December 7, 2021

Volume XI, Number 341


December 06, 2021


G-7 Publishes Fundamental Elements of Cybersecurity for Financial Sector

On October 11, 2016, the finance ministers and central bank governors of the Group of 7 (G-7) countries announced the publication of the Fundamental Elements of Cybersecurity for the Financial Sector, a non-binding guidance document for financial sector entities. The publication describes eight fundamental “elements” of effective cybersecurity risk management to guide public and private sector entities in designing cybersecurity programs based on their specific risk profile and culture. The goal of the G-7 is to provide a common framework for the financial sector to develop security programs that will “help bolster the overall cybersecurity and resiliency of the international financial system.”

The eight elements describe the core components of a comprehensive cybersecurity program, while leaving the strategic and operational details to each entity. The publication is not intended to serve as a binding, one-size-fits-all set of requirements; rather, it describes high-level programmatic “building blocks” that each entity can customize to its own security strategy and operating structure. Each entity should tailor its application of the elements based on an evaluation of its “operational and threat landscape, role in the sector, and legal and regulatory requirements,” and be informed by its specific “approach to risk-management and culture.”

A summary of the actions that entities can take for each of the eight elements is provided below.

  • Cybersecurity Strategy and Framework: Entities should establish and maintain a cybersecurity strategy and framework that is—

    • Tailored to the “nature, size, complexity, risk profile, and culture” of the specific entity; and

    • Informed by international, national, and industry standards and guidance.

  • Governance: Effective governance structures for cybersecurity strategy and framework consist of—

    • Defining the roles and facilitating the responsibilities of personnel responsible for the cybersecurity strategy and framework;

    • Providing relevant personnel with the appropriate authority to accomplish their job functions;

    • Allocating adequate resources to the program;

    • Establishing the cyber risk tolerance for the entity; and

    • Ensuring proper oversight of related cybersecurity programs.

  • Risk and Control Assessment: Adequate risk management and risk assessment, while based on the entity’s particular risk tolerance, should include—

    • Identifying cyber risks associated with key entity functions, activities, products, and services—including interconnections, dependencies, and third-party risks;

    • Prioritizing the identified functions and activities by relative importance and potential impact of risk; and

    • Implementing controls, including systems, policies, procedures, and training, to avoid and mitigate identified cyber risks.

  • Monitoring: Establish monitoring and regular assessment programs that—

    • Are designed to detect cyber incidents rapidly;

    • Include “network monitoring, testing, audits, and exercises” to evaluate effectiveness of controls;

    • Can be used to enhance or remediate controls as necessary; and

    • Are conducted by personnel independent from the function that manages and implements the cybersecurity program.

  • Response: An incident response plan should provide clear guidance and be designed to allow an entity to complete the following crucial functions—

    • Assess the nature, scope, and impact of a cyber incident;

    • Contain and mitigate the incident;

    • Notify relevant stakeholders; and

    • Coordinate any necessary joint response with other entities.

  • Recovery: Entities should establish recovery plans to “resume operations responsibly, while allowing for continued remediation” by—

    • Eradicating harmful remnants of the incident from systems;

    • Restoring systems and data to normal;

    • Identifying and mitigating all exploited vulnerabilities;

    • Remediating vulnerabilities to prevent similar incidents; and

    • Communicating appropriately, both internally and externally.

  • Information Sharing: Entities should consider sharing information promptly after an incident to deepen collective sector-wide understanding of exploits and mitigate the risk of potential broader disruption of the financial system. Information sharing should—

    • Be timely, reliable, actionable, and technical;

    • Identify threat indicators, vulnerabilities, and methodologies used in exploits; and

    • Be directed at assisting financial sector stakeholders, as well as non-financial sector public and private entities, in enhancing defenses, limiting damage, increasing situational awareness, and broadening learning.

    The guidance also asks entities to identify and address any impediments to or concerns with information sharing.

  • Continuous Learning: An entity should periodically (or as needed) review and update its cybersecurity strategy and framework. Updates should—

    • Address changes in risk, such as emerging vulnerabilities and changes in financial sector products, services, or technical developments; and

    • Incorporate lessons learned from recent cyber incidents.

© 2021 Covington & Burling LLP

National Law Review, Volume VI, Number 291

About this Author

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.  Our practice provides exceptional coverage of all of the substantive areas of privacy, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions.  One of our core strengths is the ability to advise clients on relevant privacy and data security rules worldwide,...