IIF Comment Letter on FSB Cyber Lexicon Consultation

Monday, August 27, 2018

On August 20, the IIF submitted comments to the Financial Stability Board (FSB) Consultative Document "Cyber Lexicon." The letter commends the active engagement of the FSB in the ongoing discussions among regulators, market participants and industry groups on this topic, and expresses the hope that our views will be taken into consideration in preparing the next stage of the Lexicon.

The letter says that IIF members support the creation of the Lexicon. Its objective of reinforcing the work that the FSB, standard setting bodies (SSBs), authorities and private sector participants are undertaking to address cyber security and improve cyber resilience in the financial sector is an important undertaking that will serve as a foundation for various cyber-related industry initiatives, such as the "financial sector profile", the certification of cloud providers, the homogenization of breach reporting, and the further development of cyber risk insurance.

The Lexicon is also a necessary first step towards reducing the regulatory fragmentation that we highlighted in the IIF Staff Paper "Addressing regulatory fragmentation to support a cyber resilient global financial services industry". The cross-sectoral application of the Lexicon - from banks to insurers to financial market infrastructure - recognizes the similar impact of cyber events across the financial sector and sets forth a common framework that should help reduce the number of similar, but not identical, industry cyber requirements. We encourage the FSB to work with SSBs and regional/national authorities across the financial sector to leverage the Lexicon where appropriate, to supplement it only where needed (for instance in the alignment of existing taxonomies and the development of new ones), and to continue this important work to help further reduce regulatory fragmentation in the cyber space.

Accordingly, we fully support the FSB's work to create a common lexicon of terms related to cyber security and cyber resilience. We are concerned, however, that the proposed definitions for "cyber security" and "cyber resilience" may unintentionally overlap, which makes it difficult to understand the difference between the terms and could hinder the Lexicon's ability to support the work identified in the consultative document. For example, "cyber resilience" is defined to include "The ability … to adapt to changes in the environment." "Cyber security", on the other hand, is the "Preservation of confidentiality, integrity, and availability of information …". It is unclear how the "ability to adapt to changes" differs from "preservation". Therefore, we encourage the FSB to include an in-depth discussion of the difference between "cyber security" and "cyber resilience" to clearly delineate those terms, which should better explain the objectives of the Lexicon.