Cyber-resilience: range of practices

This version

BCBS  | 
04 December 2018

The Basel Committee on Banking Supervision today published the report. It identifies, describes and compares the range of observed bank, regulatory and supervisory cyber-resilience practices across jurisdictions.

Based on analysis of authorities' responses to previous international surveys and on exchanges between international experts, the report gains insight into the effective practices and expectations in place. It also benefited from industry participants' input.

The current challenges and initiatives to enhance cyber-resilience are summarised in 10 key findings and illustrated by case studies which focus on concrete developments in the jurisdictions covered.

1.    General Landscape

Despite convergence in high level expectations, the technical specifications and supervisory practices differ across jurisdictions. This diversity of approaches results in a complex and fragmented landscape, but is also a necessary reflection of actual differences in Members' legal frameworks and degree of digitalisation.

2.   Strategy

Regulators generally do not require a specific cyber strategy, however institutions are expected to ensure that systems are "secure-by-design" and that emphasis is placed on resilience in light of current threats rather than compliance to a standard.

3.   Cyber risk management

In most jurisdictions broader IT and operational risk management practices are more mature and are used to address cyber risk and supervise cyber resilience.

4.   Governance / organisation

Models such as "three lines of defence" are widely adopted, but cyber resilience is not always clearly articulated across the technical, business and strategic lines, which hampers their effectiveness.

5.    Workforce

Skills shortage leads to recruitment challenges. A few jurisdictions have implemented or leveraged specific cyber certifications to address this.

6.     Testing

Protection and detection testing is evolving and prevalent; response and recovery less so.

7.     Incident response

Although an incident management framework is not required, incident response plans are.

8.    Metrics

Although some forward-looking indicators of cyber resilience are being picked up through the most widespread supervisory practices, no standard set of metrics has emerged yet.

9.    Information sharing

The content and use of information collected or shared by banks and supervisors varies widely across jurisdictions. The speed, latitude and security of communications required to cope with a cross-border cyber incident has led a few jurisdictions to take specific formal steps in this area.

10.   Third party risk

Regulatory frameworks for outsourcing activities across jurisdictions are quite established and share substantial commonalities, but there is no common approach regarding third parties beyond outsourced services. While third parties may provide cost-effective solutions to increase resilience levels, the onus remains on the banks to demonstrate adequate understanding and active management of the third party dependencies and concentration across the value chain.

By describing the diversity of approaches thematically, the report will help banks and supervisors navigate the regulatory environment and will serve as useful input for identifying areas where further policy work by the Committee may be warranted. Going forward, the Committee will integrate the cyber dimension into its broader operational resilience work.