IOSCO Cyber Task Force (CTF) Report:
Assessing progress in the implementation of the core cybersecurity standards
20 June 2019
Regulatory News Alert
Context and objectives
On 18 June 2019, IOSCO published a final report that compiles information from different jurisdictions on their existing frameworks for Cyber regulation. The report provides an international overview of core cybersecurity standards and identifies potential gaps in their application in different countries.
The report focuses on three existing Cyber frameworks: (1) the CPMI-IOSCO Guidance, (2) the National Institute of Standards and Technology Framework, and (3) the International Organization for Standardization standards. It does not propose new cyber standards or guidance.
These Core Standards are three prominent and widely respected Cyber frameworks used in the financial sector worldwide.
Overview of 3 international cyber standards
While the Core Standards share many of the same objectives, each offers a different approach in both scope and detail:
1. CPMI-IOSCO Guidance on cyber Resilience for Financial Market Infrastructures outlines five primary risk management categories:
- Governance: arrangements should be put in place to establish, implement and review the FMI’s approach to managing Cyber risks
- Identification: how an FMI should identify and classify business processes, information assets, system access and external dependencies
- Protection: appropriate and effective controls should be implemented, and systems and processes designed, to prevent, limit and contain the impact of a potential Cyber incident
- Detection: monitoring and process tools should be used by an FMI for the detection of Cyber incidents
- Response and recovery: an FMI’s arrangements should be designed to enable it to resume critical operations rapidly, safely, and with accurate data to mitigate the potentially systemic risks of failure to meet such obligations
2. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity enables organizations to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. It is composed of three elements:
- The Framework Core: a set of Cyber Security activities, desired outcomes and applicable references common across critical infrastructure sectors, consisting of five Functions: Identify, Protect, Detect, Respond, Recover
- The Framework Implementation Tiers: how an organization views Cyber Security risks and its processes to manage these risks
- The Framework Profile: alignment of standards, guidelines, and practices to the Framework Core in a specific implementation scenario
3. International Organization for Standardization 27000 series of standards aims to provide standards on information security management systems to help organizations keep information assets secure, including financial information, intellectual property and employee details, as well as information entrusted to them by customers or third parties. It consists of:
- ISO/IEC 27001 defines a suite of activities for managing information risks: an overarching management framework through which the organization identifies, analyzes and addresses information risks
- ISO/IEC 27002 sets out a code of good practice for information security. It is an advisory document and not a formal specification like ISO/IEC 27001.
The report examines how IOSCO member jurisdictions are using three prominent and internationally recognized Cyber frameworks, and indicates how such existing Cyber frameworks could help address any gaps identified in members’ current regimes:
- Many IOSCO member jurisdictions consider Cyber to be at least one of the most important risks faced by regulated firms in their jurisdiction
- Domestic regulations, guidance, and/or supervisory practices were either “generally consistent” or “entirely consistent” with one of the Core Standards
- Cyber regimes are flexible rather than prescriptive about how firms comply with applicable domestic regulations
- Despite jurisdictional differences, the Cyber frameworks share certain common elements
- Jurisdictions plan to issue, within the next year, new regulations, guidance or supervisory practices that address Cyber Security for all or part of their financial sector
The optimal path forward, given the reliance by many IOSCO members on the Core Standards, is to continue to draw from existing, prominent Cyber frameworks developed by experts in this space. This approach ensures consistency and avoids overlap, duplication, and conflict between Cyber frameworks, all of which can impede progress in this area.
The CTF considers exploring the use of sector-wide organizational surveys as part of the next phase of its work to gain a better understanding of where the gaps lie.
In the next few years, these frameworks will also be introduced into the EU regulatory system.
How can Deloitte help you?
With the RegWatch Kaleidoscope service, Deloitte can help you navigate regulatory trends and identify which are relevant to your activities.
Deloitte can help you in structuring your activity to develop new products and to adapt to regulatory and market demands.
Deloitte can help organizations prevent cyberattacks and protect valuable assets: https://www2.deloitte.com/lu/en/pages/risk/solutions/cyber-risk.html