Effective Practices for Cyber Incident Response and Recovery
Final Report
19 October 2020

The Financial Stability Board (FSB) coordinates at the international level the work of national financial authorities and international standard-setting bodies in order to develop and promote the implementation of effective regulatory, supervisory and other financial sector policies. Its mandate is set out in the FSB Charter, which governs the policymaking and related activities of the FSB. These activities, including any decisions reached in their context, shall not be binding or give rise to any legal rights or obligations.

Contact the Financial Stability Board
Sign up for e-mail alerts: www.fsb.org/emailalert
Follow the FSB on Twitter: @FinStbBoard
E-mail the FSB at: fsb@fsb.org

Copyright 2020 Financial Stability Board. Please refer to the terms and conditions.

Table of Contents
Executive summary 1
Introduction 2
Development of the toolkit 2
The toolkit 3
1. Governance 4
2. Planning and preparation 7
3. Analysis 10
4. Mitigation 12
5. Restoration and recovery 13
6. Coordination and communication 14
7. Improvement 16
Conclusion 18

Executive summary

Cyber incidents[1] pose a threat to the stability of the global financial system. In recent years, there have been a number of cyber incidents that have significantly impacted financial institutions and the ecosystems in which they operate.[2] A significant cyber incident, if not properly contained, could seriously disrupt the financial system, including critical financial infrastructure, leading to broader financial stability implications.

Efficient and effective response to and recovery from a cyber incident by organisations in the financial ecosystem are essential to limit any related financial stability risks. Such risks could arise, for example, from interconnected IT systems between multiple financial institutions or between financial institutions and third-party service providers, from loss of confidence in a major financial institution or group of financial institutions, or from impacts on capital arising from losses due to the incident. The cyber resilience of organisations is crucial for the smooth functioning of the financial system and in engendering financial stability.

Enhancing cyber incident response and recovery (CIRR) at organisations is an important focus for national authorities. National authorities are in a unique position to gain insights on effective CIRR activities in financial institutions from their supervisory work, and their observations across multiple organisations can help suggest areas for enhancement. Authorities also have an important role to play in responding to cyber incidents that present potential risks to financial stability. Authorities can consider the sector-wide implications of a cyber incident or series of cyber incidents, including any market confidence issues and reactions resulting from information from public market data, news and social media, or from partial or inaccurate information, possibly proliferated by fraudulent sources. Authorities may also, as appropriate, support organisations in sharing information to protect against threats that could have a detrimental impact on financial stability.

The FSB has developed a toolkit of effective practices that aims to assist organisations in their cyber incident response and recovery activities. In this regard, an organisation's respond function executes the appropriate activities in reaction to a detected or reported cyber incident, while the recover function carries out the appropriate activities to restore any systems or capabilities, or to resume services or operations, that were impaired due to a cyber incident.[3] The FSB encourages authorities and organisations to use the toolkit to enhance their CIRR activities.

[1] A cyber incident is a cyber event that: (i) jeopardizes the cyber security of an information system or the information the system processes, stores or transmits; or (ii) violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not. See FSB (2018), Cyber Lexicon, November, page 9.
[2] The twin episodes of the NotPetya and the WannaCry ransomware attacks in 2017, for example, showed the potential of cyber incidents to be both widespread and devastating.
[3] See FSB (2018), page 12, for definitions of the Respond and Recover functions.

Introduction

Enhancing cyber resilience has been a key element of the FSB's work programme to promote financial stability. In 2017, the FSB took stock of financial sector cyber security regulations, guidance and supervisory practices.[4] This work identified, among other things, a need to enhance communication between authorities and the private sector. To facilitate more effective communication, the FSB developed a Cyber Lexicon in 2018 to support the work of the FSB, standard-setting bodies (SSBs), authorities and private sector participants to address financial sector cyber resilience.[5]

Given the interconnectedness of the financial sector, the FSB agreed in 2018 to develop a toolkit to provide financial institutions with a set of effective practices to respond to and recover from a cyber incident to limit any related financial stability risks. The toolkit is not intended to create an international standard, or to constitute standards for organisations and their supervisors. It is not a prescriptive recommendation for any particular approach. The toolkit is designed as a range of effective practices that any organisation can choose from, based on its size, complexity and risks.

