On April 20, 2020, the Financial Stability Board ("FSB") released a "consultative document" on Effective Practices for Cyber Incident Response and Recovery (the "Proposal").1 The Proposal requests public comment on a "toolkit" of effective practices designed to assist financial institutions in cyber incident response and recovery activities.2
The Proposal outlines practices for effective cyber incident response and recovery that are organized into seven broad categories that contain 46 practices. These practices will be familiar to many in the field and generally do not break new ground on best practices for response and recovery activities.
The Proposal is intended to provide a "toolkit" for institutions as well as a resource for national regulatory authorities in designing appropriate regulatory or supervisory programs. However, FSB does not intend for the Proposal to become a standard and explicitly states that it is "not a prescriptive recommendation for any particular approach."3
While the Proposal will not create new regulatory obligations for financial institutions, it may, if finalized, represent an important step forward in developing a common understanding of best practices that can be used by financial institutions and national regulators alike to evaluate current practices, set supervisory expectations, and engage in collaborative efforts to define and mitigate cybersecurity risk.
This Legal Update discusses the content and context of the Proposal and identifies how it would fit within the respective cybersecurity frameworks, as well as key takeaways for financial institutions in the United States and in the European Union ("EU").
Background
The FSB was established in 2009 by the governments of the Group of Twenty ("G20") to provide international coordination among national financial regulatory authorities, international financial institutions, and international standards bodies to develop international standards and make policy recommendations to address vulnerabilities and promote financial system stability.4 Policy recommendations and decisions of the FSB are not legally binding on any of its members; however, policy recommendations are designed to establish international standards to promote financial stability, which the national regulators in each member jurisdiction are encouraged to adopt.5 Accordingly, FSB policy recommendations may be adopted by home country regulators as supervisory guidance or other regulatory mandate.
Cybersecurity issues have been a focus of the FSB's work in recent years. In 2017, the FSB surveyed the cybersecurity regulatory and supervisory practices of FSB member jurisdictions.6 Noting a number of common features of national regulators' approaches, the 2017 survey identified a need for a "globally consistent approach" to regulation. To advance this goal, the FSB released a Cyber Lexicon in 2018 to provide a cross-sector common understanding of cybersecurity and cyber resilience terminology to support the work of the FSB, standards bodies, national regulators, and financial institutions.7 As part of its 2019 work program, the FSB undertook a new initiative to develop effective practices relating to a financial institution's response and recovery from a cybersecurity incident.8 The Proposal is the culmination of the FSB's efforts to capture effective practices for cyber incident response and recovery and is expected to be finalized in late 2020.9
Cyber Incident Proposal
The 46 practices discussed in the Proposal (reproduced in the Appendix to this Legal Update) are drawn from the 2017 survey of national regulators' guidance and approaches, a review of case studies on past cybersecurity incidents, an online survey of industry practices, and other engagements with FSB stakeholders. They are grouped into seven broad components: governance, preparation, analysis, mitigation, restoration, improvement, and coordination and communication. In addition to identifying and describing effective practices, the Proposal provides relevant definitions and examples (e.g., types of metrics used by industry to measure incident impact and performance of incident response programs). The Proposal does not address customer notification or related points typically covered in a jurisdiction's consumer breach notification law.
A. GOVERNANCE
The Governance component includes practices related to the framework for an institution's management of cyber incident response and recovery, such as defining the organizational structures, roles, responsibilities, and metrics to coordinate response and recovery across every facet of the institution's business. Effective practices in the Governance component include the development and adoption of an organization-wide governance framework; engagement by the board; clear roles, responsibilities, and accountability of senior management; and provision of adequate financial and human capital to a well-functioning cyber incident response and recovery capability.
B. PREPARATION
The Preparation component includes practices related to establishing and maintaining cyber incident response and recovery capabilities. The Preparation component consists of practices implemented before an incident that "significantly and directly" influence the effectiveness of the cyber incident response and recovery activities. Effective practices in the Preparation component include written policies that describe the organization's response and recovery processes; plans and playbooks to provide well-defined approaches to response and recovery activities; communications strategies and plans for engaging internal and external stakeholders; stress testing and scenario analysis to understand the full scope of possible incidents; and the establishment and maintenance of disaster recovery, forensic, and other technical and operational capabilities.
