IIF Response to FSB Cyber Incident Response and Recovery Toolkit

The Institute of International Finance (IIF) today responded to the Financial Stability Board (FSB) Consultative Document “Effective Practices for Cyber Incident Response and Recovery”. The proposed FSB toolkit of effective practices for cyber incident response and recovery is welcome and important given the constant need to address the frequency and scope of cyber incidents and the increased sophistication of cyber-attacks.

It is also timely given the increased focus of both authorities and the financial industry on building up resilience. While the financial industry has long been the sector most exposed to cyber-attacks, it is also often credited with having the most proactive policy, regulation and investment in risk management and governance practices with respect to IT.

In the Consultation response, the IIF elaborated on the following themes:
• The FSB CIRR toolkit complements the two previous FSB initiatives, which have helped to highlight and address market fragmentation across jurisdictions
• The FSB can help encourage jurisdictions to find common agreement on the definition of an “incident” and thresholds around “significance” and “materiality”
• The established practices can help strengthen the overall resilience of the financial system, especially for less mature firms on a proportional basis
• It is important that the practices are considered to be voluntary and principles-based, and that the wider financial ecosystem is also encouraged to consider using them
• The proposed practices could be more closely aligned with leading global practices and would thereby further help address regulatory and supervisory fragmentation
• There should be a coordinated approach to how regulators communicate with firms during a material incident

The IIF also encouraged the FSB to play a role going forward in the active debate taking place across jurisdictions among policy-makers and industry about what constitutes an “incident”, and to what extent such an event is “significant” or “material.” Clear definitions and thresholds would greatly help both authorities and industry prioritize what should be reported. By working together with its membership and other global standard-setters, the FSB can encourage agreement on key definitions and on how to establish a scalable “materiality” threshold which best captures relevant incidents in the financial system.

It will be increasingly important that relevant authorities have accurate and comparable data on significant cyber incidents, particularly given the growing range of market participants involved in the provision of financial services and products. Incident reporting is also an area that the IIF will be focusing on this year, and the IIF offered to support the FSB in this area later this year with key recommendations and to help coordinate industry viewpoints and expertise.