector) on threats,
vulnerabilities, incidents, and responses to enhance defenses, limit damage,
increase situational awareness, and broaden learning;

8. Continuous Learning: Review the cybersecurity strategy and framework regularly
and when events warrant—including its governance, risk and control assessment,
monitoring, response, recovery, and information sharing components—to address
changes in cyber risks, allocate resources, identify and remediate gaps, and
incorporate lessons learned.

59. US FinCEN Advisory on FIs obligations on cyber-related events (Oct 2016)

On 25 October 2016, the US Treasury Financial Crimes Enforcement Network (FinCEN)
issued an Advisory to assist financial institutions in understanding their Bank Secrecy Act
(BSA) obligations regarding cyber-events and cyber-enabled crime. The advisory also
highlights how BSA reporting helps U.S. authorities combat cyber-events and cyber-
enabled crime.

Through this advisory FinCEN advises financial institutions on:

• Reporting cyber-enabled crime and cyber-events through Suspicious Activity
Reports (SARs);
• Including relevant and available cyber-related information (e.g., Internet Protocol
(IP) addresses with timestamps, virtual-wallet information, device identifiers) in
SARs;
• Collaborating between BSA/Anti-Money Laundering (AML) units and in-house
cyber-security units to identify suspicious activity; and
• Sharing information, including cyber-related information, among financial
institutions to guard against and report money laundering, terrorism financing, and
cyber-enabled crime.

60. US FBAs ANPR for enhanced cybersecurity standards (Oct 2016)

On 19 October 2016, the Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (the
Federal Banking Agencies) issued an Advanced Notice of Proposed Rulemaking to
establish enhanced cyber-security standards.

The proposed rules would apply to large institutions subject to the agencies’ jurisdiction,
including:

• US bank holding companies with total consolidated assets of USD 50 billion or
more;
• banks with total consolidated assets of USD 50 billion or more;
• the US operations of foreign banking organizations with total US assets of USD 50
billion or more; and
• nonbank financial companies supervised by the Federal Reserve under section 165
of the Dodd-Frank Act.

While the ANPR is based on some existing regulatory guidance, it also adds some new and
more stringent requirements for covered entities. For example, it requires a very short two-
hour timeframe to recover critical systems from cyber-events. Improvements are proposed
in the following areas:

• Incident response and cyber-resilience;
• Cyber-risk governance;
• Cyber-risk management;
• Internal and external dependency management.

Comments received are accessible here.

61. SFC Review of cybersecurity of online & mobile trading systems (Oct 2016)

The Hong Kong Securities and Futures Commission (SFC) launched a Review of cyber-
security, compliance and resilience of brokers’ internet/mobile trading systems. This
initiative follows several reports from securities brokers that the security of some
customers’ online and mobile trading accounts has been compromised and unauthorized
securities trading transactions have been conducted through these accounts.

Cybersecurity management is a priority for the SFC’s supervision of licensed corporations.
Licensed corporations should critically review and enhance their controls to combat cyber-
attacks. This would involve:

• Strengthening threat intelligence and vulnerability management to pro-actively
identify and remediate cyber-security vulnerabilities;
• Implementing reliable preventive, detective and monitoring measures to protect
sensitive information and trading systems;
• Being vigilant in monitoring unusual or questionable logins/transactions in client
accounts;
• Implementing effective user authentication and access controls to deter potential
hacking attempts; and
• Establishing an effective contingency plan which covers, among others, possible
cyber-attack scenarios where trade and position data are impacted.

Examples of good practices observed in the market place include (i) implementing client
data encryption; (ii) putting in place controls to detect internet protocol (IP) ranges used by
clients and abnormal buy/sell transactions; (iii) implementing two-factor authentication in
conjunction with strong password requirements for client logon; and (iv) sending timely
trade confirmations to clients via SMS. A combination of these measures enables brokers
to spot suspicious activities and mitigate hacking risks. Where the security of accounts
is compromised, early detection enables brokers to send alerts to clients to stop further
unauthorized trading.
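The IP-range and abnormal-transaction controls listed under (ii) above, shown as detection logic in an added Python example that is not from the Digest, the SFC or any broker's system: it builds a per-client baseline from constructed historical log events (the /24 networks a client has logged in from and the median value of the client's orders) and then flags logins from networks outside that baseline, orders far above the client's typical size, and any order placed in a session that began with an unfamiliar login. The event format, the client ids, the addresses (taken from documentation ranges) and the thresholds are all assumptions made for the example.

```python
"""Added example: baseline-based detection of unfamiliar login networks and
abnormal orders in broker trading logs. Not from the Digest or the SFC; the
event format, client ids, IP addresses and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample events (not real data), assumed to be in chronological
# order. Addresses come from the RFC 5737 documentation ranges.
HISTORY = [
    {"client": "C001", "type": "login", "ip": "203.0.113.10"},
    {"client": "C001", "type": "login", "ip": "203.0.113.25"},
    {"client": "C001", "type": "order", "side": "buy", "qty": 100, "price": 50.0},
    {"client": "C001", "type": "order", "side": "sell", "qty": 200, "price": 52.0},
    {"client": "C001", "type": "order", "side": "buy", "qty": 150, "price": 48.0},
    {"client": "C002", "type": "login", "ip": "198.51.100.7"},
    {"client": "C002", "type": "order", "side": "buy", "qty": 1000, "price": 10.0},
    {"client": "C002", "type": "order", "side": "sell", "qty": 800, "price": 12.0},
]

NEW_EVENTS = [
    {"client": "C001", "type": "login", "ip": "203.0.113.44"},  # same /24 as before
    {"client": "C001", "type": "order", "side": "buy", "qty": 120, "price": 51.0},
    {"client": "C002", "type": "login", "ip": "192.0.2.99"},    # never-seen network
    {"client": "C002", "type": "order", "side": "sell", "qty": 20000, "price": 11.0},
    {"client": "C002", "type": "order", "side": "buy", "qty": 50, "price": 11.0},
]


def network_of(ip):
    """Coarsen an address to its /24 (IPv4) or /64 (IPv6) network."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_baselines(events):
    """Per client: the networks seen at login and the median order value."""
    nets = defaultdict(set)
    values = defaultdict(list)
    for ev in events:
        if ev["type"] == "login":
            nets[ev["client"]].add(network_of(ev["ip"]))
        elif ev["type"] == "order":
            values[ev["client"]].append(ev["qty"] * ev["price"])
    return {
        "nets": dict(nets),
        "median_value": {c: median(v) for c, v in values.items()},
    }


def detect(events, baselines, size_factor=5.0):
    """Return alerts for unfamiliar logins, oversized orders and orders placed
    in a session that began with an unfamiliar login (events chronological)."""
    alerts = []
    suspicious_session = set()  # clients whose latest login was from a new network
    for ev in events:
        c = ev["client"]
        if ev["type"] == "login":
            net = network_of(ev["ip"])
            if net in baselines["nets"].get(c, set()):
                suspicious_session.discard(c)
            else:
                # A client with no login baseline at all is also treated as unfamiliar.
                suspicious_session.add(c)
                alerts.append({"client": c, "kind": "login_unfamiliar_network",
                               "detail": f"login from {ev['ip']} ({net}) not in known networks"})
        elif ev["type"] == "order":
            value = ev["qty"] * ev["price"]
            typical = baselines["median_value"].get(c)
            if typical is not None and value > size_factor * typical:
                alerts.append({"client": c, "kind": "order_size_abnormal",
                               "detail": f"{ev['side']} value {value:.0f} exceeds "
                                         f"{size_factor}x typical {typical:.0f}"})
            if c in suspicious_session:
                alerts.append({"client": c, "kind": "order_after_unfamiliar_login",
                               "detail": f"{ev['side']} of {ev['qty']} placed in a session "
                                         "that began from an unfamiliar network"})
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_EVENTS, build_baselines(HISTORY)):
        print(a["client"], a["kind"], "-", a["detail"])
```

On the constructed data only client C002 raises alerts: the login from 192.0.2.99 is outside its known /24, the 20,000-share sell is more than five times its median order value, and both orders of that session are flagged because the session opened from an unfamiliar network. The median is used for the size baseline because it is not dragged upward by a single earlier large order; a production version would key sessions by a session identifier rather than by client and would pair these alerts with the out-of-band SMS confirmation listed under (iv).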

The SFC review has three components:

• surveying a mix of small to medium-sized brokers to assess relevant cybersecurity
features of brokers’ internet and mobile trading systems;
• onsite inspections of selected brokers for an in-depth review of their information
technology and other related management controls and an assessment of their
design and effectiveness in preventing and detecting cyber-attacks; and
• benchmarking the SFC’s regulatory requirements and market practice in Hong
Kong against other major financial services regulators and other relevant market
practices overseas and locally. The findings of the cyber-security review are
designed to assist the SFC’s policy formulation to improve overall resilience of the
markets.

62. MY SC Guidelines to Enhance Cyber resilience of Capital Mkt (Oct 2016)

Malaysia’s Securities Commission (SC) published in October 2016 new Guidelines on
Management of Cyber-risk to enhance cyber-resilience of the capital market by requiring
capital market entities to establish and implement effective governance measures to counter
cyber-risk and protect investors.

The Guidelines, among other requirements, clearly stipulate the roles and responsibilities
of the board and senior management in building cyber-resilience of a capital market entity.
The entity is required to identify a responsible person to be accountable for the effective
management of cyber-risk. The involvement of the board and senior management is
deemed important to ensure that the capital market entity puts adequate focus on cyber-risk
issues, determines risk tolerance and priorities, and allocates sufficient resources to cyber-
risk.

The Guidelines require regulated entities to have in place a risk management framework to
minimize cyber-threats, implement adequate measures to identify potential vulnerabilities
in their operating environment and ensure timely response and recovery in the event of a
cyber-breach.

Regulated entities are also required to report cyber-incidents to the SC to enhance the
industry’s awareness of, and preparedness in dealing with, cyber-risk. The reporting is to
provide a platform for the SC to collaborate with market entities and stakeholders to enhance
cyber-resilience on an ongoing basis.

These Guidelines are to be implemented in phases for entities based on, among others, size,
nature of activities, and market share.

63. APRA Information Paper: 2015/16 Cyber Security Survey Results (Sep 2016)

The Australian Prudential Regulation Authority’s (APRA) Information Paper reports on
the results of its 2015/16 Cyber Security Survey:

“As part of its activities to understand and assess industry preparedness for, and resilience
to, cyber attacks, APRA undertook a survey between October 2015 and March 2016 to
gather information on cyber security incidents and their management within APRA-
regulated sectors. Respondents to the survey included 37 regulated entities and four
significant service providers, covering all APRA-regulated industries, with the exception
of private health insurance…

The survey results, in conjunction with other supervisory information, confirm that APRA
regulated entities, not only the largest of these entities, need to operate on the assumption
that cyber attacks will occur and that such attacks will remain a constant challenge...”
(FSB-STi)

64. CSA Staff Notice on Cyber Security (Sep 2016)

The Canadian Securities Administrators (CSA – covering FMIs, trading venues, asset
managers, broker-dealers, and reporting issuers) issued a Staff Notice 11-332: Cyber
Security, updating a previous Staff Notice: “Since the 2013 Notice, the cyber security
landscape has evolved considerably, as cyber attacks have become more frequent,
complex and costly for organizations. Accordingly, the CSA is publishing this Notice on
cyber security in order to:

• further highlight the importance of cyber risks for Market Participants;
• inform stakeholders about recent and upcoming CSA initiatives;
• reference existing standards and work published, including work published by the
Investment Industry Regulatory Organization of Canada (IIROC), the Mutual
Fund Dealers Association of Canada (MFDA) and international regulatory
authorities and standard-setting bodies;
• communicate general expectations for Market Participants with respect to their
cyber security frameworks; and
• examine ways to coordinate communication and information sharing between
regulators and Market Participants.” (FSB-STi)

65. IE CB Cross Industry Guidance on IT and Cybersecurity Risks (Sept 2016)

The Central Bank of Ireland issued in September 2016 a Guidance on IT and cybersecurity
governance and risk management for financial services firms.

The document sets out the Central Bank’s observations from supervisory work in this area
and outlines guidance reflecting “the current thinking as to good practices that regulated
firms should use to inform the development of effective IT and cybersecurity governance
and risk management frameworks.”

Boards and Senior Management of regulated firms are expected to fully recognize their
responsibilities for these issues and to put them among their top priorities. The guidance
lists Central Bank expectations on key issues such as alignment of IT and business strategy,
outsourcing risk, change management, cyber-security, incident response, disaster recovery
and business continuity.


66. India Non-Banking Financial Company - Account Aggregators (Sep 2016)

The Reserve Bank of India issued final Directions providing a framework for the
registration and operation of “Account Aggregators” in India, requiring these operators to
register with and be regulated by the RBI. The Directions define “Account Aggregators” as
non-banking financial companies that collect and provide information on a customer’s
financial assets, in a consolidated, organized and retrievable manner, to the customer or any
other person as instructed by the customer. They prohibit Account Aggregators from
conducting any business other than aggregation (handling transactions for customers, for
example), and clearly set out Data Security requirements, including a prohibition on
requesting or storing customer credentials.

67. ENISA Strategies for Incident Response & Cyber Crisis Coop. (Aug 2016)

This document from the European Union Agency for Network and Information Security
(ENISA) is an input for the Network and Information Security (NIS) Platform for the
discussion on incident response and cyber crisis coordination (by “WG2” – see below). It
briefly introduces what incident response is, who the main actors are, what baseline
capabilities these entities should possess in order to effectively combat cyberattacks, and
what challenges there may be that impede efficiency in incident response. The notion of
Computer Security Incident Response Teams (CSIRTs) as key players in incident response
is introduced. Descriptions of incident response mechanisms will be elaborated, taking into
account national-level cybersecurity strategies, cyber crisis coordination and management
covering both escalation and communication between CSIRTs and government bodies.

As part of the implementation of the cybersecurity Strategy of the EU, the NIS Platform
was created in 2013 to help European stakeholders carry out appropriate risk management,
establish good cybersecurity policies and processes and further adopt standards and
solutions that will improve the ability to create safer market conditions for the EU.

The expert work of the components of the NIS Platform was divided into Working Groups
(WGs), all dealing with their special field of expertise in cybersecurity:

• WG1 on risk management, including information assurance, risk metrics and
awareness raising;
• WG2 on information exchange and incident coordination, including incident
reporting and risks metrics for the purpose of information exchange;
• WG3 on secure ICT research and innovation.

Ongoing work by the WGs is a series of chapters to be adopted by the NIS Platform. The
chapters foreseen by the three WGs are:

1. Organizational structures and requirements;
2. Verification and auditing of requirements;
3. Voluntary information sharing;
4. Incident response;
5. Mandatory incident notification;
6. Data protection;
7. (Optional) Incentives for the uptake of good cybersecurity practices;
8. (Optional) Recommendations on research challenges and opportunities.

68. MAS Guidelines on Outsourcing (Jul 2016)

The Monetary Authority of Singapore (MAS) states “[t]hese Guidelines provide guidance
on sound practices on risk management of outsourcing arrangements... An institution
should ensure that outsourced services (whether provided by a service provider or its sub-
contractor) continue to be managed as if the services were still managed by the
institution.”
After describing an institution’s expected engagement with MAS on outsourcing,
including notification to MAS of adverse developments, the Guideline goes through the
following areas of risk management practices which institutions are obliged to implement:
Responsibility of the Board and Senior Management; Evaluation of Risks; Assessment of
Service Providers; Outsourcing Agreement; Confidentiality and Security; Business
Continuity Management; Monitoring and Control of Outsourcing Arrangements; Audit
and Inspection; Outsourcing Outside Singapore; Outsourcing with a Group; and
Outsourcing of Internal Audit to External Auditors.
The Guideline ends with a separate section on Cloud Computing/Service (CS), that “MAS
considers CS operated by service providers as a form of outsourcing… The types of risks
in CS that confront institutions are not distinct from that of other forms of outsourcing
arrangements. Institutions should perform the necessary due diligence and apply sound
governance and risk management practices articulated in this set of guidelines when
subscribing to CS….”
Its Annexes include a non-exhaustive list of examples of outsourcing arrangements to
which the guidelines do and do not apply, guidance on assessing the materiality of an
outsourcing arrangement, and a template for a register of an institution’s outsourced
entities, to be maintained for submission to MAS at least annually or upon request.
The Guideline’s audit and inspection section specifies that “An institution’s outsourcing
arrangements should not interfere with the ability of the institution to effectively manage
its business activities or impede MAS in carrying out its supervisory functions and
objectives.” This specifically requires not only that outsourcing agreements include
clauses that “allow the institution to conduct audits on the service provider and
its subcontractors, whether by its internal or external auditors, or by agents appointed by
the institution; and to obtain copies of any report and finding made on the service provider
and its sub-contractors,” but also clauses that “allow MAS, or any agent appointed by
MAS, where necessary or expedient, to exercise the contractual rights of the institution
to: (i) access and inspect the service provider and its sub-contractors, and obtain records
and documents, of transactions, and information of the institution given to, stored at or
processed by the service provider and its sub-contractors; and (ii) access any report and
finding made on the service provider and its sub-contractors, whether produced by the
service provider’s and its sub-contractors’ internal or external auditors, or by agents
appointed by the service provider and its sub-contractors, in relation to the outsourcing
arrangement.”


69. EU Directive on Security of Network and Information Systems (Jul 2016)

This EU Directive on security of network and information systems sets out security
obligations for operators of essential services, including those in the banking and financial
sectors, and for digital service providers, such as online marketplaces, search engines and
cloud services.

Member States will be required to designate a national authority for dealing with cyber-
threats and to develop a national cyber-strategy among others.

I. General Provisions: “... describes the goals of the Directive, and its legislative
environment. It also gives formal definitions to terms that appear in the text.”

II. National Frameworks on the security of Network and Information Systems: “... lists
the different entities and legislative frameworks that each Member State will have to set
up in order to comply with the Directive. Each MS needs to adopt a national NIS strategy;
designate one or more national competent authorities, as well as a single point of contact
for cross-border cooperation; and set up at least one Computer Security Incident Response
Team (CSIRT). These teams need to cover certain sectors and services.”

III. Cooperation: “... defines two groups meant to improve NIS-related cooperation
between MS. The first is the Cooperation Network, composed of representatives of MS,
the Commission, and ENISA. This group is meant to focus on strategic issues. The second
group is the CSIRT Network, composed of representatives of MS’ CSIRT and CERT-EU,
with the Commission as observer and ENISA as Secretary and active support.”

IV. Security of the Network and Information Systems of Operators of Essential Ser-
vices: “... defines security requirements for and duties of operators of essential services.
These services are described in Annex 2 of the Directive.”

V. Security of the Network and Information Systems of Digital Service Providers: “...
defines security requirements for and duties of digital service providers. These providers
are described in Annex 3 of the Directive”

VI. Standardization and Voluntary Notification: “...encourages the use of EU or
international standards” and discusses handling of voluntary notifications.

VII. Final Provisions: “... covers all other aspects, like the details of the timeline for
transposition of the Directive, or penalties”

The Directive entered into force on 8 August 2016 and needs to be transposed by 9 May
2018.

70. IDRBT Cyber Security Checklist (Jul 2016)

The Institute for Development and Research in Banking Technology (IDRBT, established by
the Reserve Bank of India) published a Cyber Security Checklist.


Developed after an annual retreat of heads of public sector banks and officials of the RBI, the
checklist was completed by an IDRBT group with members from banks, industry and
academia, to "help banks in identifying any gaps in cybersecurity systems", "help board
level subcommittees on risk management and information security on monitoring the
cyber defence preparedness of banks", and "likely to help banks preparing the cyber
security framework as required by the RBI Circular dated 2 Jun 2016."

The Checklist is organized into sections: 1) Enterprise Control; 2) IT Infrastructure
Security; 3) Endpoint Security: Hardening (Desktops; Mobiles; Tablets); 4) Security
Monitoring; and 5) Outsourcing Security (Optional). (FSB-STi)

71. RBI Circular to Establish Cyber Security Framework in Banks (Jun 2016)

The Reserve Bank of India (RBI) published a Circular outlining an urgent need to put in
place a robust cyber security/resilience framework at banks and to ensure adequate cyber-
security preparedness among banks on a continuous basis.

In it, RBI requires "Banks should immediately put in place a cyber-security policy
elucidating the strategy containing an appropriate approach to combat cyber threats given
the level of complexity of business and acceptable levels of risk, duly approved by their
board" to be confirmed in three months' time to RBI's Cyber Security and Information
Technology Examination (CSITE) Cell of Department of Banking Supervision.

Further, it states that Cyber Security Policy should be distinct and separate from the
broader IT policy / IS Security policy of a bank.

It mandates that a SOC (Security Operations Centre) be set up at the earliest, if not done
already, so it "ensures continuous surveillance and keeps itself regularly updated on the
latest nature of emerging cyber threats." An indicative configuration of a SOC "to monitor
and manage cyber risks in real time" is given in Annex 2.

It requires that the IT architecture be reviewed by the IT Sub Committee of the Board and
upgraded as necessary, and provides an indicative "minimum baseline cyber security and
resilience framework to be implemented by the banks" in Annex 1.

"A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should
be a part of the overall Board approved strategy. Considering the fact that cyber-risk is
different from many other risks, the traditional BCP/DR arrangements may not be
adequate and hence needs to be revisited keeping in view the nuances of the cyber-risk...
CCMP should address the following four aspects: (i) Detection (ii) Response (iii)
Recovery and (iv) Containment."

It urges banks to comprehensively address network and database security, ensure
protection of customer information, review organisational arrangements with a view to
security, and to develop Cyber security preparedness indicators used for comprehensive
testing through independent compliance checks and audits carried out by qualified and
competent professionals.

"It is reiterated that banks need to report all unusual cybersecurity incidents (whether they
were successful or were attempts which did not fructify) to the Reserve Bank. Banks are
also encouraged to actively participate in the activities of their CISOs’ Forum coordinated
by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of
Risks and Threats (IB-CART) set up by IDRBT."

It provides a cyber-incident reporting template (Annex 3) and announces that "it has been
decided to collect both summary level information as well as details on information
security incidents including cyber-incidents. Banks are required to report promptly the
incidents".

Further, an immediate assessment of gaps in preparedness is to be reported to the RBI.

Banks are required to take suitable steps in building awareness about the potential impact
of cyber-attacks among customers, employees, partners and vendors, and also to urgently
bring the Board of Directors and Top Management in banks up to speed on cyber-security
related aspects. (FSB-STi)

72. CPMI-IOSCO Guidance on cybersecurity (Jun 2016)

The Committee on Payments and Market Infrastructures (CPMI) and the International
Organization of Securities Commissions (IOSCO) have published a Guidance on cyber-
security which highlights the following points:

• Sound cyber-governance is key. Board and senior management attention is critical
to a successful cyber-resilience strategy;
• The ability to resume operations quickly and safely after a successful cyberattack
is paramount;
• Financial Market Infrastructures (FMI) should make use of good-quality threat
intelligence and rigorous testing;
• FMIs should aim to instill a culture of cyber-risk awareness and demonstrate
ongoing re-evaluation and improvement of their cyber-resilience at every level
within the organization; and
• Cyber-resilience cannot be achieved by an FMI alone; it is a collective endeavor of
the whole ecosystem.

73. HKMA Circular Security controls related to Internet banking services (May
2016)

The Hong Kong Monetary Authority (HKMA), making reference to reports by banks
regarding security breaches in April, published a circular detailing additional ways
authorised institutions providing Internet banking services should "enhance their fraud
monitoring mechanisms so as to keep up with new and emerging threats and fraudulent
schemes." (FSB-STi)


74. Report on IOSCO’s Cyber Risk Coordination Efforts (Apr 2016)

The International Organization of Securities Commissions (IOSCO)’s report covers the main
regulatory issues and challenges related to cyber security for relevant segments of securities
markets. For IOSCO member organizations, the report provides an overview of some of
the different regulatory approaches related to cybersecurity that IOSCO members have
implemented thus far, to serve as reference of potential tools available to regulators as they
consider appropriate policy responses. For market participants, the report outlines various
plans and measures participants have put in place to enhance cyber security in terms of
identification, protection, detection, response and recovery.

The report results from a board-level coordination effort led by the Quebec AMF
(Autorité des marchés financiers) with assistance of the China Securities Regulatory
Commission and the Monetary Authority of Singapore, bringing together the contribution
of relevant IOSCO Policy committees and related stakeholders.

75. Australia’s Cyber Security Strategy (Apr 2016)

Australia’s Cyber Security Strategy lays out initiatives under five themes for action by the
Government to improve cyber security, up to the year 2020: 1) A national cyber
partnership; 2) Strong cyber defenses; 3) Global responsibility and influence; 4) Growth
and innovation; and 5) A cyber smart nation.

The initiatives are intended to be reviewed and updated annually, while the Strategy
document itself will be updated every four years. (FSB-STi)

76. EU General Data Protection Regulation (Apr 2016)

The EU General Data Protection Regulation, GDPR, was set into place in April 2016 and
will come into force in May 2018. The new EU Regulation repeals the Data Protection
Directive of 1995 and replaces local laws for data protection, bringing a single standard
among all EU member states.

Some important highlights of the regulation include the following issues of scope: 1)
responsibility for data protection, including demonstration of compliance (accountability
principle), now extends to the data processor and not just the data controller (i.e. a supervisor
can supervise processors directly as well); 2) the scope of the law follows the data – GDPR is
applicable to entities outside the EU if they are servicing EU member states; 3) it covers
not just direct personal data but any derived data that, either by itself or in combination
with other data, can be traced back to an individual.

Other important matters are:

• Data portability and “Right to be Forgotten” – individual’s right to their own data
and to have it be transported or deleted if certain conditions are met.
• Elevation of importance of data protection through imposing principles of “data
protection by design” and “data protection by default.”
• Required maintenance of a record of all processing activities
• Data breach notification to the supervisory authority within 72 hours (and to the
individuals in cases of high risk) unless it can “demonstrate that the breach is
unlikely to result in a risk to the rights and freedoms of natural persons.”
• Security measures, such as encryption and pseudonymisation, to be taken based on
risks for the individuals’ data compromise.
• Responsibility of carrying out Data Protection Impact Assessments to “evaluate, in
particular, the origin, nature, particularity and severity” of risk of data compromise,
to then take commensurate steps to mitigate, or report to the supervisory authority
prior to processing.
• Explicit details on administrative fines (except in Denmark and Estonia where the legal
system prohibits them) setting maximum figures based on categories.

77. ASIC - Cyber resilience assessment report: ASX Group and Chi-X Australia Pty
Ltd (Mar 2016)

This report by the Australian Securities & Investment Commission (ASIC) presents the
findings of the cyber resilience assessments of ASX Group and Chi-X Australia Pty Ltd.
It also provides some examples of emerging good practices implemented by a wider
sample of organisations operating in the Australian financial sector. (FSB-STi)

78. ISO/IEC - IT, Security Techniques, InfoSec Management Systems (Feb 2016)

The International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) maintain an expert committee dedicated to the
development of international management systems standards for information security,
otherwise known as the Information Security Management System (ISMS) family of
standards. Using the ISMS family of standards, organizations can develop and implement
a framework for managing the security of their information assets including financial
information, intellectual property, and employee details, or information entrusted to them
by customers or third parties. These standards can also be used to prepare for an
independent assessment of their ISMS applied to the protection of information. The ISMS
family consists of the following International Standards:

• ISO/IEC 27000, Information security management systems - Overview and vocabulary
• ISO/IEC 27001, Information security management systems - Requirements
• ISO/IEC 27002, Code of practice for information security controls
• ISO/IEC 27003, Information security management system implementation guidance
• ISO/IEC 27004, Information security management - Measurement
• ISO/IEC 27005, Information security risk management
• ISO/IEC 27006, Requirements for bodies providing audit and certification of
information security management systems
• ISO/IEC 27007, Guidelines for information security management systems auditing
• ISO/IEC TR 27008, Guidelines for auditors on information security controls
• ISO/IEC 27009, Sector-specific application of ISO/IEC 27001 - Requirements
• ISO/IEC 27010, Information security management for inter-sector and
interorganizational communications
• ISO/IEC 27011, Information security management guidelines for
telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and
ISO/IEC 20000-1
• ISO/IEC 27014, Governance of information security
• ISO/IEC TR 27015, Information security management guidelines for financial
services
• ISO/IEC TR 27016, Information security management - Organizational economics
• ISO/IEC 27017, Code of practice for information security controls based on
ISO/IEC 27002 for cloud services
• ISO/IEC 27018, Code of practice for protection of personally identifiable
information (PII) in public clouds acting as PII processors
• ISO/IEC 27019, Information security management guidelines based on ISO/IEC
27002 for process control systems specific to the energy utility industry

79. EU Payment Services Directive 2 (Jan 2016)

The Directive (PSD2), which revises the PSD adopted in 2007, “provides legal foundation for
further development of a better integrated internal market for electronic payments within
the EU”. It takes into account new market entrants offering services, specifically “account
information services” (which allow a payment service user to have an overview of their
financial situation at any time) and “payment initiation services” (which allow consumers
to pay via credit transfer from accounts without intermediaries).

This is made possible as banks will be required to open up customer data via a standard set
of Application Programming Interfaces (APIs). It enhances consumer rights, including
removal of surcharges for use of credit or debit cards, reduced liability for non-authorized
payments, and an unconditional refund right for euro direct debits. It enhances the role of the
EBA to develop a public central register of authorized payment institutions updated by
national authorities, to resolve disputes between national authorities, to develop regulatory
technical standards on strong customer authentication and secure communication channels
for all payment service providers, and to develop cooperation and information exchange
between the supervisory authorities.

Countries are to incorporate it into national laws by Jan 13, 2018.

80. South Africa National Cybersecurity Policy Framework (Dec 2015)

The South African Ministry of State Security published a National Cybersecurity Policy
Framework document, establishing the following:

"a) The development and implementation of a Government led, coherent and integrated
cybersecurity approach to address cybersecurity threats;

b) Establishing a dedicated policy, strategy and decision making body to be known as the
JCPS to identify and prioritise areas of intervention and focussed attention regarding
Cybersecurity related threats. The Cybersecurity Response Committee will be chaired by
the State Security Agency (SSA) and will be situated at the SSA;

c) The capability to effectively coordinate departmental resources in the achievement of
common Cybersecurity safety and security objectives (including the planning, response
coordination and monitoring and evaluation);

d) Fighting cybercrime effectively through the promotion of coordinated approaches and
planning and the creation of required staffing and infrastructure;

e) Coordination of the promotion of Cybersecurity measures by all role players (State,
public, private sector, and civil society and special interest groups) in relation to
Cybersecurity threats, through interaction with and in conjunction with the Hub (to be
established within the Department of Telecommunications and Postal Services);

f) Strengthening of intelligence collection, investigation, prosecution and judicial
processes, in respect of preventing and addressing cybercrime, cyber terrorism and cyber
warfare;

g) Ensuring of the protection of national critical information infrastructure;

h) The promotion of a Cybersecurity culture and compliance with minimum security
standards;

i) The establishment of public-private partnerships for national and action plans in line
with the NCPF; and

j) Ensuring a comprehensive legal framework governing cyberspace."

(FSB-STi)


81. France National Digital Security Strategy (Oct 2015)

The French government published a revised National Digital Security Strategy which set
out five objectives: 1) Fundamental interests, defence and security of State information
systems and critical infrastructures, major cybersecurity crisis; 2) Digital trust, privacy,
personal data, cybermalevolence; 3) Awareness raising, initial training, continuing
education; 4) Environment of digital technology businesses, industrial policy, export and
internationalization; and 5) Europe, digital strategic autonomy, cyberspace stability. (FSB-STi)

82. MAS Circular - Tech Risk and Cybersecurity Training for Board (Oct 2015)

The Monetary Authority of Singapore’s Circular No. SRD TR 03/2015 on Technology
Risk and Cyber Security Training for Board establishes that the board of directors and the
senior management of a financial institution are responsible for the oversight of technology
risks and cyber security. The Board needs to endorse the organization’s IT strategy and risk
tolerance, and ensure that management focus, expertise and resources are brought to bear.
The board also needs to ensure an appropriate accountability structure and organizational
risk culture is in place to support effective implementation of the organization’s cyber
resilience program. MAS expects the Board to be regularly apprised on salient technology
and cyber risk developments, and the financial institution should have a comprehensive
technology risk and cybersecurity training program for the Board.

83. HKMA Supervisory Policy Manual, Risk Management of E-banking (Sep 2015)

The Hong Kong Monetary Authority (HKMA) released a guidance note for authorized
institutions, a Supervisory Policy Manual titled "Risk Management for E-banking", defined
as "financial services (which could be transactional, enquiry or payment services)
provided to personal or business customers and delivered over the Internet, wireless
networks, automatic teller machines (ATMs), fixed telephone networks or other electronic
terminals or devices." Specifically referenced are (i) Internet banking; (ii) contactless
mobile payments; (iii) financial services delivered through self-service terminals; and (iv)
phone banking.

It provides guidance in the following sections: Major risks inherent in e-banking; Risk
governance of e-banking; Customer security; System and network security for Internet
banking; Controls related to services offered via Internet banking or the Internet; Security
controls in respect of specific e-banking channels; Fraud and incident management; and
System availability and business continuity management. (FSB-STi)

84. Japan’s National Center of Incident Readiness and Strategy for Cybersecurity
(Sep 2015)

The Japanese government published a Cybersecurity Strategy document under the care of
the National Center of Incident Readiness and Strategy for Cybersecurity formulated
pursuant to the Basic Act that prescribes the Government’s responsibility to establish the
Cybersecurity Strategy. The strategy outlines the basic directions of Japan’s
cybersecurity policies for the coming three years approximately “…to ensure a free, fair,
and secure cyberspace; and subsequently contribute to improving socio-economic vitality
and sustainable development, building a society where people can live safe and secure
lives, and ensuring peace and stability of the international community and national
security.”

The National Center of Incident Readiness and Strategy for Cybersecurity conducts a
cross-sectoral cybersecurity exercise for 13 critical infrastructures, including the financial
sector. (FSB-STi)

85. MAS Circular on Early Detection of Cyber Intrusions (Aug 2015)

The Monetary Authority of Singapore’s Circular No. SRD TR 01/2015 requires that
financial institutions not only secure their perimeters from a potential breach, but also have
robust capabilities to promptly detect any cyber intrusions so as to enable swift containment
and recovery. It considers important that financial institutions maintain a keen sense of
situational awareness by continuously enhancing their technical and internal control
processes to monitor and detect intrusions in their networks, systems, servers, network
devices and endpoints.

86. SEBI Cyber Security and Cyber Resilience framework of Stock Exchanges,
Clearing Corporation and Depositories (Jul 2015)

Securities and Exchange Board of India (SEBI) published a framework regarding cyber
security and cyber resilience that Market Infrastructure Institutions would be required to
comply with in six months' time. The document specifies that "Cyber security framework
include measures, tools and processes that are intended to prevent cyber attacks and
improve cyber resilience. Cyber Resilience is an organisation’s ability to prepare and
respond to a cyber attack and to continue operation during, and recover from, a cyber
attack." The Framework content is organized in the following sections: 1) Governance;
2) Identify; 3) Protection; 4) Monitoring and Detection; 5) Response and Recovery; 6)
Sharing of Information; 7) Training; and 8) Periodic Audit. (FSB-STi)

87. JFSA Policy Approaches to Strengthen Cyber Security in the Financial Sector
(Jul 2015)

The Japanese Financial Services Agency (JFSA) published policy approaches that address
cybersecurity for the financial sector in July 2015. The JFSA has been conducting the
supervision and inspection regarding cyber security management as a part of system risk
control. Given that the threat of cyber attacks is a significant risk for the stability of the
financial system, it is necessary to enhance the resilience of the financial system by
strengthening the cyber security of not only each financial institution but the financial
industry as a whole.

The JFSA will address the five policies below to contribute to strengthening cyber
security in the financial sector from the financial regulator’s perspective:

1. Constructive dialogue with financial institutions and grasp of their current
condition regarding cyber security
2. Improvement of the information sharing framework among financial institutions
3. Continuous implementation of industry-wide cyber security exercises
4. Cybersecurity human resource development in financial sector
5. Arrangement of cyber security initiatives in the JFSA

In addition, the JFSA conducted industry-wide exercises for the first time in October
2016. A year later, the JFSA conducted a more inclusive industry-wide exercise (Delta
Wall II) to upgrade the capability of small and medium-sized financial institutions and to
encourage large financial institutions to utilize more sophisticated evaluation methods to
further improve their capability to address cyber security risks. (FSB-STi)

88. APRA Information Paper: Outsourcing involving Shared Computing Services
(including Cloud) (Jul 2015)

Australian Prudential Regulation Authority (APRA) released an Information Paper
focusing on ‘shared computing services’ (arrangements involving the sharing of IT assets
with other parties, whether labelled cloud or otherwise) with the following introduction:

“…Prudential Standard CPS 231 Outsourcing (CPS 231) and Prudential Standard SPS
231 Outsourcing (SPS 231) include requirements relating to the risk management of
outsourcing arrangements. In November 2010, APRA wrote to all regulated entities
highlighting key prudential concerns that should be addressed when outsourcing includes
the use of cloud computing services. More recently, APRA has observed an increase in
the volume, materiality and complexity of outsourcing arrangements involving shared
computing services (including cloud) submitted to APRA under the consultation and
notification requirements of CPS 231 and SPS 231. APRA’s review of these arrangements
has identified some areas of weakness, reflecting risk management and mitigation
techniques that are yet to fully mature in this area. Further guidance may therefore be
beneficial.

This Information Paper outlines prudential considerations and key principles that could
be considered when contemplating the use of shared computing services. This Information
Paper is relevant for a broad audience including senior management, risk management,
technical specialists and Internal Audit. Finally, APRA has a number of existing
prudential standards and practice guides that are pertinent to shared computing services.
This Information Paper applies the concepts included in those standards and guides…”
(FSB-STi)

89. UK FCA/PRA Senior Managers and Certification Regime (Jul 2015)

The UK Financial Conduct Authority (FCA)/ Prudential Regulation Authority (PRA)
published final rules for a new regulatory framework “Senior Managers and Certification
Regime (SMR)”, which replaced the Approved Persons Regime (APR) for banks, building
societies, credit unions and dual-regulated (FCA and PRA regulated) investment firms,
effective March 2016:

“While the Senior Managers Regime will ensure that senior managers can be held
accountable for any misconduct that falls within their areas of responsibilities, the new
Certification Regime and Conduct Rules aim to hold individuals working at all levels in
banking to appropriate standards of conduct ...

• The Senior Managers Regime focuses on individuals who hold key roles and
responsibilities in relevant firms. Preparations for the new regime will involve
allocating and mapping out responsibilities and preparing Statements of
Responsibilities for individuals carrying out Senior Management Functions
(SMFs). While individuals who fall under this regime will continue to be
preapproved by regulators, firms will also be legally required to ensure that they
have procedures in place to assess their fitness and propriety before applying for
approval and at least annually afterwards.

• The Certification Regime applies to other staff who could pose a risk of significant
harm to the firm or any of its customers (for example, staff who give investment
advice or submit to benchmarks). These staff will not be preapproved by regulators
and firms’ preparations will need to include putting in place procedures for
assessing for themselves the fitness and propriety of staff, for which they will be
accountable to the regulators. These preparations will be important not only when
recruiting for roles that come under the Certification Regime but when reassessing
each year the fitness and propriety of staff who are subject to the regime.

• The Conduct Rules set out a basic standard for behavior that all those covered by
the new regimes will be expected to meet. Firms’ preparations will need to include
ensuring that staff who will be subject to the new rules are aware of the conduct
rules and how they apply to them. Individuals subject to either the SMR or the
Certification Regime will be subject to Conduct Rules from the commencement of
the new regime on 7th March 2016, while firms will have a year after
commencement to prepare for the wider application of the Conduct Rules to other
staff.”

90. SFC Circular to all Licensed Corporations on Internet Trading (Jun 2015)

Hong Kong Securities and Futures Commission (SFC) launched a self-assessment
checklist (MS Excel based) on its website for Licensed Companies (LCs) with internet
trading. The Circular explains:

"The Checklist provides guidance for [Licensed Companies (LCs)] to conduct regular
self-assessment of their internet trading systems, network infrastructure, related policies,
procedures and practices in order to identify areas that require improvement and, where
needed, enhance the same so to ensure compliance with the relevant electronic trading
requirements.

Given the potential impact to investors and to market integrity, LCs providing internet
trading services to clients are expected to closely monitor the integrity, reliability, security
and capacity of the internet trading systems and maintain sufficient resources to cope with
any increase in business volume transacted through their internet trading systems. LCs
are also expected to complete the Checklist as part of their regular review of their internet
trading systems and rectify deficiencies (if any) as soon as practicable." (FSB-STi)

91. SEC Investment Management Guidance Update on Cybersecurity Guidance
(Apr 2015)

The U.S. Securities and Exchange Commission (SEC) issued a guidance note on
cybersecurity: "Registered investment companies (“funds”) and registered investment
advisers (“advisers”) may wish to consider in addressing cybersecurity risk, including the
following, to the extent they are relevant:

Conduct a periodic assessment of: (1) the nature, sensitivity and location of information
that the firm collects, processes and/or stores, and the technology systems it uses; (2)
internal and external cybersecurity threats to and vulnerabilities of the firm’s information
and technology systems; (3) security controls and processes currently in place; (4) the
impact should the information or technology systems become compromised; and (5) the
effectiveness of the governance structure for the management of cybersecurity risk. An
effective assessment would assist in identifying potential cybersecurity threats and
vulnerabilities so as to better prioritize and mitigate risk.

Create a strategy that is designed to prevent, detect and respond to cybersecurity threats.
Such a strategy could include: (1) controlling access to various systems and data via
management of user credentials, authentication and authorization methods, firewalls
and/or perimeter defenses, tiered access to sensitive information and network resources,
network segregation, and system hardening; (2) data encryption; (3) protecting against the
loss or exfiltration of sensitive data by restricting the use of removable storage media and
deploying software that monitors technology systems for unauthorized intrusions, the loss
or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and
(5) the development of an incident response plan. Routine testing of strategies could also
enhance the effectiveness of any strategy.

Implement the strategy through written policies and procedures and training that provide
guidance to officers and employees concerning applicable threats and measures to
prevent, detect and respond to such threats, and that monitor compliance with
cybersecurity policies and procedures. Firms may also wish to educate investors and
clients about how to reduce their exposure to cyber security threats concerning their
accounts.” (FSB-STi)

92. Central Bank of Israel Directive on Cyber-Defense Management (Mar 2015)

The Central Bank of Israel issued a Directive on Cyber-Defense Management. This
Directive contains regulatory provisions of the Banking Supervision Department’s
requirements and expectations regarding the management of cyber defense. The Directive
prescribes a structured but flexible framework for cyber-risk management, while allowing
the banking corporation to exercise discretion in its implementation. This form of
regulatory approach is intended to enable the banking corporation to adapt its defense
system in a dynamic manner to the changing cyber-threat landscape. Therefore, the
Directive defines principles for cyber-defense, rather than specifying a strict “list of
controls”. The expectation is that the banking corporation shall adopt these principles while
establishing a cyber-defense array in accordance with the scope and the nature of its
business activity, and its risk profile.

93. ASIC’s Report on Cyber Resilience (Mar 2015)

The Australian Securities & Investment Commission’s (ASIC) report “Cyber resilience:
health check” is intended to help regulated entities improve their cyber resilience by
increasing awareness of cyber risks, encouraging collaboration between industry and
government, and identifying opportunities to improve cyber resilience. It also aims to
identify how cyber risks should be addressed as part of current legal and compliance
obligations relevant to ASIC’s jurisdiction.

94. EBA Guidelines on Security of Internet Payments (Dec 2014)

The European Banking Authority (EBA)’s Guidelines on Security of Internet Payments
were published, with implementation date 1 August 2015. The implementation of any
potentially more stringent requirements necessary under the Payment Services Directive 2
(PSD 2) was intended to occur at a later stage, by the date set in the PSD 2.

The Guidelines encompass the following:

1. General control and security environment: Governance; Risk Assessment; Incident
Monitoring and Reporting; Risk Control and Mitigation; and Traceability.
2. Specific control and security measures for internet payments: Initial customer
identification, information; Strong customer authentication; Enrolment for, and
provision of, authentication tools and/or software delivered to the customer;
Log-in attempts, session time out, validity of authentication; Transaction monitoring;
and Protection of sensitive payment data.
3. Customer awareness, education, and communication including Notifications,
setting of limits; and Customer access to information on the status of payment
initiation and execution.

95. Japan’s Basic Act on Cybersecurity (Nov 2014)

Japan adopted the Basic Act on Cybersecurity in November 2014. The purpose of this Act
is to promote cybersecurity, given the intensification of threats on a worldwide scale, and
the need to ensure the free flow of. In addition to requiring the national and local
governments to take measures to boost cybersecurity, the law obligates businesses related
to infrastructure and cyber-businesses to take voluntary measures to enhance
cybersecurity and cooperate with the government on implementation of relevant
measures. The government provides support for cybersecurity measures for infrastructure
businesses.

The Cybersecurity Strategic Headquarters are established under the Cabinet. “The
promotion of the Cybersecurity policy must be required to be carried out in consideration
of the basic principles of the Basic Act on the Formation of an Advanced Information and
Telecommunications Network Society.” (FSB-STi)

96. CODISE publishes new Guide (May 2014)

Italy's CODISE (the acronym comes from the Italian “continuità di servizio”, business
continuity), created in 2003, is responsible for crisis management coordination in the
Italian financial marketplace. It is chaired by the Banca d'Italia and includes
representatives of the Italian Securities Commission (CONSOB) and the systemically
important financial institutions.

CODISE's objectives, its roles, responsibilities and activities are described in the newly
published guide. "It serves the purpose to facilitate the exchange of information, the
adoption of the necessary measures to deal with events that may put at risk the system
business continuity, the smooth functioning of financial infrastructures and the public
confidence in money. Interventions are defined according to the type of event, its extent
and its potential impacts on the financial system.

CODISE plans and executes simulations to check the adequacy of its procedures, while
allowing participants to test their internal procedures for business continuity management.

It is also a forum for analysis and discussion among its participants on the evolution of
business continuity threats, risk prevention and control measures including cyber
security." (FSB-STi)

97. Russian banking system standard on information security maintenance (Apr 2014)

Bank of Russia published a standard on information security maintenance for Russian
banking system organisations. "The main aims of the standardisation of information
security maintenance in Russian banking system organisations include:

• To develop and strengthen the Russian banking system;
• To increase confidence in the Russian banking system;
• To maintain the stability of Russian banking system organisations and thereby the
stability of the Russian banking system as a whole;
• To achieve adequacy of protective measures to actual information security threats;
• To prevent and/or reduce damage from information security incidents.

The main objectives of standardisation for information security provision for Russian
banking system organisations include:

• To establish uniform requirements for information security maintenance in
Russian banking system organisations;
• To improve the effectiveness of information security maintenance and support
measures in Russian banking system organisations.” (FSB-STi)

98. MAS Notice on Technology Risk Management (Mar 2014)

Notice CMG-N02 of the Monetary Authority of Singapore (MAS) requires regulated
financial institutions to: a) make all reasonable effort to maintain high availability for
critical systems; b) establish a recovery time objective of not more than 4 hours for each
critical system; c) notify the Authority as soon as possible, but not later than 1 hour, upon
the discovery of a relevant incident; d) submit within 14 days a root cause and impact
analysis report to the Authority; and e) implement IT controls to protect customer
information from unauthorized access or disclosure.

This Notice applies to all: (a) approved exchanges; (b) licensed trade repositories; (c)
approved clearing houses; (d) recognized clearing houses which are incorporated in
Singapore; (e) holders of a capital markets services license; (f) recognized market
operators which are incorporated in Singapore; and (g) persons who are approved under
section 289 of the Act to act as a trustee of a collective investment scheme which is
authorized under section 286 of the Securities and Futures Act and constituted as a unit
trust.

99. Spain National Cyber Security Strategy (Dec 2013)

Spain published a National Cyber Security Strategy that establishes the guiding principles
of cybersecurity, namely:

• National leadership and the coordination of efforts;
• Shared responsibility;
• Proportionality, rationality and efficiency; and
• International cooperation.

The overall objective of the strategy is to ensure that “Spain makes secure use of
information and telecommunication systems, strengthening cyber attack prevention,
defence, detection, analysis, investigation, recovery and response capabilities.” To
achieve this, the strategy lays down specific objectives, action lines and establishes the
organizational structure under the direction of the Prime Minister. (FSB-STi)

100. Netherlands National Cyber Security Strategy (Oct 2013)

Building on the first Strategy (2011), which appointed the Cyber Security Council (which
provides requested and unrequested advice to the government, and also has as task
ensuring the performance of the National Cyber Security Strategy (NCSS)), the Dutch
Ministry of Security and Justice published its NCSS2.

The NCSS2 outlines the government's commitments, over the period into 2016, to the
following five strategic objectives, that the Netherlands: 1) is resilient to cyber attacks and
protects its vital interests in the digital domain; 2) tackles cyber crime; 3) invests in secure
ICT products and services that protect privacy; 4) builds coalitions for freedom, security
and peace in the digital domain; and 5) has sufficient cyber security knowledge and skills
and invests in ICT innovation.

The strategy includes strengthening of its National Cyber Security Centre (NCSC),
instituting “a stronger structure for confidential information-sharing and analysis.
Furthermore, the NCSC assumes the role of expert authority, providing advice to private
and public parties involved, both when asked and at its own initiative. Finally, based on
its own detection capability and its triage role in crises, the NCSC develops into Security
Operations Centre (SOC) in addition to its role as a Computer Emergency Response Team
(CERT)." (FSB-STi)

101. OSFI Cyber Security Self-Assessment Guidance (Oct 2013)

Canada’s Office of the Superintendent of Financial Institutions (OSFI – covering banks,
insurance companies, federally regulated trust and loan companies, and federally
regulated cooperative credit associations) published “the annexed cyber security
self-assessment guidance to assist federally regulated financial institutions (FRFIs) in their
self-assessment activities. FRFIs are encouraged to use this template or similar
assessment tools to assess their current level of preparedness, and to develop and maintain
effective cyber security practices.

OSFI does not currently plan to establish specific guidance for the control and
management of cyber risk. Notwithstanding, and in line with its enhanced focus on cyber
security as highlighted in its Plan and Priorities for 2013-2016, OSFI may request
institutions to complete the template or otherwise emphasize cyber security practices
during future supervisory assessments…

This self-assessment template sets out desirable properties and characteristics of cyber
security practices that could be considered by a FRFI when assessing the adequacy of its
cyber security framework and when planning enhancements to its framework.”

The assessment asks the institutions to rate their level of implementation ‘maturity’ in six
areas: 1. Organization and Resources; 2. Cyber Risk and Control Assessment; 3.
Situational Awareness; 4. Threat and Vulnerability Risk Management; 5. Cyber Security
Incident Management; and 6. Cyber Security Governance. (FSB-STi)

102. ASIC REGULATORY GUIDE 172: Australian market licences: Australian
operators (Sep 2013)

This guide by the Australian Securities & Investment Commission (ASIC) includes an
addendum on market licensee systems and controls from November 2012. “The guide
outlines [ASIC’s] role in and approach to financial market regulation under the
Corporations Act 2001. It deals with financial markets operating in Australia, with
particular focus on Australian operators…” (FSB-STi)

ASIC also has a report titled “Cyber Resilience: Health Check” of March 2015. ASIC has
under its jurisdiction FMIs, trading venues, banks, insurance companies, broker-dealers,
asset managers, and pension funds.

103. ACPR guidance: risks associated with cloud computing (Jul 2013)

The French Autorité de Contrôle Prudentiel et de Résolution (ACPR - Prudential
Supervisory Authority) published an analyses and syntheses paper on the risks associated
with cloud computing. Gathering information from banks and insurance companies
through a survey by the Secrétariat général de l’Autorité de contrôle prudentiel (SGACP
– General Secretariat of the Prudential Supervisory Authority), the analyses largely
pointed to a need to define cloud computing, that it posed a greater risk than conventional
IT outsourcing, and that there were varied opinions on the economic aspects and use of
cloud computing. Accordingly, ACPR noted: “These good practices form part of the
broader framework defined for the supervision of outsourced services, including
conventional outsourcing. The expectations of the ACP in terms of governance of
decisions, risk analysis, contractual elements, monitoring and the internal control of cloud
computing services are therefore similar to those currently in force in prudential
supervision.”

Specifically, ACPR noted the following areas in which it is “encouraging the companies it
supervises to take suitable risk management measures in respect of the following aspects:

- Legal: by enforcing a mandatory contractual framework for cloud computing
services;
- Technical: by encrypting data during transport and storage (in the absence of
anonymisation);
- Supervision of the service provider: by ensuring audit capability and the right for
the ACP to conduct audits;
- Continuity of the service: by ensuring that the expectations of the client company
can be formalised in service contracts;
- Reversibility of the service: by defining the conditions of reversibility when
subscribing to the service;
- Integration and architecture of information systems: by adapting the organisation
and governance of information systems to the use of cloud computing.” (FSB-STi)

104. MAS Technology Risk Management Guideline (Jun 2013)

The Monetary Authority of Singapore (MAS) published a Guideline to "set out risk
management principles and best practice standards to guide the FIs in the following: a.
Establishing a sound and robust technology risk management framework; b.
Strengthening system security, reliability, resiliency, and recoverability; and c. Deploying
strong authentication to protect customer data, transactions and systems." (FSB-STi)

The Guideline is organized into sections: 1) Oversight of technology risk by board of
directors and senior management; 2) Technology risk management framework; 3)
Management of IT outsourcing risks; 4) Acquisition and development of Information
Systems; 5) IT service management; 6) Systems reliability, availability and recoverability;
7) Operational infrastructure security management; 8) Data centres protection and
controls; 9) Access controls; 10) Online financial services; 11) Payment card security
(ATMs, credit and debit cards); and 12) IT Audit.

105. APRA Prudential Practice Guide CPG 234 – Management of Security Risk
in Information and Information Technology (May 2013)

Australian Prudential Regulation Authority (APRA)’s jurisdiction encompasses banks,
insurance companies, and pension funds. These prudential practice guides (PPGs) are not
requirements but “provide guidance on APRA’s view of sound practice in particular areas.
PPGs frequently discuss statutory requirements from legislation, regulations or APRA’s
prudential standards…”

This PPG aims to assist regulated institutions in the management of security risk in
information and information technology (IT). It is designed to provide guidance to senior
management, risk management and IT security specialists (management and operational).

The PPG targets areas where APRA continues to identify weaknesses as part of its
ongoing supervisory activities. The PPG does not seek to provide an all-encompassing
framework, or to replace or endorse existing industry standards and guidelines.

Subject to meeting APRA’s prudential requirements, regulated institutions have the
flexibility to manage security risk in IT in a manner best suited to achieving their business
objectives. Not all of the practices outlined in this prudential practice guide will be
relevant for every regulated institution and some aspects may vary depending upon the
size, complexity and risk profile of the institution” (FSB-STi).

106. PBOC Implementation guide for classified protection of information system
of financial industry (July 2012)

The People’s Bank of China issued an “Implementation guide for classified protection of
information system of financial industry” (part of unofficial English version) in July 2012.
It is meant for use by the departments of financial institution (including its affiliates), e.g.
system planning and development (service and technology), application development,
system operation, security management, system use, internal supervision and audit. It
also may serve as basis for supervision, inspection, and guidance for information security
functions. (FSB-STi)

107. World Bank - General Principles for Credit Reporting (Sep 2011)

World Bank Financial Infrastructure Series - General Principles for Credit Reporting
Abstract: “This report describes the nature of credit reporting elements which are crucial
for understanding credit reporting and to ensuring that credit reporting systems are safe,
efficient and reliable. It intends to provide an internationally agreed framework in the form
of international standards for credit reporting systems’ policy and oversight. The Principles
for credit reporting are deliberately expressed in a general way to ensure that they can be
useful in all countries and that they will be durable. These principles are not intended for
use as a blueprint for the design or operation of any specific system, but rather suggest the
key characteristics that should be satisfied by different systems and the infrastructure used
to support them to achieve a stated common purpose, namely expanded access and
coverage, fair conditions, and safe and efficient service for borrowers and lenders. Section
two provides a brief overview of the market for credit information sharing and credit
reporting activities and then analyzes in some detail the key considerations underlying
credit reporting. Section three outlines the general principles and related roles. Section four
proposes a framework for the effective oversight of credit reporting systems.”

108. BCBS Principles for the Sound Management of Operational Risk (Jun 2011)

Basel Committee on Banking Supervision (BCBS)’s Principles for the Sound Management
of Operational Risk and the Role of Supervision updates and replaces the 2003 Sound
Practices for the Management and Supervision of Operational Risk. This document
incorporates the evolution of sound practice and details eleven principles of sound
operational risk management covering (1) governance, (2) risk management environment
and (3) the role of disclosure.

It covers fundamental principles of operational risk management: first, for the Board of
Directors to establish a strong risk management culture, maintaining a framework for
operational risk management fully integrated into the bank’s overall risk management
processes. Under Governance, it details the role of Board of Directors and Senior
Management. Risk Management Environment section includes risk Identification and
Assessment, regular Monitoring and Reporting, strong Control and Mitigation practices.
The principles also speak to Business Resiliency and Continuity plans, as well as public
disclosures to allow stakeholders’ assessment of operational risk management.

Of relevance to cyber issues are the provisions on technology risk and outsourcing. Senior
management must ensure that staff responsible for managing operational risk coordinate and
communicate effectively with those responsible for outsourcing arrangements, and the
Control and Mitigation section requires an integrated approach to identifying, measuring,
monitoring and managing technology risks. Further, the document states that “the board and
senior management are responsible for understanding the operational risks associated with
outsourcing arrangements and ensuring that effective risk management policies and practices
are in place to manage the risk in outsourcing activities” and delineates the activities that
outsourcing policies and risk management should encompass.

109. FFIEC - Authentication in Internet Banking Environment, suppl. (Jun 2011)

The US FFIEC released a Supplement to its 2005 guidance, Authentication in an Internet
Banking Environment. “The Supplement reiterates and reinforces the expectations described
in the 2005 Guidance that financial institutions should perform periodic risk assessments
considering new and evolving threats to online accounts and adjust their customer
authentication, layered security, and other controls as appropriate in response to identified
risks. It establishes minimum control expectations for certain online banking activities and
identifies controls that are less effective in the current environment.
It also identifies certain specific minimum elements that should be part of an institution’s
customer awareness and education program.” “Financial institutions should use this
guidance when evaluating and implementing authentication systems and practices whether
they are provided internally or by a service provider. Although this guidance is focused on
the risks and risk management techniques associated with the Internet delivery channel, the
principles are applicable to all forms of electronic banking activities.”

Examiners were directed to formally assess institutions against these enhanced expectations
beginning in January 2012.

110. AICPA suite of SOC & Implementation Guidance (Apr 2010)

System and Organization Controls (SOC) is a suite of service offerings (independent audit
reports) that Certified Public Accountants may provide in connection with the system-level
controls of a service organization or the entity-level controls of other organizations. They are
independent attestations of an organization’s operating environment and, like ISO
certifications, form a well-recognized audit regime that covers both financial reporting and
security aspects.

The SOC report series includes:

• SOC 1: Reporting on Controls at a Service Organization;
• SOC 2: Reporting on Controls at a Service Organization Relevant to Security,
Availability, Processing Integrity, Confidentiality, or Privacy;
• SOC 3: Trust Services Principles, Criteria, and Illustrations for Security,
Availability, Processing Integrity, Confidentiality, and Privacy.

111. CBRC Guidelines on the Risk Management of Commercial Banks’ Information Technology (2009)

The China Banking Regulatory Commission (CBRC) released regulatory Guidelines on
the Risk Management of Commercial Banks’ Information Technology, which apply to all
the commercial banks legally incorporated within the territory of the People’s Republic
of China, and “may apply to other banking institutions including policy banks, rural
cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan
companies, financial asset management companies, trust and investment companies,
finance firms, financial leasing companies, automobile financial companies and money
brokers”. The Guidelines cover IT governance, IT risk management, information
security, application system development, test and maintenance, IT operation, business
continuity management, outsourcing, internal audit, external audit, and supplementary
provisions. (FSB-ST)ⁱ

112. ENISA National Exercises Good Practice Guide (Dec 2009)

The European Union Agency for Network and Information Security (ENISA) guide was
released “to assist authorities in Member States to better understand the complexities of
exercises and help them prepare local and national ones. This guide was prepared by
interviewing experts on exercises throughout the EU and beyond with the aim to identify
good practices that were already applied and proved to be effective.”

“The guide examines these practices by first giving an introduction to the subject of
exercises, then reviewing the life-cycle of an exercise (identifying, planning, conducting,
and evaluating) systematically. Also, the roles of the involved stakeholders are presented.
Throughout the guide, good practices are highlighted for easy identification.”

113. ENISA Good Practice Guide on Incident Reporting (Dec 2009)

Given strong commitment by the EU institutions and the Member States to the resilience
of public communications networks, the European Union Agency for Network and
Information Security (ENISA) was asked to help Member States and EU institutions to
identify good practices in incident reporting schemes. This document addresses many of
the issues that Member States will face as they debate, take stock, establish, launch, develop
and harmonize their incident reporting systems at national level. The report discusses
schemes for reporting incidents that may harm or threaten the resilience and security of
public eCommunication networks. It examines the whole lifecycle of a reporting scheme,
from the first steps in designing the scheme, through engaging the constituency’s
cooperation, setting the reporting procedures, and then management and improvement of
the scheme.

114. German Federal Office for Information Security Act (Aug 2009)

The Act established the Federal Office for Information Security, overseen by the Federal
Ministry of the Interior, to perform specific tasks that promote the security of information
technology and to act as the central clearinghouse for cooperation among federal authorities
in matters related to the security of information technology. (FSB-ST)ⁱ

115. KR Electronic Financial Transactions Act and Enforcement Decree (Jan 2007)

The South Korean Electronic Financial Transactions Act was enacted in January 2007. The
Act (last amended May 2013) and its Enforcement Decree (last amended March 2014) are for
“ensuring the security and reliability of electronic financial transactions by clarifying their
legal relations and to promoting financial conveniences for people and developing the
national economy by creating a foundation for the sound development of electronic
financial industry.” They provide the legal grounds for the financial sector regulators to
conduct supervision and examination of financial institutions and electronic financial
business operators. Under the Act and other related regulations, Financial Institutions (FIs)
should adopt comprehensive measures to better cope with cyber threats and manage related
risks.

116. KR Regulation on Supervision of Electronic Financial Transactions (Jan 2007)

The South Korean Regulation on Supervision of Electronic Financial Transactions, last
amended on June 30, 2016, prescribes, for the Financial Services Commission as the body
delegated under the Electronic Financial Transactions Act, the matters under its authority that
are “required for securing the safety of the information technology sector of an institution
subject to examination by the Financial Supervisory Service under other Acts and
subordinate statutes.” It addresses “Rights and Obligations of Parties to Electronic
Financial Transactions”; “Securing the Safety of Electronic Financial Transactions and
Protecting Users”; “Licensing, Registration and Operation of Electronic Financial Affairs”;
and “Supervision of Electronic Financial Affairs”. It includes explanatory Tables on
“Standards for Computing the Number of IT Personnel and Information Protection
Personnel”; “Standards for IT Sector and Information Protection Budgets”; “Specific
Limits on Use of Means of Electronic Payment”; “Prerequisites for Major Investors”;
“Financial Companies Subject to Evaluation of IT Sector Operation”; and “Types of Assets
with Low Investment Risk”.


APPENDIX: INDEX by CONCEPTS

Please see separate “Source Table” file, tab labeled: “Appendix: Index by Concepts”.

ⁱ “FSB-ST” denotes those items mentioned in the “FSB Stocktake on Financial Sector Cybersecurity
Regulations, Guidance and Supervisory Practices”. See coverage in Digest.
