On April 20, 2020, the Financial Stability Board ("FSB") released a "consultative document" on Effective Practices for Cyber Incident Response and Recovery (the "Proposal").1 The Proposal requests public comment on a "toolkit" of effective practices designed to assist financial institutions in cyber incident response and recovery activities.2
The Proposal outlines practices for effective cyber incident response and recovery that are organized into seven broad categories that contain 46 practices. These practices will be familiar to many in the field and generally do not break new ground on best practices for response and recovery activities.
The Proposal is intended to provide a "toolkit" for institutions as well as a resource for national regulatory authorities in designing appropriate regulatory or supervisory programs. However, FSB does not intend for the Proposal to become a standard and explicitly states that it is "not a prescriptive recommendation for any particular approach."3
While the Proposal will not create new regulatory obligations for financial institutions, it may, if finalized, represent an important step forward in developing a common understanding of best practices that can be used by financial institutions and national regulators alike to evaluate current practices, set supervisory expectations, and engage in collaborative efforts to define and mitigate cybersecurity risk.
This Legal Update discusses the content and context of the Proposal, identifies how it would fit within the respective cybersecurity frameworks, and sets out key takeaways for financial institutions in the United States and in the European Union ("EU").
The FSB was established in 2009 by the governments of the Group of Twenty ("G20") to provide international coordination among national financial regulatory authorities, international financial institutions, and international standards bodies to develop international standards and make policy recommendations to address vulnerabilities and promote financial system stability.4 Policy recommendations and decisions of the FSB are not legally binding on any of its members; however, policy recommendations are designed to establish international standards to promote financial stability that are encouraged to be adopted by the national regulators in each member jurisdiction.5 Accordingly, FSB policy recommendations may be adopted by home country regulators as supervisory guidance or other regulatory mandate.
Cybersecurity issues have been a focus of the FSB's work in recent years. In 2017, the FSB surveyed the cybersecurity regulatory and supervisory practices of FSB member jurisdictions.6 Noting a number of common features of national regulators' approaches, the 2017 survey identified a need for a "globally consistent approach" to regulation. To advance this goal, the FSB released a Cyber Lexicon in 2018 to provide a cross-sector common understanding of cybersecurity and cyber resilience terminology to support the work of the FSB, standards bodies, national regulators, and financial institutions.7 As part of its 2019 work program, the FSB undertook a new initiative to develop effective practices relating to a financial institution's response and recovery from a cybersecurity incident.8 The Proposal is the culmination of the FSB's efforts to capture effective practices for cyber incident response and recovery and is expected to be finalized in late 2020.9
Cyber Incident Proposal
The 46 practices discussed in the Proposal (reproduced in the Appendix to this Legal Update) are drawn from the 2017 survey of national regulators' guidance and approaches, a review of case studies on past cybersecurity incidents, an online survey of industry practices, and other engagements with FSB stakeholders. They are grouped into seven broad components: governance, preparation, analysis, mitigation, restoration, improvement, and coordination and communication. In addition to identifying and describing effective practices, the Proposal provides relevant definitions and examples (e.g., types of metrics used by industry to measure incident impact and performance of incident response programs). The Proposal does not address customer notification or related points typically covered in a jurisdiction's consumer breach notification law.
A. GOVERNANCE
The Governance component includes practices related to the framework for an institution's management of cyber incident response and recovery, such as defining the organizational structures, roles, responsibilities, and metrics to coordinate response and recovery across every facet of the institution's business. Effective practices in the Governance component include the development and adoption of an organization-wide governance framework; engagement by the board; clear roles, responsibilities, and accountability of senior management; and provision of adequate financial and human capital to a well-functioning cyber incident response and recovery capability.
B. PREPARATION
The Preparation component includes practices related to establishing and maintaining cyber incident response and recovery capabilities. The Preparation component consists of practices implemented before an incident that "significantly and directly" influence the effectiveness of the cyber incident response and recovery activities. Effective practices in the Preparation component include written policies that describe the organization's response and recovery processes; plans and playbooks to provide well-defined approaches to response and recovery activities; communications strategies and plans for engaging internal and external stakeholders; stress testing and scenario analysis to understand the full scope of possible incidents; and the establishment and maintenance of disaster recovery, forensic, and other technical and operational capabilities.
