It’s become a common question for chief executives and high-ranking government officials at nearly every policy gathering or industry conference around the world: “What keeps you awake at night?”
Lately, the answer is almost always some variation of “cybersecurity.” That’s no surprise as there have been more than 100 significant global cyber incidents in the last year, according to the Center for Strategic and International Studies. These ranged from hackers breaching the International Committee of the Red Cross systems to the widely publicized Colonial Pipeline and JBS meat processing firm ransomware attacks, and from cyberespionage campaigns in Europe and Southeast Asia to the theft of $600 million in cryptocurrency from a blockchain site.
Recently, we have seen a focus on cybersecurity demonstrated in Washington, DC, and an underscoring of the importance of public and private sector cybersecurity measures. In fact, the bipartisan Cyber Incident Reporting Act was approved by the House and Senate, and was signed into law by President Biden as part of the 2022 omnibus spending bill.
These continued Congressional efforts are encouraging and significant steps in combatting cybersecurity risks. It’s also clear from discussions with policymakers and stakeholders across the financial services industry that addressing cyber threats on a global scale will require broader action. A coordinated global regulatory approach is the most effective way to tackle cyber threats and to bolster safety across financial markets.
In fact, the potential scope and scale of cyber-attacks have prompted new laws and regulation around the globe as legislators and financial authorities work with the private sector to develop consistent cyber and resilience standards and approaches.
And U.S. policymakers and financial institutions must continue to take international cybersecurity efforts into account. Important initiatives for cyber practitioners to monitor include:
- The European Union Digital Operational Resilience Act (DORA), which aims to provide regulatory and oversight consistency for cyber resilience across Member States.
- In the Asia-Pacific region, the Financial Sector Cyber Threat Intelligence Platform, overseen by Bank Negara Malaysia, began operations in September. The Australian government is exploring stronger cyber security regulations and incentives to respond to threats and to better support the digital economy. In early 2021, the Hong Kong Monetary Authority launched its upgraded Cybersecurity Fortification Initiative 2.0 and the Monetary Authority of Singapore issued its Technology Risk Management Guidelines addressing a wide range of risk, cybersecurity and resilience issues.
While all these initiatives are important steps forward in establishing a global foundation for battling cybercriminals, what had been largely missing is a unifying thread to connect key pieces of these efforts.
Progress is being made in this area, as we saw in October 2021 when the international Financial Stability Board (FSB)—which identifies systemic risk in the financial sector—issued an important white paper, Cyber Incident Reporting: Existing Approaches and Next Steps for Broader Convergence, that acknowledged “[f]ragmentation exists across sectors and jurisdictions” for addressing cyber incidents. It also recommended solutions that included the adoption of a consistent taxonomy and harmonizing language for reporting cyber incidents, addressing multiple reporting requirements for one incident, identifying common information that should be shared across sectors and jurisdictions and establishing effective reporting timeframes.
The FSB report followed a paper issued in September 2021 by the CPMI-IOSCO Working Group on Cyber Resilience (WGCR), Cyber Threats and Data Recovery Challenges for FMIs, that evaluated how financial market infrastructures (FMIs) are protecting and leveraging data and explored options for improving data recovery and replay. It also encouraged greater industry collaboration for housing and protecting critical data.
While all of these efforts are to be commended, it is unlikely that a truly global approach to cybersecurity will ever be adopted. We have seen approaches that vary widely at international, regional, national and local levels. We believe that a coordinated, consistent approach across jurisdictions along the lines of the FSB’s recommendations is the best, most achievable and most realistic way to eliminate fragmentation and the potential consequences of widely divergent approaches to cybersecurity.
By agreeing on general principles and embracing a more unified strategy globally, we will narrow gaps and streamline processes to better safeguard against cybercriminals and fortify the safety and stability of the global financial markets.