The threat and impact of cyberattacks on the financial sector are increasing, and financial sector authorities are increasingly looking to address cyber risk and cybersecurity.
Customers of financial services suffered 65% more cyberattacks in 2016 than customers of any other industry, which represented a 29% increase from the previous year, according to Bank Group estimates.
Improving coordination between financial sector authorities and other agencies dealing with cyber risk and cybersecurity is essential. To help advance this work, the World Bank Group has published two reports:
- Financial Sector’s Cybersecurity Regulatory Digest, which takes stock of existing regulatory and supervisory practices, including cybersecurity laws, regulations, guidelines and other significant documents on cybersecurity for the financial sector
- A paper on Financial Sector's Cybersecurity Regulation and Supervision
Several leading jurisdictions are strengthening regulatory and supervisory practices to deal with cyber risk. Best practices from around the world include:
- Establishing coordination protocols between financial sector authorities and other agencies involved in regulating and supervising cyber-risk, akin to those in place for financial stability.
- Voluntary and anonymous information-sharing of cyber incidents among market participants. Regulators may develop risk and incident taxonomies and require mandatory reporting to estimate the actual or potential impact on the continuity of essential services to facilitate information sharing.
- Some jurisdictions ask financial institutions to develop an ICT strategy and risk management framework, including incident response plans with a clear chain of command to take the necessary business decisions. Some countries also require the appointment of an information security officer.
- Financial institutions conduct regular testing and simulations of incident response capabilities.
However, more work is needed, as the paper on Financial Sector Cybersecurity Regulation and Supervision points out.