Cyber resilience continues to be a top priority for the financial services industry and a key area of
attention for financial authorities. This is not surprising given that cyber incidents pose a significant
threat to the stability of the financial system and the global economy. The financial system performs a
number of key activities that support the real economy (eg deposit taking, lending, payments and
settlement services). Cyber incidents can disrupt the information and communication technologies that
support these activities and can lead to the misuse and abuse of data that such technologies process or
store. This is complicated by the fact that the cyber threat landscape keeps evolving and becoming more
complex amid continuous digitalisation, increased third-party dependencies and geopolitical tensions.
Moreover, the cost of cyber incidents has continuously and significantly increased over the years.
This paper updates Crisanto and Prenio (2017) by revisiting the cyber regulations in the
jurisdictions covered in that paper, as well as examining those issued in other jurisdictions. Aside
from cyber regulations in Hong Kong SAR, Singapore, the United Kingdom and the United States, which
the 2017 paper covered, this paper examines cyber regulations in Australia, Brazil, the European Union,
Israel, Kenya, Mexico, Peru, Philippines, Rwanda, Saudi Arabia and South Africa. The jurisdictions were
chosen to reflect cyber regulations in both advanced economies (AEs) and emerging market and
developing economies (EMDEs). This highlights the fact that since 2017 several jurisdictions – including
EMDEs – have put cyber regulations in place.
There remain two predominant approaches to the regulation of banks’ cyber resilience: the
first leverages existing related regulations and the second involves issuing comprehensive
regulations. The first approach takes as a starting point regulations on operational risk, information
security etc and add cyber-specific elements to them. Here, cyber risk is viewed as any other risk and thus
the general requirements for risk management, as well as the requirements on information security and
operational risks, also apply. This approach is more commonly observed in jurisdictions that already have
these related regulations firmly established. The second approach seeks to cover all aspects of
cybersecurity, from governance arrangements to operational procedures, in one comprehensive
regulation. In both approaches, to counter the risks that might result from having too much
prescriptiveness in cyber regulations, some regulations combine broad cyber resilience principles with a
set of baseline requirements. Regardless of the regulatory approach taken, the proportionality principle is
given due consideration in the application of cyber resilience frameworks.
Whether as part of related regulations or separate comprehensive ones, recent cyber
security policies have evolved and could be described as “second-generation” cyber regulations.
The “first generation” cyber regulations, which were issued mainly in AEs, focused on establishing a cyber
risk management approach and controls. Over the last few years, authorities, including those in EMDEs,
have issued new or additional cyber regulations. These second-generation regulations have a more
embedded “assume breach” mentality and hence are more aligned with operational resilience concepts.
As such, they focus on improving cyber resilience and providing financial institutions and authorities with
specific tools to achieve this.
1 Juan Carlos Crisanto ([email protected]) and Jermy Prenio ([email protected]), Bank for International
Settlements, Jefferson Umebara Pelegrini ([email protected]), Central Bank of Brazil. We are grateful to Kaspar
Köchli and Jatin Taneja for research assistance, and to Markus Grimpe and staff at covered authorities for helpful comments.
Esther Künzi and Theodora Mapfumo provided valuable administrative support.
Banks’ cyber security – a second generation of regulatory approaches 5
The “second-generation” regulations leverage existing policy approaches to provide
additional specific guidance to improve cyber resilience. Cyber security strategy, cyber incident
reporting, threat intelligence sharing and cyber resilience testing are still the primary focus of the newer
regulations. Managing cyber risks that could arise from connections with third-party service providers has
become a key element of the “second generation” cyber security framework. Moreover, there are now
more specific regulatory requirements on cyber incident response and recovery, as well as on incident
reporting and cyber resilience testing frameworks. In addition, regulatory requirements or expectations
relating to issues such as cyber resilience metrics and the availability of appropriate cyber security expertise
in banks have been introduced in a few jurisdictions.
Authorities in EMDEs tend to be more prescriptive in their cyber regulations. Cyber security
strategy, governance arrangements – including roles and responsibilities – and the nature and frequency
of cyber resilience testing are some of the areas where EMDE authorities provide prescriptive
requirements. This is approach seems to be connected to the need to strengthen the cyber resilience
culture across the financial sector, resource constraints and/or the lack of sufficient cyber security expertise
in these jurisdictions. Hence, EMDE authorities may see the need to be clearer in their expectations to
make sure banks’ boards and senior management invest in cyber security and banks’ staff know exactly
what they need to do.
International work has resulted in a convergence in cyber resilience regulations and
expectations in the financial sector, but more could be done in some areas. Work by the G7 Cyber
Expert Group (CEG) and the global standard-setting bodies (SSBs) on cyber resilience has facilitated
consistency in financial regulatory and supervisory expectations across jurisdictions. This is necessary given
the borderless nature of cyber crime and its potential impact on global financial stability. Another area
where there might be scope for convergence is the way in which authorities assess the cyber resilience of
supervised institutions. This could, for example, include aligning the assessment of adequacy of a firm’s
cyber security governance, workforce and cyber resilience metrics. Lastly, there might be scope to consider
an international framework for critical third-party providers, in particular cloud providers, given the
potential cross-border impact of a cyber incident in one of these providers.
6 Banks’ cyber security – a second generation of regulatory approaches
Section 1 – Introduction
1. Cyber risk2 is a significant threat to the stability of the financial system and the global
economy. The financial system performs a number of key activities that support the real economy (eg
deposit taking and lending, payments and settlement services). Cyber incidents3 have been shown to
disrupt these activities by affecting the information and communication technologies (ICT) that financial
firms extensively rely on and the data they process. Within the financial sector, banks typically have the
most public-facing products and services. Their multiple points of contact with outside parties result in
significant vulnerabilities to cyber attacks and could be used as entry points for attacks that can culminate
in relevant disruptions to the financial system.
2. The cyber threat landscape keeps evolving and becoming more complex amid continuous
digitalisation, increased third-party dependencies and geopolitical tensions. Interpol (2022) reports
ransomware, phishing, online scams and computer hacking as the highest cybercrime threats
globally.4 Moreover, the complexity of the cyber threat landscape has increased due to the strong impact
of geopolitics on cyber operations, especially since the Russia-Ukraine war began, with distributed denial
of service (DDoS) being used as a cyber warfare tool.5 There is also a resurgence of hacktivism with greater
technical sophistication and state support as well as an increase of deepfake-enabled fraud.6 With respect
to the increasing dependency of larger parts of the financial system on cloud providers, CrowdStrike (2023)
reports “a larger trend of eCrime and nation-state actors adopting knowledge and tradecraft to
increasingly exploit cloud environments”.
3. The cyber threat landscape is also characterised by a significant and continuous rise in the
cost of cyber incidents. Statista (2023) estimated the global cost of cyber crime in 2022 at $8.4 trillion
and expects this to go beyond $11 trillion in 2023. This reflects an annual increase of 30% in the cost of
cyber crime during the 2021-23 period.7 Moreover, the average cost of a data breach between 2020 and
2022 increased by 13%, with the financial industry scoring the second highest average cost after healthcare
at $6 million.8 According to Chainalysis (2022), 2022 was the biggest year ever for crypto hacking, with
$3.8 billion stolen from cryptocurrency businesses. Cyber insurance demand continues to outweigh supply
and that the cyber protection gap appears to be widening amid a market characterised by rising premiums,
narrowing coverage and tighter underwriting standards.
