Privacy & Information Security Law Blog

On October 11, 2016, Group of Seven (“G-7”) financial leaders endorsed the Fundamental Elements of Cybersecurity for the Financial Sector (“Best Practices”), a set of non-binding best practices for banks and financial institutions to address cybersecurity threats. The endorsement was motivated by recent large hacks on international banks, including the February 2016 theft of $81 million from the central bank of Bangladesh’s account at the New York Federal Reserve.

The Best Practices are divided into eight elements designed to help financial institutions tailor their cybersecurity practices to their specific operations, the relevant threat landscape, their role in the financial sector and legal and regulatory requirements. The elements include:

• establishing and maintaining a cybersecurity strategy and framework tailored to specific risks and relevant, applicable laws;
• defining and facilitating roles and responsibilities of governance personnel (e.g., boards of directors);
• assessing risks and controls to protect against those risks;
• establishing systematic monitoring processes to rapidly detect cyber threats and evaluate the effectiveness of existing controls;
• maintaining response procedures to timely identify, assess and contain a cyber incident and make required notifications;
• resuming normal operations responsibly with an eye toward continued remediation;
• sharing reliable cybersecurity information with internal and external stakeholders; and
• reviewing institutional cybersecurity policies and procedures regularly to address changes in cyber risks and resource allocations, and to amend procedures as necessary based on lessons learned.

The Best Practices emphasize the need for flexibility in the face of ever-evolving cyber threats, and stress that financial institutions should continuously re-assess their cybersecurity strategies and practices to effectively combat such threats.

Federal Reserve Board Chairman Stanley Fisher praised the G-7’s endorsement of the Best Practices, stating that, “The international financial architecture is only as strong as its weakest link and that is why the United States should work with our partners around the world to bolster their information security and resiliency...These elements are a crucial step in further hardening each link in the chain of our global financial system.”