Banks' cyber security - a second generation of regulatory approaches

This paper revisits cyber regulations in jurisdictions covered in a previous paper, as well as examining those issued in other jurisdictions. The paper finds that many jurisdictions, including in emerging market and developing economies, have introduced or enhanced bank cyber regulations in the past few years. This highlights that cyber security is a top priority for bank supervisory authorities worldwide. Moreover, cyber regulations have evolved and recent ones could be described as "second-generation". These newer regulations have a more embedded "assume breach" mentality and hence are more aligned with operational resilience concepts. As such, they focus on improving cyber resilience and providing banks and supervisors with specific tools to achieve this. Work by standard-setting bodies and the G7 have been instrumental in achieving convergence in cyber regulations but there may be scope to seek further convergence in testing the effectiveness of cyber resilience measures and third-party cyber risk management.

JEL classification: G21, G28, O33

Keywords: cyber risk, cyber security, cyber resilience, operational resilience