4. In the light of the above developments, it is unsurprising that cyber resilience10 continues
to be a top priority for the financial services industry. According to EY-IIF (2023), most chief risk officers
(CROs) consider cyber risk the top threat to the banking industry and “the most likely to result in a crisis
2 FSB (2018) defines cyber risk as as the combination of the probability of cyber incidents occurring and their impact.
3 FSB (2018) defines cyber incidents as events (whether resulting from malicious activity or not) that: (i) jeopardise the
confidentiality, integrity and availability of an information system or the information the system processes, stores or transmits;
or (ii) violate the security policies, security procedures or acceptable use policies.
4 Interpol (2022) also reported that those types of cyber crime are expected to increase in the next three to five years. Phishing
attacks related to cryptocurrency increased by over 250% year on year. See Interisle Consulting Group (2022).
5 See ENISA (2022).
6 See Moody’s Investor Service (2022).
7 Admittedly, this is lower in comparison with the 50-60% increase observed during the 2019-21 period at the height of the
global pandemic and lockdown.
8 See IBM (2022).
9 IAIS (2023).
10 As defined by FSB (2018), cyber resilience refers to an organisation’s the ability to continue to carry out its mission by
anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and
rapidly recovering from cyber incidents.
Banks’ cyber security – a second generation of regulatory approaches 7
or major operational disruption”. Despite the significant resources invested in enhancing cyber resilience,
CROs highlight two main challenges related to effectively managing cyber risk: (i) its inherent presence in
every line of business, in day-to-day operations and across extensive networks of partners, suppliers and
service providers on which banks increasingly depend; and (ii) the increasing sophistication of hacking
tools and techniques. As a result, CROs expect to pay the most attention to cyber risk in the next 12 months
and consider it the top strategic risk for the next three years. A more general aspiration highlighted by the
industry is to design more consistent and coordinated regulations across jurisdictions in a way that
enhances global cyber resilience and reduces regulatory fragmentation.11
5. Strengthening cyber resilience is also a key focus for the official sector, including central
banks and supervisory authorities. Cyber crime is widely regarded as a national defence priority and
several jurisdictions have put in place national policies or frameworks to strengthen the cybersecurity12 of
critical sectors and institutions.13 From the perspective of central banks’ own management of cyber risk,
many have notably increased their cyber security-related investments since 2020, giving priority to
technical security control and resiliency, and are collaborating within the framework provided by the BIS’
Cyber Resilience Coordination Centre (CRCC).
14 Moreover, the central banking community is developing
analytical frameworks to understand the channels through which cyber risk can grow from an operational
disruption into a systemic event.
15 Finally, an increasing number of jurisdictions have issued cyber-specific
guidelines for the financial sector and cyber resilience features prominently in the work-programmes of
global standard-setting bodies (SSBs) and other international bodies (see Section 2).
6. Cyber security is considered a top priority for banking supervisors worldwide. Within the
financial sector, bank authorities have been particularly active in coming up with regulatory and
supervisory frameworks to enhance the banking sector’s resilience to cyber attacks. This reflects the fact
that cyber security features prominently in the work programme of banking supervisors in both advanced
economies (AEs) and emerging markets and developing economies (EMDEs) (see Graph 1). This graph also
suggests that the top priority attached to cyber security and operational resilience more broadly is
correlated with supervisory work on digitalisation of the financial system and its impact on banking
business models. In Europe for example, the ECB Banking Supervision published its supervisory priorities
for 2023-25 in December 2022, that includes addressing deficiencies in operational resilience frameworks,
namely IT outsourcing and IT security/cyber risks.16
11 See IIF (2023).
12 According to FSB (2018), cyber security mainly refers to the preservation of confidentiality, integrity and availability of
information and/or information systems through the cyber medium.
13 For instance, Singapore’s Cybersecurity Strategy; Canada’s Cybersecurity Standard; the US Department of Homeland Security’s
different initiatives to protect US critical infrastructure; South Africa’s National Cybersecurity Policy Framework (NCPF); and
Critical Infrastructure Protection in France.
14 See Doerr (2022) and a description of CRCC activities in the BIS’s Annual Report 2021.
15 For example, ECB’s “Towards a framework for assessing systemic cyber risk” in its Financial Stability Review, November 2022;
European Systemic Risk Board, Systemic cyber risk, February 2020; US Office of Financial Research, Cybersecurity and financial
stability: risks and resilience, February 2017.
16 See ECB (2022).
8 Banks’ cyber security – a second generation of regulatory approaches
7. This paper updates Crisanto and Prenio (2017) by revisiting cyber security regulations in
jurisdictions covered in that paper, as well as examining those issued in other jurisdictions. Aside
from cyber security regulations in Hong Kong SAR, Singapore, the United Kingdom and the United States,
which the 2017 paper also covered, this paper examines cyber regulations in Australia, Brazil, the European
Union, Israel, Kenya, Mexico, Peru, the Philippines, Rwanda, Saudi Arabia and South Africa. The jurisdictions
were chosen to reflect cyber regulations in both AEs and EMDEs. This highlights the fact that since 2017,
a number of jurisdictions – including in EMDEs – have put in place or enhanced cyber regulations. It should
be noted, however, that based on an IMF survey of 51 EMDEs, 42% still lack a dedicated cybersecurity or
technology risk-management regulation.17 Section 2 provides the international context in which these
regulations have evolved. Section 3 describes the different approaches in the design of cyber regulations.
Section 4 presents the key cyber regulatory requirements. Section 5 concludes.
Section 2 – International regulatory initiatives
8. Cyber resilience features prominently in the work programme of SSBs. Given the borderless
nature of cyber crime and its potential impact to global financial stability, cyber resilience requires
international cooperation18 and has therefore featured prominently in the work programme of SSBs,
17 Adrian and Ferreira (2023).
18 According to FSB (2017a), cyber risk is one of the top three priority areas for international cooperation.
Main regulatory and supervisory priorities in BCBS and non-BCBS member
authorities in 2023 Graph 1
Note: Analysis based on public information and includes a total of 35 banking authorities: 22 BCBS-member authorities and 13 non-BCBS
Banks’ cyber security – a second generation of regulatory approaches 9
including the Financial Stability Board (FSB), the Basel Committee on Banking Supervision (BCBS), the
Committee on Payments and Market Infrastructures (CPMI), the International Association of Insurance
Supervisors (IAIS) and the International Organization of Securities Commissions (IOSCO). This work aims
to achieve greater convergence of cyber resilience approaches mainly through principles-based guidance
and practical toolkits. Convergence has been facilitated by the use of common language through the FSB’s
cyber lexicon, which was published in 2018 and updated in 2023.
9. The G7 Cyber Expert Group (G7 CEG) also plays an important role in enhancing cyber
resilience practices in the financial sector. The G7 CEG was set up in 2015 to identify the main cyber
security risks in the financial sector and propose actions to be taken in this area across G7 jurisdictions,
including on cyber security policy coordination.19 The G7 CEG recommendations aim to reflect policy
approaches, industry guidance, and best practices in place throughout its member jurisdictions. While
their primary focus is on private sector financial entities, they can be of help for financial authorities’ own
institutional work on cyber resilience and their efforts to promote this resilience across the financial sector.
That said, the G7 CEG recommendations are non-binding, non-prescriptive and designed to be tailored to
individual risk profiles and threat landscapes as well as to country-specific legal and regulatory
frameworks. Graph 2 provides a summary of the main SSB and G7 CEG work that is helping to facilitate
international convergence of cyber regulations in the financial system.
