Cybersecurity and financial sector firms: IOSCO poses 15 sample questions to ask when reviewing your practices
The IOSCO Cyber Task Force has produced a set of questions to assist in understanding core cybersecurity standards and to promote international consistency in the fight against cybercrime.
The International Organization of Securities Commissions (IOSCO) is a global cooperative of securities regulatory agencies whose members include, amongst many others, the financial regulators in the US (CFTC and SEC), UK (FCA), France (AMF), Hong Kong (SFC) and Australia (ASIC).
The IOSCO Cyber Task Force has produced a sample set of 15 questions which is included in a final report prepared by the Task Force (in consultation with the IOSCO Affiliate Members Consultative Committee and other industry stakeholders) and issued by the IOSCO Board on 18 June 2019.
It will come as no surprise that the report highlights cyber risk (defined as the combination of the probability of cyber incidents occurring and their impact) as one of the top threats to financial markets today. It notes that, as that risk has grown, so too have domestic and international efforts to address it.
IOSCO therefore aims by this report to provide a resource for regulators and firms to raise awareness of existing international cyber guidance and to encourage the adoption of good practices among the IOSCO community – a crucial international agenda to promote when the nature of cybercrime is transnational.
The questions are intended to assist financial sector entities operating in IOSCO jurisdictions in understanding certain key structural components commonly found in the 'Core Standards'.
What are the Core Standards?
The Core Standards are three examples of well-received and widely used cyber standards and frameworks used by IOSCO members:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework;
- CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures; and
- International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards.
Which cybersecurity standard to apply?
The Task Force's survey found that a majority of respondents indicated that their domestic regime was generally or entirely consistent with one of the Core Standards, but no one standard predominates. Almost half of respondents indicated that they are flexible and not prescriptive as to which standard they may use to comply with their domestic regime, although a number of common cyber strategies, policies or framework elements were identified across respondents (such as collaboration between government and industry on cybersecurity, and international cooperation between governments to fight cybercrime).
Although the Core Standards share many of the same objectives (namely the identification, detection and management of cyber risk), each offers a different approach in both scope and detail. The NIST Framework was one of the first specific cyber standards, and has been incorporated directly into national legislation of countries including Italy. ISO certification, the most relevant for cyber being ISO27001 and ISO27002, provides third parties and customers with confidence that information they share with you will be protected, and may make sense for multinational firms as it is an internationally recognised standard. The CPMI-IOSCO Guidance is aimed at financial market infrastructures (e.g. payment systems, central counterparties).
Other standards will also be relevant depending on the region. For example, in the EU it will be appropriate for critical infrastructure to consider (instead or as well) the Networks and Information Systems (NIS) Directive, which aims to standardise cybersecurity legislation across all of its 28 member states, and contains legal measures and incentives aimed at making the EU's online environment secure by strengthening preparedness, cross-border cooperation, cyber incident reporting and information exchange.
For regulated firms in the UK, the FCA has published a report 'Cyber security – industry insights'. While it is stated not to be FCA guidance, it takes the same position as IOSCO in drawing attention to existing standards, including those that implement the NIS Directive and ISO27001/2, which is included in one of the IOSCO Core Standards. As such, while the FCA does not lay down specific cybersecurity requirements for firms, it is clear that firms would benefit from referring to an internationally recognised standard (such as those from the ISO) when designing, implementing and monitoring their cybersecurity plans, and a failure to do so, where issues arise in a regulated context, may be viewed dimly by the regulator.
The relevant standard will therefore depend on the nature of your organisation and the market within which it operates.
The 15 questions for assessing cybersecurity practices
IOSCO is at pains to point out that these questions are intended to assist firms' understanding of relevant standards, but are not intended to be a shortcut for applying one or more of the Core Standards (or other regulatory framework). Rather, they are to promote awareness of sound cybersecurity practices in the financial sector.
Nonetheless, we consider that they give a good steer on the lines of enquiry that firms can take when reviewing their own cybersecurity practices.
The questions are set out in full from page 19 of IOSCO's report. They are split into four sections:
- Industry standard framework: does the organisation use an industry standard to develop a cyber risk management strategy and framework?
- Identify and protect: questions about identification and protection against cyber incidents (e.g. user authentication, penetration testing, secure network infrastructure).
- Detect: questions about detection of hacking and other risks and alerting institutions, clients and authorities to mitigate their impact and reduce financial losses.
- Respond/recover: questions about developing and managing incident response plans, as well as backup and contingency plans (including incident reporting and management of third-party service providers).
There are 'no cyber-borders between countries'
IOSCO is not providing new cyber standards or guidance in its report. Each of the Core Standards identified is pre-existing, and widely recognised and used.
However, the set of 15 sample questions may be useful to firms as an overarching framework for assessing their current cybersecurity arrangements at a high level, and for judging from that assessment whether applying a more detailed standard (whether one of the Core Standards or another more applicable to your organisation or sector) is appropriate.
Concerns have been raised about the growing risk of fragmentation as many countries draft new cybersecurity laws (for example, in south-east Asia). It is to be hoped that IOSCO's approach of promoting existing cyber standards will increase consistency across cyber frameworks internationally, rather than countries retreating from internationally recognised standards, as has been seen in recent years.
This is crucial to seeking to control cybercrime, which by its nature is transnational, with malicious operators acting without borders. Effective cybersecurity depends on international buy-in on an equally transnational approach.
What should you be doing now?
Cybersecurity is a board-level risk with major implications. High-profile cyber and system hacks highlight the serious reputational and financial impact of a cyber incident. A global shake-up in cyber laws is happening. In the EU, this means potential fines of up to 4% of global revenue for serious breaches, regulators gaining new invasive audit powers, and mandatory reporting of significant cyber incidents. Similar proposals are taking effect around the world.
Although IOSCO has focused on those in the financial sector, our view is that considering an internationally recognised standard for cybersecurity (whether an IOSCO Core Standard or another which may be more applicable for your business) is advisable for all organisations, whether regulated or not.
The 15 questions from the IOSCO Cyber Task Force are a good starting point for you to consider what the risks are for your organisation and the extent to which you need to look to a more detailed standard to ensure you have controls in place to maximise your cyber resilience.
We are well equipped to help you understand your cyber risk profile and identify key risks. Inevitably, there may be breaches, and we are experienced in developing robust cyber disaster response plans as well as providing advice when an incident occurs. Key to a robust defence is to recognise that cybersecurity does not respect borders – we have experts wherever you need help, providing a truly global and cross-practice team of cyber experts that work as one to protect your business activities, reduce risk and deliver the best response should the worst happen.