A year after urging the financial sector to step up its level of cyber security, a G-7 working group has released new metrics for assessing resiliency efforts and pushed greater oversight of cyber-related projects.
Financial ministry representatives from the multinational group, which includes the U.S., Canada, Germany, Japan, and more, detailed a two-part plan in their new report for achieving better cyber security outcomes if the financial sector follows the components included in their 2016 plan.
“Cyber security should not be viewed as separate from the concept, design, and operation of entities’ core business processes but as into a key strategic consideration, both when developing new products and services, and when assessing the effectiveness of business operations that utilize existing technology or infrastructures,” the G-7 writes in its report.
The G-7’s first cyber-related financial sector guidelines, released in Oct. 2016, provided a set of practices for public and private entities to develop new policies for creating cyber security frameworks.
Elements of the original report were non-binding, but were meant to push the financial sector towards better risk management behavior and to attempt to weed out the potential for insider threats.
The first component included in the latest G-7 report calls on the financial sector to self-assess whether progress has been made in implementing the guidelines from the 2016 plan.
“Financial institutions have a long history of conducting assessments and developing appropriate controls. This is rooted in the financial sector’s risk management culture and regulatory requirement,” John Carlson, chief of staff for the Financial Services-Information Sharing and Analysis Center, told Defense Daily. “Assessments are critical for understanding the changing threat environment and the necessary controls to mitigate the risks.”
Fundamental goals for the financial sector to self-assess on cyber security include maintaining an updated risk framework, reinforcing governance processes, establishing mitigation controls, effectively monitoring threats, improving response direction, and building information sharing practices.
In their new plan, G-7 financial representatives urge financial executives to restructure organizational cyber decision making and work towards an adaptive cyber security approach. The financial industry, both public and private, must ensure that incident response mechanisms are in place and that reactive functions to domain threats are flexible, according to the report.
“Entities that fail to recognize this concept may exhibit an imbalance by having an over-reliance on perimeter controls, at the detriment of clearly defined and regularly exercised responses and a viable, tested contingency plan for the resumption of operations,” the G-7 writes in its report.
The G-7 is also pushing a second part of the plan to promote more effective cyber security assessments across the financial industry. The report calls for the systematic collection and review of current practices and controls used for cyber security.
Financial industry leaders are urged to establish explicit security goals and measurable expectations for cyber practices, regularly report findings on threats, and maintain a consistent approach to updating security measures.