10. SSBs generally emphasise the importance of cyber resilience as part of their efforts to
enhance the operational resilience of the financial sector. The dramatic growth of technology-related
threats and the Covid-19 pandemic brought to the forefront the need to enhance the ability of financial
institutions to deal with operational risk-related events that could cause significant disruptions in the
financial markets, including cyber incidents. With this aim, the BCBS issued Principles for Operational
Resilience in 202120 to facilitate banks’ ability to withstand, adapt to and recover from those severe adverse
events. A key element of the Principles is ensuring a resilient ICT framework, including cyber security, to
fully support and facilitate the delivery of the bank’s critical operations.21 The 2021 BCBS Newsletter on
cybersecurity not only highlights the interaction between operational resilience and cyber security but also
the need to align cyber risk management with widely accepted industry standards.22
11. The CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures (FMIs)
has become a key point of reference for the financial sector when designing a sound framework to
address cyber risk. This cyber guidance was published in 2016 with the purpose of supplementing the
2012 Principles for FMIs. As such, it sets out additional details related to the preparations and measures
that FMIs should undertake to enhance their cyber resilience capabilities.23 The cyber guidance focuses
on five cyber risk management categories: governance; identification; protection; detection; and response
and recovery. It also envisages three overarching components to be addressed across the cyber resilience
framework: testing; situational awareness; and learning and evolving. More recently, CPMI and IOSCO have
focused their attention on assessing the level of adoption of their guidance by financial market
infrastructures and the results have highlighted the challenges related to the development of adequate
response and recovery plans to deal with severe cyber incidents.
19 Additional G7 actions include information sharing, testing and incident response.
20 These Principles build on the Committee's Revisions to the principles for the sound management of operational risk, and draw
on previously issued principles on corporate governance for banks, as well as outsourcing, business continuity and relevant risk
management-related guidance (BCBS, 2021).
21 See Principle 7 – ICT Including cyber security.
22 In addition, building upon previous work, the IAIS released a draft “Issues paper on insurance sector operational resilience” in
2022 where the issue of insurer cyber resilience featured prominently.
23 The 2016 Cyber guidance provides supplemental information, primarily with respect to the following 2012 PFMI Principles:
governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality
(Principle 8), operational risk (Principle 17) and FMI links (Principle 20).
10 Banks’ cyber security – a second generation of regulatory approaches
12. The G7 CEG’s Fundamental elements of cyber security is another common point of
reference for developing and implementing a strong cyber resilience framework. This 2016 guidance
has played a pivotal role in providing financial institutions and authorities with building blocks to design
and implement sound cyber security policies and practices. These include eight fundamental elements
that rely on an appropriate cyber security strategy and framework; effective governance structure;
thorough evaluation of cyber risks and respective controls across the business; systematic monitoring of
processes to rapidly detect cyber incidents (eg testing and audit); timely incident response and recovery;
timely sharing of relevant information; and periodic update of fundamental elements in line with the
evolving threat landscape. To assess how effectively these elements are being implemented, the G7 CEG
issued tools in 2017 that describe desirable outcomes and components to evaluate progress in enhancing
13. With regards to specific components of cyber resilience, the FSB work has focused on cyber
incident response and recovery as well as on cyber incident reporting. In 2020, the FSB issued a final
report that provides a toolkit to guide financial institutions response to and recovery from a cyber incident
in a way that limit any related financial stability risks. Since this requires timely and accurate information
on cyber incidents, the FSB issued recommendations in 2023 to address impediments to achieving greater
convergence in cyber incident reporting, including proposing a concept for a common format for incident
reporting exchange (FIRE) to address operational challenges arising from reporting to multiple authorities
and to foster better communication.
14. The G7 CEG has provided additional guidance to assess the effectiveness of cyber resilience
measures and to address ransomware threats. In 2018, the G7 CEG further elaborated on its
fundamental elements of cyber security by providing financial sector firms with a guide for assessing their
resilience to malicious cyber incidents through simulation and a guide for financial sector authorities
considering the use of threat-led penetration testing (TLPT) within their jurisdictions. Moreover,
recognising the need for clearly defined and regularly rehearsed response and recovery procedures in case
of disruptive cyber events, the G-7 CEG developed tools in 2020 to guide the establishment of cyber
exercise programmes with internal and external stakeholders. These tools could also serve as guide for
establishing cyber exercise programmes across jurisdictions and sectors. Additionally, to deal with the
recent growth of ransomware threat in the financial sector, the G7 CEG issued key considerations in 2022
that are essential to address this threat.
15. Enhancing third-party cyber risk management has also been part of the work programme
of the G7 CEG and FSB. The use of third parties generally introduces additional cyber risks that need to
be well managed. In 2018, the G7 CEG issued the fundamental elements that needed to be considered
throughout the third-party cyber risk management life cycle not only within an individual entity but also
as part of the system-wide monitoring of cyber risk, including for the purposes of cross-sectoral
coordination. In 2022, the G7 CEG revised these fundamental elements to reflect the latest financial
industry developments, most notably the expanded reliance on ICT providers and the need to effectively
manage ICT supply chain-related cyber exposures. Complementing this work, the FSB’s work programme
for 2023 includes releasing a consultative document aimed at strengthening financial institutions’ ability
to manage third-party and outsourcing risk.
16. The IAIS (2023) reports that cyber insurance only covers a small proportion of the potential
economic cost resulting from cyber events. Insurers are not only exposed to cyber risks in their
operations but are also active takers of cyber risk through their cyber underwriting activities. Regarding
the latter, the 2020 IAIS Cyber Risk Underwriting Report concluded that cyber underwriting practices, while
serviceable, were not yet optimal, particularly due to challenges surrounding the measurement of risk
exposures and clarity of cyber insurance policies. In view of this, the report recommended proactive
supervisory attention to facilitate the monitoring, understanding and assessment of cyber risk
underwriting exposure and impact; as well as enhancing the corresponding supervisory expertise.
Banks’ cyber security – a second generation of regulatory approaches 11
17. More generally, SSBs have devoted resources to increase the mutual understanding of their
members of their individual efforts to strengthen cyber resilience. This has mainly taken the form of
stock-taking of cyber security regulations, guidance and supervisory practices. Examples of this work are
the 2017 FSB report Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory
Practices24, which was conducted with FSB member jurisdictions, and the 2018 BCBS report entitled Cyberresilience: range of practices, which describes and compares the range of regulatory and supervisory cyber
resilience practices across BCBS member jurisdictions. Another relevant example is the 2019 report from
the IOSCO Cyber Task Force. This report examines how IOSCO member jurisdictions are using
internationally recognised cyber frameworks and how these frameworks could help address any gaps
identified in IOSCO members’ current regimes rather than proposing any new guidance.
Section 3 – Design of cyber resilience regulations
18. There are two predominant approaches to the regulation of banks’ cyber resilience: the
first leverages existing related regulations, and the second involves issuing comprehensive cyber
regulations. In the first approach, existing related regulations (eg regulations on operational risk
management, IT risk management, outsourcing) are enhanced to include cyber-specific elements. This
approach views cyber risk as any other risk and thus the general requirements for risk management (eg
governance, setting of risk appetite), and the requirements on IT, information security and operational
risks, also apply. As a result, this approach facilitates strong alignment with regulatory expectations on
enterprise risk management and operational risk including operational resilience. This approach is more
commonly observed in jurisdictions (eg the United States and Europe) that already have established
regulations on operational risk management, business continuity, information security and/or information
24 FSB (2017b).
Main SSB and G7 CEG work that is facilitating the international convergence of
cyber regulations in the financial system Graph 2
12 Banks’ cyber security – a second generation of regulatory approaches
technology risk management. The second approach, on the other hand, seeks to cover all aspects of
cybersecurity, from governance arrangements to operational procedures, in one comprehensive
regulation. This is the case for example in México and in South Africa’s public consultation on Joint
Standard on Cybersecurity and Cyber Resilience Requirements.
