On October 13, 2017, finance ministers and central bank governors of the Group of Seven (the “G-7”) released a report entitled Fundamental Elements for Effective Assessment of Cybersecurity for the Financial Sector. The G-7 report (the “Report”), available here, features non-binding guidance to aid the assessment of financial sector entities’ cybersecurity procedures and follows an analysis released by the G-7 last year describing the fundamental elements of cybersecurity for financial entities. The guidance in the Report is not prescriptive; rather, it is designed to inform companies and promote internal discussions about best practices for effective assessments.
The Report is divided into two parts, Part A and Part B. Part A describes five “desirable outcomes” financial entities should be able to demonstrate as part of an assessment. The first desirable outcome is that the fundamental elements identified in last year’s G-7 cybersecurity analysis are in place, including a cybersecurity strategy and framework, effective monitoring, response and recovery procedures, and information sharing. Outcome 2 is that cybersecurity concerns meaningfully impact decision-making at the financial entity, meaning cybersecurity is not “viewed as separate from the concept, design, and operation of entities’ core business processes but as … a key strategic consideration, both when developing new products and services, and when assessing the effectiveness of business operations that utilize existing technology or infrastructures.”
The Report’s third desirable outcome is an appreciation for the fact that cyber disruptions are not an if, but a when. Per the Report, financial sector companies “that fail to recognize this concept may exhibit an imbalance by having an over reliance on perimeter controls, at the detriment of clearly defined and regularly exercised responses … and a viable, tested contingency plan for the resumption of operations….” Outcome 4 states that financial entities must aim for an adaptive approach to cybersecurity in light of the constantly evolving threat environment. Outcome 5 focuses on promoting a culture of effective cybersecurity at a financial company.
Part B of the Report describes five components of strong cybersecurity assessments. The Report notes that as companies “strive to achieve the desired outcomes [described in the Report] … there is a necessity to conduct regular assessments to measure the effectiveness of their cybersecurity programs.” Component 1 is that the assessor must have clear objectives so that both the assessor and financial entity are motivated throughout the process and held accountable. Component 2 builds on Component 1, noting the importance of effectively communicating the methodology and expectations of the assessment.
The third component urges financial entities to “maintain a diverse toolkit and process for tool selection.” The Report points out that toolkits for cyber assessments can include “desktop reviews, self-assessments, on-site inspections, threat-based penetration testing, technical reviews (‘deep dives’), thematic reviews, and exercises.” Component 4 focuses on reporting—assessments must report clear feedback to financial sector entities to drive appropriate remedial measures—and Component 5 states that cyber assessments must be proportional, fair, and reliable.
Commenting on the release of the Report, U.S. Treasury Secretary Steven Mnuchin said that “a secure, safe, and strong financial sector is essential to promote real growth within the U.S. economy and across the world. Cybersecurity, particularly in the financial sector, is a top priority for the United States, and we are pleased to work with the members of the G-7 to advance a common approach that enhances resiliency.”