Cyber resilience: The Financial Stability Board consults on a new cyber incident toolkit


The Financial Stability Board (“FSB”) has published a consultation report on Effective practices for cyber incident response and recovery, which is a toolkit of 46 effective practices that organisations have adopted for cyber incident response and recovery (“CIRR”).

The toolkit has been developed by the FSB to assist financial institutions in their CIRR activities before, during and after a cyber incident, with the aim of reducing financial stability risks. The FSB believes the toolkit may also assist national authorities in the regulation and supervision of cyber risk within the financial services sector. The consultation closes on 20 July 2020 and the FSB plans to publish the final toolkit in October 2020.

The toolkit is not designed to constitute standards for financial institutions or their regulators, nor is it a prescriptive recommendation of any particular approach. Rather, the effective practices are intended by the FSB to serve as a ‘toolkit’ of options, not to be applied in a one-size-fits-all manner (because not all practices are applicable to every organisation or in every cyber incident). The toolkit is structured across seven components: (1) governance, (2) preparation, (3) analysis, (4) mitigation, (5) restoration, (6) improvement, and (7) coordination and communication. We have summarised these in this article.

The CIRR components

1. Governance

The toolkit states that CIRR objectives and priorities should be communicated and understood through an organisation-wide governance framework. Organisations should clearly define the roles, responsibilities and accountabilities for various CIRR activities to one or more named individuals. The toolkit suggests a multidisciplinary incident co-ordination team, including an Incident Owner, Media Spokesperson and Independent Observers. The toolkit emphasises the importance of board level and senior management responsibility. It indicates that the FSB considers it is good practice for a ‘top-down’ approach, with the board taking ultimate responsibility for overseeing CIRR activities and empowering senior managers to make decisions and take actions. In this way, a culture may be created where staff are encouraged to report or escalate cyber incidents.

2. Preparation

The preparation component describes methods for establishing and maintaining capabilities to respond to cyber incidents, and to restore critical functions, systems and data affected by cyber incidents to normal operations. The toolkit recommends having written policies that describe the functions of the CIRR processes and a clear communication strategy, so that response activities can be prioritised effectively and any required regulatory and statutory notifications are identified. The policies can be supplemented with plans and playbooks, which can be built around cyber scenarios and subject to stress testing (with such tests involving relevant authorities and third-party service providers). The toolkit suggests the use of technology solutions, such as vulnerability detection software and automated patching solutions, and the use of third-party cyber services providers to augment in-house capabilities. It also proposes that organisations pursue a vendor and product ‘diversification strategy’ to reduce over-dependency and create resilience in the event, for example, that a primary supplier is unavailable.

3. Analysis

For effective analysis, institutions could develop a cyber incident taxonomy for classifying cyber incidents, along with a pre-determined severity assessment framework to gauge seriousness. The toolkit provides some examples of these. It also suggests that organisations could collect and analyse system and transaction logs to support forensic investigation of incidents and should use trusted information sources (internal and external) for threat and root cause analysis, as well as to gather intelligence or recommendations on potential threats.

4. Mitigation

The toolkit highlights four mitigation practices:

(a) Containment – using measures, process and technologies to prevent further damage.

(b) Business continuity measures – invoking business continuity plans, for example, to facilitate the processing of critical transactions and resume critical operations, based on a pre-defined prioritisation process.

(c) Isolation – using a process to decide whether to shut down or isolate all or a substantial part of an institution’s systems and networks, rather than maintaining their business service operations.

(d) Eradication – removing all materials and artefacts introduced by the attacker (which may involve patching and closing system and network vulnerabilities).

5. Restoration

The toolkit sets out a number of activities that institutions should consider taking to restore systems and resume business as usual following a cyber incident. These include: prioritising restoration activities; monitoring restoration of compromised IT assets; validating restored assets before returning the systems to normal business operations; and having a ‘golden source’ of backup data in a significantly different IT environment to be used to restore data.

6. Improvement

The toolkit describes several practices for organisations to improve their response and recovery capabilities, including learning from past incidents as well as using proactive tools (such as CIRR exercises). These practices include: conducting exercises, tests and drills to validate the capability of resources and the robustness of CIRR plans and procedures; cross-sectoral and cross-border crisis management and contingency exercises to enhance coordination where a cyber incident may have a systemic impact on the financial sector; use of technological aids (such as sandboxes to test the effectiveness of CIRR systems); using external events and sources (such as reports, information sharing, trend and threat analysis) to improve CIRR practices; participation in industry-wide initiatives to promote collaboration; post-incident analysis to assess whether the actions taken were effective; and using lessons learnt to develop remedial actions, such as controls and procedures to improve future CIRR activities.

7. Coordination and communication

This component describes a number of coordination and communication practices that organisations can implement in order to maintain good cyber ‘situational awareness’ and enhance cyber resilience of the financial sector ‘ecosystem’. This includes: timely escalation to decision-makers in order to accelerate actions; providing regular updates with actionable messages; engaging in cross-border coordination with relevant authorities (where feasible); trusted information sharing on cyber incidents, effective cyber security strategies and risk management practices; using trusted communication channels, and timely cyber incident reporting of useful information to relevant authorities.

Operational resilience

The FSB’s consultation document is being published at a time when regulators and lawmakers are focussed on strengthening operational resilience within the financial services sector. Cyber incidents pose a threat to the stability of the global financial system and are being taken seriously by supervisory bodies. The FSB’s toolkit follows publications in November and December 2019 dealing with IT security and risk in the financial services sector: the EBA Guidelines on ICT and security risk management and the EIOPA draft Guidelines on information and communication technology (ICT) security and governance. In addition, the European Commission launched a consultation in December 2019 on a Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure, which looks at options for enhancing cyber resilience in the financial sector. A summary of these European initiatives is available here.

In the UK, the Bank of England, FCA and PRA published coordinated consultation papers in December 2019 on new requirements to build operational resilience of firms (the Bank of England, FCA and PRA consultation on operational resilience is due to close on 1 October 2020). The activities set out in the FSB toolkit are, in many respects, consistent with the approaches put forward in the Bank of England, FCA and PRA consultation proposals, which require firms to (for example): identify the people, processes, technology, facilities and information that support important business services; to identify risk areas; set impact tolerances; test tolerances through plausible disruption scenarios; conduct lessons learned exercises, and develop communications plans. The FSB toolkit and the Bank of England, FCA and PRA consultation proposal are also similar in that they emphasise that cyber risk management and incident response (in the case of the FSB toolkit) and operational resilience (in the case of the consultation proposals) are a board and senior manager-level responsibility.

Article co-authored by Kiran Jassal.