19. In either approach, there is a risk that regulations could become too prescriptive or result
in inefficiencies. The risk exists that regulation becomes too prescriptive, so that it falls behind both the
constantly evolving threat from cyber risk and advances in cyber risk management. There is also a risk of
creating inefficiencies and silos. Comprehensive cyber regulations, in particular, might result in financial
institutions establishing governance and risk management frameworks for cyber risk and resilience that
are separate from their enterprise-wide frameworks.
20. To counter the risk of too much prescriptiveness, there is an emerging regulatory approach
that seeks to combine broad cyber resilience principles with a set of baseline requirements. This
approach focuses more on “what expectations to achieve” and less on “how to achieve them”.25 It supports
a regulatory framework that is flexible enough to be adapted to the dynamic and evolving nature of cyber
risk while having clear supervisory expectations with respect to the core aspects of governance and risk
management that aim to enhance cyber resilience. For example, the Australian Prudential Regulation
Authority (APRA) published the Prudential Practice Guide CPG 234 Information Security, providing detailed
expectations regarding the requirements established in Prudential Standard CPS 234 – Information
21. Finding the right level of prescription when developing cyber resilience regulations is
challenging. While prescriptive rules may be necessary in some areas, for example, by requiring banks’
boards to establish a cyber risk management framework and risk appetite, other areas are clearly less
suitable for specific rules and it is important to prevent regulations from falling behind both the constantly
evolving threat from cyber risk and advances in cyber risk management. For example, given the rate of
technological change, any regulation that prescribes the use of a specific technology is likely to become
rapidly outdated and ineffective.26 Mandating a specific recovery time is another example where
regulators need to be careful how banks go about implementing it. The aim is to prevent the lengthy
disruption of critical financial operations, but an excessively stringent and rigid recovery time may prove
counterproductive if this comes at the expense of banks’ ability to thoroughly check that all their systems
are no longer compromised. Regulations that are very prescriptive may also result in a compliance-based
approach to dealing with cyber risk.
22. Whether as part of related regulations or separate comprehensive ones, a distinction can
also be made between “older” (first generation) and “newer” (second generation) cyber
regulations. Authorities recognise that cyber risk management is constantly evolving. Hence, the focus of
the first generation and second generation of cyber regulations are somewhat different. The first
generation focused on establishing a cyber risk management approach and defining requirements on
typical security controls (eg, access controls and vulnerability analysis). The second generation goes one
step further, emphasising the need to develop capabilities (e.g., cyber incident management, cyber
incident reporting and third-party risk management) essential to ensure a financial institution’s cyber
resilience in an increasingly digital financial system. Authorities are also continuously thinking of ways to
improve their cyber regulations. They could, for example, focus on the establishment of business continuity
arrangements involving coordination between relevant financial institutions to respond to systemic crises
caused by cyber incidents.
25 See Wilson et al (2019).
26 See Gracie (2014).
Banks’ cyber security – a second generation of regulatory approaches 13
23. Regardless of the regulatory approach taken, the application of the proportionality
principle is given due consideration in the application of cyber resilience frameworks. Proportionality
is defined as the application of simplified prudential rules to smaller and less complex banks to avoid
excessive compliance costs without undermining key prudential safeguards.27 Translating this concept to
the cyber security world is challenging, given that exposure to cyber risk depends not only on a bank’ size
and complexity but also on how it uses technology and how it provides its products and services using
digital channels, as well as the level of financial sector interconnectedness. Authorities are aiming to
identify key aspects of cyber resilience governance and risk management that should apply to all
supervised firms regardless of traditional indicators used to group peer banks. At the same time, other
authorities such as the Peruvian Superintendency of Banks and Private Pension Funds apply a
proportionality framework in which systemically important banks are subject to heightened cyber
resilience requirements reflecting their potential financial stability risks. Table 1 provides a comparative
description of the first and second generation of cyber regulations.
24. Supervisory assessments of cyber security capabilities tend to use existing technical
standards for cyber and information security as a valuable point of reference. Jurisdictions take
industry standards into account when developing their regulatory and supervisory frameworks. Credible
technical standards provide essential knowledge of practices and controls for managing cyber and
technological risks. Examples of influential technical standards in the cyber/information security
• the US National Institute of Standards and Technology (NIST) Cyber security framework;
• the International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) standards – in particular the ISO/IEC 27000 series on information security
management, ISO 22301 on security and resilience and ISO 31000 on risk management;
• ISACA’s Control objectives for information technologies (COBIT) framework for IT governance
and management; and
• the Center for Internet Security (CIS) Controls.
27 See Castro Carvalho et al (2017).
14 Banks’ cyber security – a second generation of regulatory approaches
Section 4 – Key regulatory requirements for cyber resilience
25. As mentioned in Section 3, regulators in different jurisdictions have two broad ways of
communicating their cyber security requirements or expectations. Some regulators issue “all-in-one”
regulations that encompass all aspects of cyber security. Other regulators insert cyber security
requirements in various relevant regulations (eg, relating to IT, third party service providers). In both cases,
regulations share a high degree of commonality, which is expected given that these are based on
international regulatory and industry standards. This section discusses key regulatory requirements and
expectations – whether they are found in “all-in-one” regulations or inserted in relevant regulations – in
the areas of cyber security strategy and governance; cyber incident response and recovery; cyber incident
reporting and threat intelligence sharing; cyber resilience testing; cyber hygiene; third-party dependencies;
cyber security culture and awareness; cyber security workforce; and cyber resilience metrics.
Cybersecurity strategy and governance
26. An increasing number of regulators, particularly in EMDEs, require banks to develop
specific cyber security “strategies”.28 However, regulations may not explicitly call them strategies but
may refer to them as “policies”, “programmes” or “frameworks”. Such regulatory requirements typically
follow the cyber security framework advocated in CPMI-IOSCO (2016) involving identification, protection,
detection, and response and recovery (see Graph 2). More concretely, such strategies, policies,
programmes and frameworks include the following core elements:
28 This is in contrast to the findings of the BCBS, which is made up mostly of regulators in AEs, that only a few regulators require
banks to develop such strategies (BCBS, 2018).
Comparative description of the first and second generation of cyber
regulations. Table 1
Banks’ cyber security – a second generation of regulatory approaches 15
• mapping of exposure to cyber risk;
• defining action plans to address mapped cyber risks;
• allocating resources to implement action plans;
• defining and allocating roles and responsibilities;
• continuous review of the adequacy of controls;
• monitoring of the threat landscape;
• reporting to the board and senior management; and
• promoting cybersecurity awareness and culture.
27. The same regulators that require specific cyber security strategies also specify cyber
security governance arrangements. Such governance arrangements require the board to set and
approve the bank’s cyber security strategy, framework and policy, and oversee their implementation by
senior management. Senior management, on the other hand, are required to develop the bank’s cyber
security framework and policy in line with the overall strategy, implement the framework and policy and
monitor their effectiveness. Other regulations, particularly those in AEs, typically do not specify cyber
security governance arrangements. Presumably, these regulations consider that existing general risk
management frameworks, particularly those for information security or operational risk/resilience, already
cover the roles and responsibilities of the board and senior management when it comes to addressing
28. Regulatory guidance and requirements relating to cyber security roles and responsibilities
are common. While most regulators do not require banks to implement the “three lines of defence” risk
management model, regulations often require documented policies on the clear assignment of cyberrelated management responsibilities relating to identification, protection, detection, and response and
Cybersecurity framework Graph 3
Sources: Adapted from CPMI-IOSCO (2016) and Oliver Wyman’s approach as described in Mee and Morgan (2017)
16 Banks’ cyber security – a second generation of regulatory approaches
recovery. Board and senior management roles are emphasised. In some cases, regulatory guidance or
requirements include the designation of a unit, function or position that is responsible for the
implementation of cyber security within the bank.
