The International Monetary Fund (IMF) has said that 56 percent of central banks or supervisory authorities in the 51 countries surveyed do not have a national cyber strategy for the financial sector.
Also, the Fund said 42 percent lack a dedicated cybersecurity or technology risk-management regulation, and 68 percent lack a specialised risk unit as part of their supervision department.
“64 percent do not mandate testing and exercising cyber security measures or provide further guidance. 54 percent lack a dedicated cyber incident reporting regime and 48 percent do not have cybercrime regulations,” the IMF said in an article titled “Mounting cyber threats mean financial firms urgently need better safeguards.”
The IMF explained that cyber attackers continue to target the financial sector.
Tight financial and technological interconnections within the financial sector can facilitate the quick spread of attacks through the entire system, potentially causing widespread disruption and loss of confidence. Cybersecurity is a clear threat to financial stability.
Among emerging markets and developing economies, most financial supervisors haven’t introduced cybersecurity regulations or built resources to enforce them, according to a recent IMF survey of 51 countries.
In order to neutralise the cyber threat, the IMF urged financial institutions and regulators to prepare for heightened cyber threats and potential successful breaches.
The Fund said the regulators can do this by prioritising five things:
“Central banks, regulators, and financial firms must develop a cybersecurity strategy. Cyber risk is a multi-dimensional issue that requires sound security within authorities; robust oversight through regulation and supervision; collective action within the market; and efforts to build capacity and expertise.
“Financial regulators and firms need to shift their focus from classic business continuity and disaster recovery planning, to delivering critical services even when attacks disrupt normal operations. Resilience requires buy-in from the top leaders of companies and financial regulators and their board members. Firms need to prepare for severe but plausible incidents that can have a systemic impact. Supervisors should require the industry to consider such adverse scenarios and test their contingency plans both individually and collectively.
“Financial supervisors need to ensure that cyber regulation and supervision can effectively promote resilience. There is no one-size-fits-all approach, but many elements are common. An effective supervisory approach balances onsite and offsite activities, performed by a mix of security experts and generalist supervisors, who enforce regulation in a proportional manner.
“Financial firms must strengthen cyber ‘hygiene,’ secure-by-design systems, and response and recovery strategies. While many of today’s attacks are increasingly sophisticated and rely on social engineering to get a victim to provide sensitive information, most successful attacks are the result of routine lapses—such as failing to deploy patch updates or make the correct security configurations. In this context, habitual practices for ensuring the safe handling of critical data and for securing networks make all the difference.
“The international community must harmonize cyber incident reporting and effective information sharing to ensure authorities around the world can manage incidents effectively. The model for incident reporting and the common lexicon being developed by the Financial Stability Board are important steps forward.”