Recommendations

1

Design and implement a documented cyber-security program or policy, given the reputational and monetary implications of cyber-attacks.

2

Any cyber-security framework should be aligned with the overall operational risk and enterprise-wide risk management strategy. A successful cyber-attack is very likely to affect people, processes, and technology throughout a bank. It would therefore be particularly problematic if cyber-security were managed through its own set of responsibilities, policies, and procedures within IT, inconsistent with the overall operational and enterprise-wide risk management framework. To mitigate this, it is necessary to have “advance planning, cooperation, and communication between operational, risk, infrastructure and cyber-security teams”.

3

Cyber-security regulations should require banks to develop effective control and response frameworks for cyber-risk. An equal focus on the response framework is particularly important given the inevitability of a cyber-attack. The effective execution of banks’ control and response policies throughout the bank should be regularly evaluated; otherwise, bank-wide cyber policies may end up being applied only in certain areas of the bank. In general, it is worthwhile to assess whether a sound governance framework and clear accountabilities with regard to cyber-risk are established within the bank.

4

Be able to identify critical information assets. At the national level, governments identify the critical infrastructure and firms to which national cyber-security frameworks apply.

5

Regulatory cyber-event reporting. Cyber-events should be reported subject to materiality (e.g. where the impact is deemed material enough to adversely affect the bank’s operations) or where the event poses a risk to a bank’s critical systems.

6

Certify the information security professionals used by banks for their cyber-security activities. One reason is the sensitive nature of these activities, given that the people involved gain insight into a bank’s defences. The problem, though, is not only the limited availability of people with technical knowledge of cyber-security. A further problem is the limited cyber-security awareness of staff within banks, which could itself open the way for a cyber-event.

7

Raising cyber-security awareness among bank staff is an important component of a bank’s initiative to protect itself from cyber-risk.

8

It is necessary to explore further collaboration with the industry in strengthening banks’ cyber-security, and to pursue greater cross-border cooperation and harmonisation of practices. This includes creating and promoting platforms for intelligence-sharing, developing a pool of cyber-security professionals, and establishing guidelines on penetration testing. Such an approach could serve as a model for other jurisdictions, especially those with limited regulatory and supervisory resources, smaller banks, or a scarcity of cyber- and information security professionals.


In preparing this material, open-source information was used.