Out-Law News

Financial services firms need clear cybersecurity plans, say G7 ministers


Financial services firms must put clear and detailed cybersecurity strategies in place including plans for how to respond to an attack, G7 finance ministers have said in a report on cybersecurity in the sector. 

The G7 Fundamental Elements of Cybersecurity for the Financial Sector report proposes eight 'elements' of cybersecurity that the G7 believes represent "best practices in cybersecurity for public and private financial sector entities of all sizes … designed to be tailored and proportionate to the particular characteristics of each entity and the cyber risks it faces".

The elements include the need for a cybersecurity strategy and framework, and defined governance to ensure it is clear who is responsible for each aspect of security.

Organisations must identify where risks lie, and implement controls to manage these, the G7 said. Monitoring systems can then be set up to rapidly detect cyber incidents, and also to periodically evaluate the effectiveness of controls, it said.

Plans should also cover fast, effective responses to a cyber incident and plans for recovery, with information sharing and continuous learning to keep up to date.

Japan's Ministry of Finance said: "Cyber attacks have grown in terms of frequency, severity, and sophistication, and improving the cybersecurity of the international financial system is a critical objective for G7 countries. Cyber incidents cross national boundaries and malicious cyber activity may originate in any country in the world."

Sarah Bloom Raskin, co-chair of the G7 cyber expert group, said: "Cyber threats present a set of pressing operational, reputational and financial stability risks facing the international financial system. Sovereign borders do not contain these threats, and accordingly, nations must work together to address them. The fundamental elements announced today are a significant achievement in our efforts to cooperate and improve cybersecurity within our countries. They are also a testament to the growing international resolve to counter cyberattacks and I encourage private and public sector leaders alike to use them to drive and fortify their institutions’ cybersecurity and resiliency."

The UK began an annual survey of cybersecurity breaches this month. Businesses have been asked to share their experience of protecting against, handling and responding to cyber attacks, as well as the costs they have sustained from successful breaches, in a new government-commissioned survey.

Carried out by Ipsos MORI, the survey will conclude in December, with the results expected to be published early next year.

The Cybersecurity Breaches Survey 2016 revealed that 65% of major UK businesses experienced at least one cyber security breach or attack in the previous year. A quarter of large firms that fell victim to breaches experienced such incidents at least once a month, the survey report said.

The report also highlighted that many UK companies lack formal cybersecurity policies and a plan to manage incidents when they occur.

Last month the National Audit Office (NAO) urged the UK government to adopt a "new approach" to data security after it concluded that "too many bodies" within government have "overlapping responsibilities" for information security matters.
