HM Treasury has published guidance drafted by the G7 Cyber Expert Group entitled "G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector". The guidance is part of a collection of documents, the so-called "G7 Fundamental Elements series", provided by the Group to assist firms, supervisory authorities, and third parties alike in their handling and monitoring of cyber security risks.
This particular guidance was evidently already developed in 2017, but has not been published by the UK government until now. It provides basic, high-level advice to firms on the outcomes they should seek in their implementation of cyber security measures and standards (the so-called desired outcomes). It also provides fundamental guidance to national competent authorities on the assessment of such measures and standards.
Desired outcomes for firms:
(1) Implementation of adequate measures: The firm has implemented adequate policies and procedures to identify, assess, and mitigate cyber security risks and has adopted corresponding corporate governance rules to ensure adequate oversight. It has also created an adequate response mechanism to any acute threats. Finally, it is fostering information exchange among staff members and provides continuous learning in this area to enhance the overall resilience of the firm.
(2) Cyber security influences organizational decision-making: Cyber security concerns are taken into account throughout an organization, from top-level senior management to low-level employees. Board members have developed adequate policies and procedures to facilitate accountability, information sharing, and safeguarding in this context, commensurate with the firm's risk appetite and its corporate governance strategy. Furthermore, it is up to senior management to take any measures it deems appropriate to drive this issue throughout the firm.
(3) Disruptions will occur: Despite extensive measures, firms recognize that there is no 100% guarantee that no cyber security issues will arise. They therefore strike the right balance between taking appropriate steps to prevent risks and preparing the measures to be taken once an incident has occurred. Accordingly, they also have "contingency plans" in place for such incidents and for the resumption of operations.
(4) The cyber security policy is adaptive: Following any incident, or following the testing of their cyber security, companies revise their policies and procedures to incorporate the lessons learned from that experience. Firms continuously review their cyber security programs and incident response mechanisms to keep them up to date, particularly with respect to technological developments. Firms also strive for continuous learning and improvement in this area.
Finally, the Group also notes the significance of a corresponding corporate culture to drive secure behavior.
——————–
For the guidance provided to competent authorities regarding their assessment of the cyber security measures and standards of supervised entities, please refer to the enclosed document.
