ECB Cyber Guidance
Cyber Challenge for the Financial Sector
“Cyber security has in recent years become an integral component of a board’s role in risk oversight, but directors often find themselves in unfamiliar territory when it comes to formulating policies and oversight processes that address cyber security risk. It can be especially challenging for directors to identify upcoming risks and avoid focusing too much on yesterday’s headlines.” Harvard Law School Forum on Corporate Governance and Financial Regulation
The Answer Lies in Leadership
The Group of 7 (G7) consists of Canada, France, Germany, Italy, Japan, the United Kingdom and the United States. It has recognised the interdependence of the global financial sector and the risks associated with cyber related threats that affect financial service institutions around the globe. In a positive step to deal with this, it formed a specialist team that has developed a guide based on eight fundamentals that leadership within the financial sector needs to embrace. These fundamentals have been adopted as guidance by the ECB and all regulators within its scope.
Fundamental #1 - Strategy and Framework
“Entities in the financial sector should establish cybersecurity strategies and frameworks tailored to their nature, size, complexity, risk profile, and culture...”
“...The purpose of a cyber security strategy and framework is to specify how to identify, manage, and reduce cyber risks effectively in an integrated and comprehensive manner.” G7 – ECB European Central Bank
Inherent Cyber Risk
The G7 has recognised that a one size fits all approach does not work and that it is imperative for a financial institution to calculate its own inherent cyber risk.
Inherent cyber risk is the risk associated with people, processes and technology in the absence of mitigating controls. CyberPrism calculates the unique inherent cyber risk of every organisation by assessing its unique cyber DNA and characteristics, including business model and dependencies.
Fundamental #2 - Governance & Oversight
“Consistent with their missions and strategies, boards of directors (or similar oversight bodies for public entities or authorities) should establish the cyber risk tolerance for their entities and oversee the design, implementation, and effectiveness of related cybersecurity programs...”
“...Effective governance structures reinforce accountability by articulating clear responsibilities and lines of reporting and escalation.
Effective governance also mediates competing objectives and fosters communication among operating units, information technology, risk, and control related activities.” G7 – ECB European Central Bank
Effective Governance and Oversight
The G7 has recognised that effective leadership and governance are key to dealing with the cyber challenge.
CyberPrism supports an effective cyber governance and oversight model with aspects such as board level metrics together with MI (Management Information) that holistically cover all aspects of the business. It empowers leaders to make key decisions on risk management and resourcing and to ensure the cyber strategy and framework is aligned with their business strategy.
Fundamental #3 - Assess Risk & Control
“Ideally as part of an enterprise risk management program, entities should evaluate the inherent cyber risk (or the risk absent any compensating controls) presented by the people, processes, technology, and underlying data that support each identified function, activity, product, and service.” G7 – ECB European Central Bank
Cyber Maturity Assessment
The G7 has recognised the relationship between inherent risk and the required controls, including the appropriate maturity of those controls.
The CyberPrism award winning assessment methodology is based on analysing the inherent cyber risk of an organisation and then calculating the appropriate controls and their appropriate maturity level. Stage 1 of the assessment calculates the inherent risk and stage 2 completes a holistic cyber control assessment. At that point the analysis can calculate the current “cyber status” vis-à-vis what is actually required by the organisation. This methodology is fully in line with and supports the approach of the G7 guidance, and it produces a comprehensive regulatory grade cyber assessment report with guidance.
Fundamental #4 - Monitoring
“Effective monitoring helps entities adhere to established risk tolerances and timely enhance or remediate weaknesses in existing controls. Testing and auditing protocols provide essential assurance mechanisms for entities and public authorities alike.” G7 – ECB European Central Bank
Monitoring Management System and Technical
The G7 has recognised that monitoring the effectiveness of controls is a key imperative. This guidance applies not only to “system monitoring” by the NOC (Network Operations Centre) and SOC (Security Operations Centre) teams. It also applies to monitoring the effectiveness of the management system, that is the policies, processes and related controls required to support your cyber risk strategy and framework.