29. Designation of a person responsible for cyber security at the top level is increasingly
becoming mandatory. The exact position may not be specified in regulations, but it is common that this
position is required to be a C-level position (ie part of top management). In providing prominence to this
position, there also seems to be a thrust towards highlighting that cybersecurity is no longer just an area
of IT risk and business continuity management, but an explicit part of enterprise risk management of a
bank. The requirement to designate a chief information security officer (CISO) or equivalent seems to be
more common in EMDEs (eg Brazil, Kenya, Mexico, Philippines and Saudi Arabia), but it is also possible to
find examples in AEs such as the UK29. However, the lack of information security professionals in these
jurisdictions could pose challenges to the implementation of this requirement. This problem is not
exclusive to EMDEs. In fact, the New York State’s Department of Financial Services (DFSNY) cyber security
requirements for financial services companies, for example, allows the CISO to be employed by a thirdparty service provider of the bank (ie not an employee), subject to certain conditions. Presumably, this is
to anticipate the challenge that smaller institutions might face in hiring CISOs.
30. Regulators generally expect banks to be able to identify their critical operations30,
including supporting information assets. At the national level, governments identify critical
infrastructure and firms to which their national cyber security frameworks apply. Banks are expected to do
the same at their own level. Banks should be able to map their operations to their supporting assets and
be able to classify their operations according to their criticality and sensitivity to cyber risk. This makes it
possible to focus cyber security efforts on operationally sensitive and critical operations and information
assets. Ideally, the entire bank should be protected but, given limited resources, banks should be able to
deploy their resources in a targeted manner to maximise the benefits and ensure operational resilience.
Cyber incident response and recovery
31. Cyber incident management is certainly one of the pillars of a sound cyber resilience
framework. Incident management is a typical and well-established IT process. But the complexity and
high impact of cyber incidents have led almost all jurisdictions considered in the analysis to reinforce the
provisions in their regulations specifying that banks should establish processes and capabilities to properly
manage cyber incidents. A bank should be able to manage cyber incidents throughout their lifecycle. This
should include establishing classification criteria and escalation and reporting procedures. Some
jurisdictions stipulate that banks should also consider incidents that occurred at third party providers in
their cyber incident management framework.
32. Many regulators now require banks to develop cyber incident response and recovery
(CIRR) plans, in addition to the general incident management requirement. Considering that it is a
question of when, not if, banks will experience a cyber attack, supervised institutions are now generally
required to have response and recovery plans that allow them to promptly respond to a cyber incident,
mitigating its impact and facilitating the rapid recovery of bank’s operations.31 This “assume breach”
29 PRA (2021).
30 According to BCBS (2021a), the term critical operations is based on the Joint Forum’s 2006 high-level principles for business
continuity, encompasses critical functions as defined by the FSB “Recovery and resolution planning for systemically important
financial institutions” and is expanded to include activities, processes, services and their relevant supporting assets (people,
technology, information and facilities necessary for the delivery of critical operations) the disruption of which would be material
to the continued operation of the bank or its role in the financial system. Whether a particular operation is “critical” depends
on the nature of the bank and its role in the financial system.
31 This is different from the BCBS (2018) findings that most of such requirements were not specific to cyber incidents but related
to incidents in general.
Banks’ cyber security – a second generation of regulatory approaches 17
mentality has totally replaced the traditional concept of building a strong perimeter to ward off a cyber
attack. The new threat environment, characterised by multiple points of potential entry for attacks, has
reduced the effectiveness of the traditional security approach, which relies solely on marshalling all of an
institution’s security devices/detective capability to guard the perimeter. The assumption of breach
approach complements the traditional measures with intrusion detection techniques as well as response
measures (eg to prevent the extraction of critical data). Jurisdictions aiming at strengthening their cyber
resilience framework by introducing CIRR requirements are increasingly taking note of the FSB CIRR toolkit.
33. Regulators typically stress that CIRR plans should be tested and constantly reviewed to
ensure adequate response and recovery capabilities. Given the dynamics and increasing complexity of
cyber attacks, regulators expect banks to periodically assess the adequacy of their CIRR plans for managing
cyber incidents. Lessons learned from previous incidents are essential to improve CIRR plans, thus allowing
banks to properly respond to cyber attacks. The testing of CIRR plans is typically required in cyber resilience
regulations, as can be seen in APRA’s Prudential standard on information security and in the proposed Joint
standard on cybersecurity and cyber resilience requirements under public consultation in South Africa. In
the case of the proposed standard in South Africa, a financial institution must test all elements of its cyber
resilience capacity and security controls to determine the overall effectiveness, whether it is implemented
correctly, operating as intended and producing desired outcomes. Moreover, there are several examples
that show authorities and/or trade associations running sector-wide exercises to test financial institutions’
ability to respond and recover from disruptive event in a coordinated fashion (see Box 1)
34. Experience with cyber attacks shows the importance of coordinating cyber incident
management, crisis management and business continuity. Successful ransomware attacks are
examples of cyber incidents that can rapidly evolve into a crisis, given the potential to completely disrupt
a bank’s operations. Sound banking practices show the usefulness of defining and periodically reviewing
the criteria to be used to characterise crisis situations, thus allowing crisis management and business
continuity procedures to be adequately triggered in the case of incident escalation.
Cyber incident reporting and threat intelligence sharing
35. Cyber incident reporting and threat intelligence-sharing are valuable tools to increase
situational awareness of the cyber threat landscape. On one hand, reporting of cyber incidents is
important to assess the impact of successful incidents as well as to anticipate the likelihood of systemic
risk materialising (eg systemic implications of a ransomware infection in a critical financial market
infrastructure). On the other hand, threat intelligence-sharing constitutes an important source of
information about threats and vulnerabilities, allowing banks to assess the adequacy of their cyber security
36. The timely communication of material cyber incidents is common across regulations.
Although timeframes and materiality thresholds vary, many regulators establish requirements for cyber
incident reporting, including reporting of material cyber incidents as soon as possible, followed by a full
report at a later date. The timely notification of a material incident allows authorities to start monitoring
the impact of the incident on individual banks and on the financial system, while the full report is useful
for collecting threat intelligence information and a root cause analysis that could be shared with banks or
support supervisory activities. In some cases, intermediate reports may be required to provide updated
information on the occurrence. For example, the Monetary Authority of Singapore (MAS) requires the
incident to be reported within an hour of it occurring, and then a root cause and impact analysis to be
18 Banks’ cyber security – a second generation of regulatory approaches
submitted to the authority within 14 days of the discovery of the incident.32 However, when examining a
broader sample of 51 EMDEs, the IMF found that 54% lack a dedicated cyber incident reporting regime.
37. Although requirements vary across jurisdictions, a few authorities have begun to develop
their own threat intelligence-sharing initiatives. Regulators recognize the relevance of information
sharing on security issues for the development of a sound cyber resilience framework. Although there is
no common approach to threat intelligence-sharing, this is one of the key elements of the cyber resilience
framework of some jurisdictions, such as Brazil34, the EU and Saudi Arabia. Threat intelligence-sharing is a
practice that is still maturing. Some regulators are developing their own initiatives, such as the ECB’s Cyber
information and intelligence-sharing initiative (CIISI-EU). In Saudi Arabia, the Cyber threat intelligence (CTI)
principles describe best practices focused on producing, processing, and disseminating threat intelligence
to enhance the identification and mitigation of cyber threats relevant to the financial sector through
actionable threat intelligence. There are also industry-led initiatives, such as the Financial Services
Information Sharing and Analysis Center (FS-ISAC).
