Oct 182016

G7 Sets Guidelines for Cybersecurity for the Financial Sector

William RM Long and Thomas Fearon
, , , , , , ,

As the financial services sector becomes ever more reliant on new technologies to decrease costs and create more efficient systems, it becomes more vulnerable to cyber attacks. On October 11, 2016, the Group of Seven (“G7”) industrial nations agreed on a set of guidelines to combat the cyber risks that are “growing more dangerous and diverse, [and] threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems.” These issues have been particularly visible following a number of high profile cybersecurity attacks at financial institutions.

The G7 sought to address these issues through eight non-binding, fundamental elements to be used by entities as building blocks to design their cyber-security strategy and operating framework.

The elements include:

  1. Cybersecurity Strategy Framework – establishing and maintaining a framework tailored to specific cyber risks, informed by the appropriate standards and guidelines.
  2. Governance – defining and facilitating roles and responsibilities of personnel to oversee the framework and provide the necessary resources and access to the governing authority.
  3. Risk and Control Assessment – identifying functions, activities, products and services and managing the risks within the tolerance set by the governing authority.
  4. Monitoring – systematic monitoring processes to detect cyber incidents and evaluate the effectiveness of controls and procedures.
  5. Response – timely assessment, impact mitigation, notifying stakeholders and coordinating joint responses to cyber incidents.
  6. Recovery – resuming operations while allowing for continued remediation.
  7. Information Sharing – sharing of information on cybersecurity threats and risks with internal and external stakeholders.
  8. Continuous learning – reviewing frameworks regularly and addressing changes in cyber risks.

The elements are designed to create cohesion between public authorities within and across jurisdictions who can use the elements to guide their public policy, regulatory, and supervisory efforts. They are designed as an alternative to specific regulatory standards, and as they are non-binding, allow for greater flexibility in implementation.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.