Bank Cybersecurity Best Practices Endorsed by G-7


By Daniel R. Stoller

Oct. 11 — Group of Seven (G-7) financial leaders have endorsed non-binding cybersecurity best practices for banks and financial institutions to help combat cybersecurity threats, according to guidelines released Oct. 11.

The best practices, “Fundamental Elements of Cybersecurity for the Financial Sector,” aim to address the increased level of “sophistication, frequency and persistence” of cyberattacks that are growing “more dangerous and diverse,” the guidelines said.

The guidelines will help the financial sector, along with its public-facing entities, protect the “interconnected global financial institutions that operate and support these systems,” the guidelines said.

The goal of the guidelines released by the G-7—Canada, France, Germany, the U.K., Italy, Japan and the U.S.—is to provide “fundamental elements” to “help address cyber risks facing the financial sectors from both entity-specific and system-wide perspectives,” U.S. Treasury Deputy Secretary Sarah Bloom Raskin, co-chair of the G-7 Cyber Expert Group, said in an Oct. 11 statement.

The G-7 Cyber Expert Group was created in 2015 to survey member countries' financial sector cybersecurity awareness and is tasked with recommending cybersecurity best practices to the G-7 finance ministers and central bank governors.

Cybersecurity Best Practices

The financial institutions' cybersecurity best practices focus on bolstering a bank's internal infrastructure in addition to enhancing information sharing across banks and public-sector stakeholders.

The guidelines outline eight elements for cybersecurity best practices, including: establish and maintain a cybersecurity strategy and framework; define and facilitate performance of roles and responsibilities in overseeing the cybersecurity plan; identify inherent cybersecurity risks presented by “people, process and technology”; establish systematic monitoring processes to detect sophisticated cyberattacks; set up systems to timely address cybersecurity threats; implement systems to resume operations quickly after a cyberattack; share information with government and third-party stakeholders to better protect against future cyberthreats; and continue to learn cybersecurity best practices to stay ahead of the curve.

Federal Reserve Board Vice Chairman Stanley Fischer said in an Oct. 11 statement that banks that adopt best practices help harden each link in the cybersecurity chain of the “global financial system.”

“The international financial architecture is only as strong as its weakest link and that is why the United States should work with our partners around the world to bolster their information security and resiliency,” Fischer said.

Banks Are Prime Hacking Target

The increased call for financial institutions' cybersecurity best practices comes on the heels of the Bangladesh bank heist and its fallout.

In February 2016, thieves were able to steal $81 million from the central bank of Bangladesh's account at the New York Federal Reserve. The hackers were able to infiltrate the bank-to-bank messaging system Society for Worldwide Interbank Financial Telecommunications (SWIFT) (15 PVLR 1162, 6/6/16). Investigators subsequently said that hackers could have breached computers at as many as 12 banks using SWIFT (15 PVLR 1161, 6/6/16).

Although the focus of the attacks has been on Bangladesh's central bank, the cyberattacks may have affected up to 12 other banks across the world, including banks in the Philippines and New Zealand, among others.

The perceived federal inaction on bank cybersecurity and a rush of cyberattacks at large banks—JPMorgan Chase & Co. and HSBC Group—led some states to propose rules addressing the growing breach concern. New York’s Department of Financial Services introduced cybersecurity guidelines directly to banks and other financial institutions—a move that Gov. Andrew Cuomo (D) called a “first-in-the-nation” endeavor (15 PVLR 1868, 9/19/16).

The biggest impact of the New York regulations is likely to be on small banks and insurers, which may now need to bring their cybersecurity programs up to at least a minimum standard.

With assistance from Russell Ward in Tokyo

Reporter on this story: Daniel R. Stoller in Washington

Editors responsible for this story: Donald G. Aplin; Jimmy H. Koo


Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