Cyber resilience testing
38. Regulators expect banks to undertake cyber resilience testing and to address identified
issues. The CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures, which has
provided a coherent approach to improving cyber resilience in financial institutions more broadly, called
for the establishment of a comprehensive cyber resilience framework that includes a testing programme
to validate the framework’s effectiveness. Such a testing programme could employ various testing
methodologies and practices, such as vulnerability assessment, penetration testing, tabletop simulations
39. In general, banking regulators do not specify the nature and frequency of testing. These
typically depend on a number of factors, including the size and complexity of a bank, the criticality and
sensitivity of its business services and information assets, and changes in the threat landscape.
Interestingly, some regulators in EMDEs tend to be more prescriptive. Common requirements in these
jurisdictions include annual penetration testing and bi-annual vulnerability assessments or systematic
scans of banks’ information systems. However, many EMDEs still do not mandate testing and cyber
exercises or provide further guidance.35
40. There is recognition of the importance of TLPT. A number of regulators in developed
economies have TLPT frameworks in place, although the objectives and implementation details may
differ.36 The frameworks apply typically to large or critical financial institutions, but authorities may have
the discretion to include other financial institutions such as banks deemed risky from a supervisory
perspective. The frameworks also differ in terms of whether threat intelligence and red team test providers
must be external to the financial institution, accredited and formally assessed.
41. Some regulators coordinate or participate in cyber exercises aimed at testing crisis events
that could disrupt the financial system or other critical national infrastructures. Given the greater
complexity of financial services and the increasing interconnection between financial institutions, some
jurisdictions are leveraging the testing capabilities of banks and other relevant players by introducing
scenarios and developing plans to respond to major disruptions of the financial system (eg unavailability
of critical payment systems). Although not commonly covered by regulatory or supervisory activities, these
32 MAS (2013).
33 Adrian and Ferreira (2023).
34 BCB (2021), Cyber security policy, February 2021.
35 Adrian and Ferreira (2023).
36 See Kleijmeer et al (2019).
Banks’ cyber security – a second generation of regulatory approaches 19
initiatives contribute to the development of controls and practices to mitigate potential systemic crises
(see Box 1). In the same way, it is worth mentioning that some national cyber exercises involve different
sectors that could be impacted by disruptive cyber incidents, such as energy, telecommunications and
Cyber testing and exercises
Testing is certainly one of the key elements when designing a sound cyber resilience framework. Cyber threats are
constantly evolving, new software vulnerabilities are discovered every day, and cyber attacks are getting increasingly
complex. It is well understood that financial institutions’ cyber resilience needs to be periodically tested to ensure
implemented security controls and capabilities are still adequate to properly manage cyber risk and mitigate the
impact of cyber incidents.
Penetration testing and vulnerability analysis are useful tools to discover the security weaknesses of IT
solutions and services. The use of code analysis tools and the implementation of development, security and operations
(DevSecOps) are examples of practices and procedures that can be considered for the provision of secure IT solutions
and services. But there are circumstances in which the implemented controls are not sufficient to ensure a secure
environment (for instance, in the occurrence of zero-day vulnerabilities). Thus, security teams need to have the
capabilities to respond to and recover from cyber incidents. Kleijmeer et al (2019) provided an overview of red teaming
requirements in a number of jurisdictions, discussing their characteristics and the conditions necessary for their
implementation. Some jurisdictions already require the implementation of red teaming, at least for relevant financial
institutions, for example, CBEST from the Bank of England and Prudential Regulation Authority (PRA), Australia’s Cyber
operational resilience intelligence-led exercises framework (CORIE)®, the European framework for threat intelligencebased ethical red-teaming (TIBER-EU), and Saudi Arabia’s Financial entities ethical red-teaming framework (FEER).
Despite the development of initiatives to improve the cyber security framework of financial institutions,
additional actions may be necessary to ensure financial stability. The financial sector’s business processes are
becoming more and more distributed, resulting in the increased interconnection of different stakeholders. Moreover,
new innovative projects, such as new solutions for cross-border payments, reinforce the importance of discussing the
implications and risks arising from these new distributed arrangements as a cyber incident at one financial institution
can affect other institutions and have implications for financial stability.
Typically, system-wide cyber exercises include tabletop simulations used to test crisis management and
communication protocols in the event of systemic cyber incidents. These exercises are very useful for testing
established contingency and communication plans, and for identifying situations that require coordination between
different institutions or even between different critical sectors (for example, coordination between the financial sector
and the telecommunications sector). The Hamilton Series is an example of a tabletop exercise coordinated by the FSISAC and the US Treasury. It resulted in Sheltered Harbor, an initiative that includes a standard for critical customer
account data backups designed to “protect customers, financial institutions, and public confidence in the financial
system if a catastrophic event like a cyber attack causes an institution’s critical systems to fail”. SIMEX, a high-profile
biannual sector-wide simulation exercise coordinated by PRA and Bank of England, is another initiative designed to
validate the effectiveness of the sector framework for responding to severe but plausible sector-wide operational
With the proliferation of increasingly distributed business processes, system-wide cyber exercises can
become an essential tool for financial stability. These exercises can make it possible to test crisis scenarios with
implications for financial stability and thus to identify mitigating actions that require coordination between the
different relevant players. In addition, these exercises can support the establishment of contingency arrangements
that can be implemented to strengthen the financial system’s operational resilience.
20 Banks’ cyber security – a second generation of regulatory approaches
42. Since a number of successful cyber attacks are the result of routine weaknesses in the basic
maintenance and security of hardware and software, it is unsurprising that cyber hygiene is a key
element of cyber regulations of banks as well as in national cyber security strategies. Regulators
have added cyber hygiene requirements to their regimes. For instance, in the US, supervisory expectations
for an effective cyber security posture include basic cyber hygiene, such as IT asset management,
vulnerability management, and patch management.37 In Singapore, banks (and other financial institutions)
need to comply with cyber hygiene requirements related to securing accounts with full privileges and
unrestricted access; applying periodic security patching; establishing baseline security standards;
deploying network security devices; implementing anti-malware measures; and strengthening user
Third party dependencies
43. Third parties are widely used by banks to provide services, systems and IT solutions that
support banks’ operations. Traditionally, third parties refer to the providers of outsourced activities. In
the cyber security context, third parties can be defined in a much broader sense to include products and
services that are typically not considered as outsourced (eg power supply, telecommunication lines,
hardware, software) as well as interconnected counterparties (eg payment and settlement systems, trading
platforms, central securities depositories and central counterparties). These third parties may hold or may
be able to access non-public information of banks and their customers. In addition, cyber security
vulnerabilities in these third parties could become channels of attack on banks. The security capabilities of
third-party service providers are therefore critical elements of any cyber security framework.
44. In most cases, regulators use outsourcing regulations to address third party dependencies.
Outsourcing regulations typically require either prior notification or authorisation of material outsourcing
activities, the maintenance of an inventory of outsourced functions and submission of reports on
measurements of service level agreements (SLAs) and the appropriate performance of controls. Some
outsourcing regulations also require sub-outsourcing activities to be visible to regulated entities so that
they can manage the associated risks. In addition, outsourcing regulations generally require that banks
develop management- and/or board-approved outsourcing and contractual frameworks that defines
banks’ outsourcing policies and governance and set out the respective obligations of the institution and
the service provider in an outsourcing agreement.