C. ANALYSIS
The Analysis component includes practices related to determining the severity, impact, and root cause of cyber incidents to drive appropriate response and recovery activities. Effective practices in the Analysis component include using a pre-established taxonomy for classifying cybersecurity incidents and a pre-established framework for assessing incident severity; identifying and collecting appropriate logs for timely analysis and investigation; collecting, verifying, and continuously monitoring information from computing resources across the organization; and accumulating threat intelligence information from trusted third-party sources.
D. MITIGATION
The Mitigation component includes practices designed to prevent aggravation of a cybersecurity incident and to assist in quickly eradicating the threat and minimizing the impact on business operations. Effective practices in the Mitigation component include activating threat-specific containment processes and technologies; invoking business continuity plans and contingency measures to (potentially manually) process critical transactions; shutting down or isolating affected systems and operations; and eradicating malicious artifacts and closing vulnerabilities to prevent reintroduction.
E. RESTORATION
The Restoration component includes practices designed to repair or restore impacted systems such that services can return to normal operation. Effective practices in the Restoration component include prioritizing restoration activities based on business needs and security and technical requirements; defining acceptable interim measures, such as continuing operations with a diminished capacity while restoration is in progress; monitoring systems to identify abnormal activities and compromised assets; validating system recovery; and managing the restoration and ensuring the integrity of data.
F. IMPROVEMENT
The Improvement component includes practices designed to enhance readiness through exercises and tests that proactively build capabilities, and through post-incident analysis and reflection to assess adherence to and effectiveness of organizational policies and procedures. Effective practices in the Improvement component include tabletop exercises and live simulations; cross-sectoral and cross-border exercises, potentially with the participation of national regulatory authorities; integration of third-party technological tools and data sources; and post-incident analysis and assessment of lessons learned with internal and external stakeholders.
G. COORDINATION AND COMMUNICATION
The Coordination and Communication component includes practices designed to ensure effective, timely, and trusted communication with internal and external stakeholders to share progress, outcomes, and analysis throughout the lifecycle of the cybersecurity incident. Effective practices in the Coordination and Communication component include timely escalation of cybersecurity incidents within the organization; pre-defined communication intervals and formats to share actionable, timely, and concrete information regarding the incident and recovery processes; cross-border coordination developed, where possible, through engagement with national regulatory authorities; and trusted communications channels and processes.
Footnotes
1. FSB, Effective Practices for Cyber Incident Response and Recovery (Apr. 20, 2020), https://www.fsb.org/wp-content/uploads/P200420-1.pdf [hereinafter the "Proposal"].
2. The FSB defines a "cyber incident" as a cyber event that (i) jeopardizes the cyber security of an information system or the information the system processes, stores or transmits; or (ii) violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not. See FSB, Cyber Lexicon (November 2018).
3. Supra note 1, at 2.
4. History of the FSB (2020), https://www.fsb.org/history-of-the-fsb/.
5. About the FSB (Nov. 8, 2014), https://www.fsb.org/about/.
6. Press Release, FSB publishes stocktake on cybersecurity regulatory and supervisory practices (Oct. 13, 2017), https://www.fsb.org/2017/10/fsb-publishes-stocktake-on-cybersecurity-regulatory-and-supervisory-practices/.
7. FSB, Cyber Lexicon (Nov. 12, 2018), https://www.fsb.org/wp-content/uploads/P121118-1.pdf.
8. Press Release, FSB reviews financial vulnerabilities and deliverables for G20 Summit (Oct. 22, 2018), https://www.fsb.org/2018/10/fsbreviews-financial-vulnerabilities-and-deliverables-for-g20-summit/.
9. Press Release, FSB updates G20 on its work related to cyber incident response and recovery (May 28, 2019), https://www.fsb.org/2019/05/fsb-updates-g20-on-its-work-related-to-cyber-incident-response-and-recovery/.
Originally published 4 May, 2020
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.