CyberPrism facilitates ongoing periodic reviews of not just the technical controls but also the management controls. The tool and methodology also facilitate gathering level 4 documents (evidence) that controls are in place and are effective. It empowers an organisation to articulate “What they do, how they do it and prove they do it”.
Fundamental #5 - Incident Response
“As part of their risk and control assessments, entities should implement incident response policies and other controls to facilitate effective incident response.” G7 – ECB European Central Bank
Cyber Incident Response Management
The G7 has recognised that cyber breaches are inevitable. Organisations should have effective and appropriate cyber incident response controls. This not only includes “responsive” controls but also “detective” controls. Think smoke alarms and fire extinguishers in relation to cyber.
CyberPrism facilitates ongoing periodic reviews of the entire cyber incident response process, including all related supporting processes such as threat intelligence. “Would you know if you had a cyber incident? Have you the ability to respond? When and why is it appropriate to escalate and notify the board or regulatory bodies?” CyberPrism helps you deal with the cyber incident management challenge and answer these questions.
Fundamental #6 - Cyber Incident - Recovery
“Once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritisation of critical economic and other functions and in accordance with objectives set by the relevant public authorities.” G7 – ECB European Central Bank
BCP – DR – Cyber Resilience
The G7 has recognised that cyber breaches are inevitable and that organisations need to be able to confidently demonstrate not only their ability to reduce the likelihood and impact of a significant attack but also to provide assurance that the organisation has the capability to recover from a cyber crisis.
The CyberPrism methodology reviews and assesses all related aspects, including the relationships between all key stakeholders and third party vendors. Recovery is a complex issue potentially involving every facet of the organisation. It is imperative that the leadership understands its current capability and identifies any shortcomings. CyberPrism helps the board and all supporting entities within an organisation assess their ability to recover from a cyber crisis.
Fundamental #7 - Information Sharing
“Sharing broader insights among entities, between entities and public authorities, and among public authorities deepens collective understanding of how attackers may exploit sector-wide vulnerabilities that could potentially disrupt critical economic functions and endanger financial stability.” G7 – ECB European Central Bank
Me Today – You Tomorrow!
The G7 has echoed the voice of organisations such as the ICTTF (International Cyber Threat Task Force):
“It Takes a Network to Defeat a Network”
No organisation is immune; organisations large and small are interconnected and depend on each other. Understanding your environment and identifying current cyber threats is a key maturity objective of CyberPrism, which includes a dedicated, focussed domain on threat intelligence.
Fundamental #8 - Continuous Learning
“Entity-specific, as well as sector-wide, cybersecurity strategies and frameworks need periodic review and update to adapt to changes in the threat and control environment, enhance user awareness, and to effectively deploy resources.” G7 – ECB European Central Bank
Me Today – You Tomorrow!
The G7 recognises that “cyber” is a moving target. Business models change, and the threat landscape, particularly geopolitically related cyber threats, is dynamic. Therefore it is imperative that organisations continually evolve and adapt to the cyber challenge.
CyberPrism facilitates an organisation continually assessing its status as its business strategy and model develop. CyberPrism gives the leadership team a single pane view of the current cyber risk status that is always in line with the latest regulatory guidance. It allows the organisation to learn and adapt over time by tackling the issues in a prioritised fashion via policy augmentation, development and training.
CRI Cyber Risk International works with financial service organisations around the globe of all sizes and types. Our mission is to “empower cyber leadership”. We can provide you with the tools and support you need to deal with all your cyber risk related challenges.
We Are Here to Help
Contact us for a free no obligation consultation and learn how CRI and our partners can help you deal with the cyber challenge.
Phone +353(0)1-905 3260
CyberPrism supports the latest guidance from the following authorities:
- Central Bank of Ireland
- Bank of England (BoE)
- Prudential Regulation Authority (PRA), a subsidiary of the BoE
- Financial Conduct Authority (FCA)