C. ANALYSIS
The Analysis component includes practices related to determining the severity, impact, and root cause of cyber incidents to drive appropriate response and recovery activities. Effective practices in the Analysis component include using a pre-established taxonomy for classifying cybersecurity incidents and a pre-established framework for assessing incident severity; identifying and collecting appropriate logs for timely analysis and investigation; collecting, verifying, and continuously monitoring information from computing resources across the organization; and accumulating threat intelligence information from trusted third-party sources.
D. MITIGATION
The Mitigation component includes practices designed to prevent aggravation of a cybersecurity incident and to assist in quickly eradicating the threat and minimizing the impact on business operations. Effective practices in the Mitigation component include activating threat-specific containment processes and technologies; invoking business continuity plans and contingency measures to (potentially manually) process critical transactions; shutting down or isolating affected systems and operations; and eradicating malicious artifacts and closing vulnerabilities to prevent reintroduction.
E. RESTORATION
The Restoration component includes practices designed to repair or restore impacted systems such that services can return to normal operation. Effective practices in the Restoration component include prioritizing restoration activities based on business needs and security and technical requirements; defining acceptable interim measures such as continuing operations with a diminished capacity while restoration is in progress; monitoring systems to identify abnormal activities and compromised assets; validating system recovery; and managing the restoration and ensuring the integrity of data.
F. IMPROVEMENT
The Improvement component includes practices designed to enhance readiness through exercises and tests that proactively build capabilities, and through post-incident analysis and reflection to assess adherence to and effectiveness of organizational policies and procedures. Effective practices in the Improvement component include tabletop exercises and live simulations; cross-sectoral and cross-border exercises, potentially with the participation of national regulatory authorities; integration of third-party technological tools and data sources; and post-incident analysis and assessment of lessons learned with internal and external stakeholders.
G. COORDINATION AND COMMUNICATION
The Coordination and Communication component includes practices designed to ensure effective, timely, and trusted communication with internal and external stakeholders to share progress, outcomes, and analysis throughout the lifecycle of the cybersecurity incident. Effective practices in the Coordination and Communication component include timely escalation of cybersecurity incidents within the organization; pre-defined communication intervals and formats to share actionable, timely, and concrete information regarding the incident and recovery processes; cross-border coordination developed, where possible, through engagement with national regulatory authorities; and trusted communications channels and processes.
1. FSB, Effective Practices for Cyber Incident Response and Recovery (Apr. 20, 2020), https://www.fsb.org/wp-content/uploads/P200420-1.pdf [hereinafter the "Proposal"].
2. The FSB defines a "cyber incident" as a cyber event that (i) jeopardizes the cyber security of an information system or the information the system processes, stores or transmits; or (ii) violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not. See FSB, Cyber Lexicon (Nov. 12, 2018).
3. Supra note 1, at 2.
4. History of the FSB (2020), https://www.fsb.org/history-of-the-fsb/.
5. About the FSB (Nov. 8, 2014), https://www.fsb.org/about/.
6. Press Release, FSB publishes stocktake on cybersecurity regulatory and supervisory practices (Oct. 13, 2017), https://www.fsb.org/2017/10/fsb-publishes-stocktake-on-cybersecurity-regulatory-and-supervisory-practices/.
7. FSB, Cyber Lexicon (Nov. 12, 2018), https://www.fsb.org/wp-content/uploads/P121118-1.pdf.
8. Press Release, FSB reviews financial vulnerabilities and deliverables for G20 Summit (Oct. 22, 2018), https://www.fsb.org/2018/10/fsb-reviews-financial-vulnerabilities-and-deliverables-for-g20-summit/.
9. Press Release, FSB updates G20 on its work related to cyber incident response and recovery (May 28, 2019), https://www.fsb.org/2019/05/fsb-updates-g20-on-its-work-related-to-cyber-incident-response-and-recovery/.
Originally published 4 May, 2020
© Copyright 2020. The Mayer Brown Practices. All rights reserved.