45. Regulations stress the importance of aligning business continuity as well as information
confidentiality and integrity when dealing with third parties. Business continuity plans of critical third
party providers (and their subcontractors) should be aligned with the needs and policies of the bank in
terms of business continuity and security. Data confidentiality and integrity are especially emphasised
when it comes to third parties providing data processing services. This issue is addressed in general data
protection requirements, contractual terms that are required to include a confidentiality agreement, and
security requirements for safeguarding the data of a bank and its customers.
46. Many jurisdictions have specific regulatory requirements for the use of the cloud by banks.
These range from requiring information transferred to the cloud to be subject to a contractual clause on
data confidentiality and security to more specific requirements. Examples of specific requirements include
those relating to data location (eg restricting the transfer of data abroad, the requirement that the location
of at least one data center for cloud computing services be in the country or region), data segregation,
37 Board of Governors of the Federal Reserve System, Supervision and Regulation Report , November 2021.
38 MAS Notice # 655, Notice on Cyber Hygiene to Banks in Singapore, Banking Act (Cap.19), 6 August 2019.
Banks’ cyber security – a second generation of regulatory approaches 21
data use limitations (eg requiring explicit client consent for data handling by third parties), treatment of
data in case of an exit from the third party agreement, and the right to audit.
47. More recently, at least a couple of jurisdictions have been moving towards having
oversight frameworks for critical third parties. Financial institutions’ increased reliance on technology
and the additional complexity and interconnections that technology has brought to the financial
ecosystem pose operational risks not only for individual institutions but also for the financial system. This
is especially true for the increasing use of cloud services, in which disruption could lead to severe
consequences for the national and international financial system. This is largely because cloud services are
provided by only a handful of technology companies, which operate globally. This highlights that the
current approach of relying on financial institutions to manage the risks arising from third party services
may not be sufficient (see Box 2), and that this may need to be complemented with an oversight framework
for critical third parties.39 The EU has already approved its Digital Operational Resilience Act (DORA), which
provides for this oversight framework. In the UK, the Bank of England and the Financial Conduct Authority
(the UK regulators) jointly issued a discussion paper on the same issue, following the issuance of a policy
statement by the UK HM Treasury. Feedback on the discussion paper will feed into a consultation paper
that is expected to be published after the relevant primary legislation giving the UK regulators oversight
of critical third parties (currently before the UK Parliament) is adopted. These are in addition to jurisdictions
that already have inspection powers over third parties, either through formal requirements (eg Singapore
and the US) or voluntary engagements (eg Australia).40
39 Prenio and Restoy (2022).
40 BCBS (2018).
22 Banks’ cyber security – a second generation of regulatory approaches
41 Monitoring controls include dashboards and logging capabilities offered by CSPs and financial institutions’ own customised,
compatible solutions to monitor operational performance and security threats.
42 For example, NIST SP 500-291 Cloud computing standards roadmap or SP 500-332 Cloud federation reference architecture.
43 See CRI (2022).
44 One of the most common kinds of third-party service provider audits is the SOC2 reports, conducted in accordance with the
American Institute of Certified Public Accountants standards for assessing service organisations. SOC2 reports involve an
evaluation of the security, availability, processing integrity, confidentiality, or privacy of information and systems across an
entire entity, a particular subsidiary or operating unit, or a particular function. The SOC2 report can be a type I report, a point
in time assessment largely based on documented controls, or type II report, a sustained observation of a period in time.
Typically, CSPs will offer options within the contract that will allow the financial institutions to receive SOC reports or additional
reports or evidence for an additional fee.
Cloud computing and cyber resilience
Adoption of public cloud services in the financial sector has rapidly increased over the last decade (US Treasury 2023).
Financial institutions (FIs) have various motivations for using cloud services, including enhanced cyber security
capabilities. FIs expect to benefit from increased resilience to cyber incidents through the use of multiple data centres
from the same cloud service provider (CSP) and access to state-of-the-art security technology in cloud services (eg
broader use of encryption and superior built-in logging capabilities).
Cloud services are generally deployed using a “shared responsibility” model. This involves a division of
responsibilities between CSPs and FIs concerning “security-of-the-cloud” (CSP) and “security-in-the-cloud” (FIs).
Although this division of responsibilities varies depending on the chosen service, CSPs generally commit to maintain
a security baseline and resilience controls for the purchased cloud service while FIs are typically responsible for the
design and configuration of and access to the cloud services, including the respective security controls. The cloud
service contract reflecting the “shared responsibility” model generally includes cyber security as a critical component
of the evaluation, development and testing application of the cloud services and outlines the division of cyber
resilience tasks between FIs and CSPs (eg threat detection, incident response, patching).
FIs face various challenges with the implementation of the “shared responsibility” model. Some of them are
connected with the misconfiguration of cloud services, which has resulted in a variety of cyber incidents. In most cases,
these are due to a lack of skilled staff able to develop sound architecture for cloud applications, as well as to the
complexity involved in deploying and securing certain cloud service offerings. Another group of challenges relates to
a lack of understanding of CSPs’ cyber security capabilities based on available information (eg lack of information
regarding cyber security incidents and testing results). A third type of challenges relates to the weak bargaining power
of smaller financial institutions in negotiating contracts with CSPs.
In spite of the “shared responsibility” model, financial authorities deem FIs as ultimately responsible for
managing their cloud services risks, including those related to operational resilience and cyber risks. Recent practices
in the financial sector show that FIs are seeking to fulfil this expectation while overcoming challenges mentioned
above by: (1) implementing risk-based assessments of CSPs and their service in light of FIs’ risk appetite, risk
management framework and regulatory expectations; (2) establishing security, resilience and monitoring controls41,
generally following well established industry standards such as those outlined by NIST42 and the Cyber Risk Institute
(CRI)43; and (3) auditing or testing operational or security capabilities offered by CSPs. It is becoming increasingly
common practice for cloud service contracts to allow FIs’ own internal auditors, regulators and/or third parties to
conduct these audits and/or test security controls. Some FIs rely on third-party assurance reviews, such as service
organisation controls (SOC) reviews44, penetration tests, and vulnerability assessments, to understand CSP’s control
environment. Other FIs are combining their resources to conduct or hire auditors to conduct “pooled” audits and
certifications or are considering doing so.
Banks’ cyber security – a second generation of regulatory approaches 23
Cyber security culture and awareness
48. Banking regulators emphasise the importance of disseminating a cyber security culture to
banks’ staff, third-party providers, clients and users. Regulators highlight the responsibility of the
board and senior management to promote a cyber security culture, which is typically supported by training
programmes suitable for different target audiences (staff, providers, clients etc). In the US, a supervised
institution with a strong security culture generally integrates its information security programme into its
line of business, support functions, third-party management and new initiatives. The Brazilian regulation45
requires banks to establish mechanisms for dissemination of a cyber security culture within the institution,
including the provision of information to clients and users regarding precautions when using financial
products and services.
49. Most regulators establish cyber security awareness and training requirements. According to
Ponemon Institute (2022), negligent employees or contractors are a major source of cyber security
incidents.46 In light of this, most regulations require cyber security awareness programmes for staff,
contractors and service providers of the supervised institution. These programmes aim to reinforce the
cyber security culture of the institution. They generally take the form of periodic training and are envisaged
to cover at least the existing cyber threat landscape, the institution’s information security policies and
procedures, and the individual’s cyber security responsibilities. Some regulators, such as the Saudi Arabian
Monetary Authority (SAMA), require institutions to measure the effectiveness of their awareness
programmes and to foster their customers’ awareness as part of these programmes. Other regulators, such
as the Bank of Israel, require institutions to foster their service providers awareness too and to review their
programmes periodically according to the cyber threat landscape and corresponding risk assessment.
Cyber security workforce
50. Regulators expect banks to allocate adequate resources to implement their cyber security
framework. Although drawing up expectations regarding cyber security expertise is quite challenging,
given that different banks are likely to have different needs related to cyber security staff, many regulators
stess that the implementation of a sound cyber security framework depends on the allocation of adequate
resources, including human resources with the necessary skills to implement the cyber security strategy.
Hong Kong is unique in that it has established the Enhanced competency framework on cybersecurity
(ECF-C), which sets out the common core competences required of cyber security practitioners in the Hong
Kong banking industry. While the ECF-C is not mandatory, banks are encouraged to adopt it in order for
the banking industry to; (i) develop a sustainable talent pool of cyber security practitioners; and (ii) raise
and maintain the professional competence of cyber security practitioners.47 It is also worth noting
Carnegie’s efforts to develop capacity with the launch in 2019 of a “Cyber resilience capacity-building
toolbox for financial organizations” together with several partner organisations.
51. On the regulatory and supervisory side, there is also a need to ensure that they have the
requisite resources to implement cyber security regulations. Coming up with cyber regulations is the
easy part because these are mainly based on international standards, but enforcing these regulations is
the real challenge. Supervisory staff should be able to properly assess whether banks are following the
45 BCB (2021).
46 This Ponemon Institute report includes survey responses from over 1,000 IT professionals worldwide, all of which have
experienced a recent cybersecurity incident due to an insider threat. This report concludes that, over the past two years, insider
threats have increased "dramatically", with 56% of insider-related incidents caused by a negligent employee.
47 HKMA (2016).
48 See FinCyber Project (2019). Carnegie’s partners in this initiative include the IMF, SWIFT, FS-ISAC, Standard Chartered, the Cyber
Readiness Institute, and the Global Cyber Alliance. A new version of the tool was launched in 2021.
24 Banks’ cyber security – a second generation of regulatory approaches
spirit of the regulations and not merely doing a box-ticking exercise This entails attracting and retaining
staff with relevant cyber expertise which is another challenge for the regulatory community. To mitigate
these challenges, regulators are using various approaches such as developing internal talent through
professional development requirements (eg MAS and Bank of Italy) and centralising their risk specialists,
including cyber risk experts, in single units (eg Bank of England).
49 However, based on an IMF survey, 68%
of authorities in 51 EMDEs lack a specialised risk unit in their supervision department.50
Cyber resilience metrics
52. Regulators do not typically require banks to submit or monitor specific cyber resilience
metrics. The few regulators that do so have very high-level requirements. Typically, such requirements ask
banks to define metrics that indicate the effectiveness of their cyber security practices or to highlight the
information assets that have the highest risk exposure.
53. Where it exists, the requirement to define metrics and indicators forms part of reporting,
monitoring, controlling and incident management activities. APRA, for example, provides practical
guidance to its banks on what types of quantitative and qualitative information would give boards and
senior management a clearer picture of their cyber security.51 For example, the guidance states that results
of control testing activities and security events detected could be some of the information that could be
provided to the board and senior management. The BSP, on the other, hand, requires banks to define
metrics or indicators of possible compromise to enhance fraud detection and monitoring capabilities and
facilitate regulatory cyber incident reporting. This could include access to a highly sensitive system beyond
office hours and failed log-in attempts of privilege user accounts.52
54. Examples of metrics mentioned in existing regulations only provide broad information on
banks’ approaches to building and ensuring cyber security and resilience. This shows that the
development of cyber resilience metrics for supervisory purposes is still at an early stage. The nature of
cyber risk, however, makes a backward-looking approach to cyber resilience metrics ineffective. Cyber
threat players are dynamic and continuously adapt to responses and protective measures. There is thus
an increasing recognition of the need for forward-looking indicators as direct and indirect metrics of cyber
security and resilience.
Section 5 – Conclusion
55. Banking regulations relating to cyber security and cyber resilience have matured and are
now well established in several jurisdictions. The regulations relating to cyber security and cyber
resilience covered in Crisanto and Prenio (2017) were quite new. These regulations existed only in a few
jurisdictions – mainly in Aes – and focused on establishing a cyber risk management approach and
controls. Six years hence, many jurisdictions, including EMDEs, already have cyber-related regulations in
place. Many of these newer regulations (or second-generation cyber regulations) focus on improving cyber
resilience capabilities and providing financial institutions and authorities with tools to manage cyber risks
adequately. Nonetheless, a material number of EMDEs still do not have relevant regulations.
49 Mauer and Nelson (2020).
50 Adrian and Ferreira (2023).
51 Attachment H of APRA (2019).
52 Appendix 75 of the BSP’s Manual of Regulations for Banks.
Banks’ cyber security – a second generation of regulatory approaches 25
56. Regulators are adding specific requirements or expectations on some areas or add new
elements in their cyber regulations. There are now more specific regulatory requirements on cyber
incident response and recovery, as well as on third-party management and oversight, incident reporting
and testing frameworks. A few jurisdictions have also introduced requirements or expectations for cyber
security workforce and cyber resilience metrics. However, cyber security strategy, cyber incident reporting,
threat intelligence-sharing, third party dependencies and cyber resilience testing are still the primary focus
of these regulations.
57. Cyber regulations in EMDEs tend to be more prescriptive. This is especially the case when it
comes to cyber security strategy, governance arrangements – including roles and responsibilities – and
the nature and frequency of cyber resilience testing. Banking regulators in EMDEs perhaps see the need
to strengthen cyber resilience culture across the financial sector and/or to be clearer and more specific in
their expectations given the resource constraints and limited supply of skills and expertise in their
jurisdictions. This way, banks’ boards, senior management and staff have concrete guidance to follow in
enhancing cyber security of their institutions.
58. There is a need to guard against a compliance-based approach to dealing with cyber
security. Too much prescriptiveness may result in a tick-box approach to cyber security. Putting cyber
regulations in place should not be viewed as a tick-box exercise either. It should be complemented by
appropriate supervisory resources to ensure effective implementation and enforcement. There is scope
therefore for international organisations and financial authorities in Aes to support supervisory capacity
building efforts in EMDEs, particularly in the area of cyber security. After all, cyber threats know no
59. International work (eg by the SSBs and the G7) has facilitated a helpful level of cyber
resilience convergence in the financial sector, but more work is needed. No single firm or regulator
can successfully tackle cyber risk alone. Moreover, the cross-border nature of cyber risk requires a
reasonable degree of alignment in national regulatory expectations. The work by the G7 CEG and the SSBs
on cyber resilience has made financial regulatory and supervisory expectations more consistent across
different jurisdictions and is therefore a step in the right direction. In particular, the FSB’s proposal for
greater convergence in cyber incident reporting is an important development since it tries to reconcile
differing jurisdictional requirements that only burdens supervised institutions rather than help address
these incidents. Going forward, there might be scope to align the ways in which authorities assess the
cyber resilience of supervised institutions. This could, for example, include aligning the assessment of
adequacy of a firm’s cyber security governance, workforce and cyber resilience metrics. Moreover, given
the potential cross-border implications for the financial system of a cyber incident at one critical thirdparty provider, particularly a cloud provider, there might be scope to consider an international oversight
framework for such providers.