Development of the toolkit

The draft toolkit of effective practices was published on 20 April 2020 for public consultation.[6] In developing the consultative document, the FSB conducted a stocktake of publicly released guidance from national authorities, international organisations and other external stakeholders;[7] reviewed existing standards and case studies on past cyber incidents; and engaged with external stakeholders at workshops and bilateral meetings. The FSB also drew on insights from national authorities based on their supervisory work. The public consultation period ended on 20 July 2020, and 58 responses were received from a wide range of external stakeholders, including banks, insurers, financial market intermediaries, industry associations, IT service providers and public authorities.[8]

Through the public consultation and engagements with external stakeholders, the FSB sought feedback on lessons learnt from the COVID-19 pandemic and related cyber activity. Thus far, organisations and authorities have generally responded well and shown resilience to cyber risk. This in part reflects the degree to which organisations practiced their playbooks, conducted stress tests and cyber drills, and actively maintained contact lists of key external and internal stakeholders. However, the COVID-19 pandemic also highlighted the need for many organisations and authorities to consider adjustments to cyber risk management processes, cyber incident reporting, cyber incident response and recovery activities, as well as management of critical third-party service providers (e.g. cloud services) and relevant stakeholders. Effective preparation and testing of incident response and recovery plans, particularly business continuity planning, facilitated organisations' transition to remote work and operations. One of the key challenges posed by remote working was the restricted ability to collect system hardware in order to conduct forensic analysis of a cyber incident. Furthermore, effective communication across the supply chain, including through intra-group entities and third-party service providers, is often highlighted as a key challenge.

Drawing on the feedback from the public consultation, the FSB modified the draft effective practices in the following ways. First, the FSB further clarified the proportionate and risk-based nature of the toolkit to improve its usability. Second, the toolkit is better aligned with industry practices and international standards. For example, the "preparation" and "restoration" components have been renamed "planning and preparation" and "restoration and recovery" respectively, and the details of the relevant effective practices have been modified to more closely align with existing or leading practices adopted by organisations.

[4] FSB (2017), Summary Report on Financial Sector Cyber security Regulations, Guidance and Supervisory Practices, October.
[5] FSB (2018).
[6] FSB (2020), Effective Practices for Cyber Incident Response and Recovery: Consultative document, 20 April.
[7] For example, a survey of industry practices was conducted in July 2020.
[8] All public responses received are available on the FSB website.

The toolkit

The toolkit, structured across seven components, comprises 49 effective practices that organisations have adopted while taking into account jurisdictions' legislative, judicial and regulatory frameworks, the size of the organisation, the organisation's role in the financial ecosystem and the extent to which stakeholders are affected by a cyber incident. The toolkit is composed as a resource and reference guide for effective practices, using common cyber-taxonomies in a manner aligned to industry standards, accessible to senior management, the board of directors, or other governance, compliance, risk and legal professionals that interface with cybersecurity technical experts within the organisation, the SSBs or authorities.

Figure 1: Illustration of CIRR components

While many of these effective practices are already in use by larger organisations, they could also be valuable for smaller and less complex organisations to help strengthen their cyber resilience.[9] The toolkit provides a range of effective practices, and organisations can choose to adopt some or all of the effective practices that are suitable for their respective business models, taking into account their size, complexity and risks to the financial ecosystem.[10] The toolkit is useful for authorities as they consider the approaches they may undertake with respect to regulation or supervision, or in responding to a cyber incident within the sector. The toolkit promotes a common range of effective practices that SSBs and authorities can incorporate into their guidance around cybersecurity.

[9] FSB (2018), page 9.
[10] As the toolkit is not a one-size-fits-all approach, the onus will be on organisations and authorities to assess whether their governance framework and processes are adequate and their CIRR activities are effective.

1. Governance

Governance frames the way in which CIRR is organised and managed. It aligns CIRR activities with goals set for continuity of business operations, and sets the organisational structure and roles needed to coordinate response and recovery across internal functions, business lines, organisations, jurisdictions or even sectors. Governance involves defining the decision-making framework with clear steps and measures of success, and allocating responsibilities and accountabilities to ensure that the right internal and external stakeholders are engaged when a cyber incident occurs. Governance also encapsulates the commitment to support CIRR activities through adequate sponsorship by senior management and to promote positive behaviours in dealing with, and following, a cyber incident.

1. Organisation-wide governance framework. The CIRR governance structure is part of the broader organisation-wide governance framework. CIRR objectives and priorities are aligned with the organisation's risk management framework and are communicated and understood throughout the organisation. Based on the risk management framework, roles and responsibilities are clearly defined for managing CIRR activities and internal processes to facilitate effective decision-making when handling a cyber incident.

2. Roles and responsibilities of the board and senior management.[11] Organisations have clear and direct reporting lines between their management and the board (or board of directors) in order to ensure accountability, and the roles and responsibilities of management are clearly specified for CIRR activities.

The board. The board is responsible for steering the organisation's risk management strategy and sets clear and achievable CIRR objectives to enhance the cyber resilience of the organisation. The board plays a key role in assessing the effectiveness of these activities in meeting the CIRR objectives and empowers senior management to take decisions to deploy CIRR activities.

[11] The toolkit refers to a management structure composed of a board of directors and senior management. There are significant differences in legislative and regulatory frameworks across jurisdictions regarding the functions of the board of directors and senior management. In some jurisdictions, the board has the main, if not exclusive, function of supervising the executive body (senior management, general management) and is known as a supervisory board. This means that the board has no executive functions. In other jurisdictions, the board has a broader competence in that it lays down the general framework for the management of the organisation. Owing to these differences, the terms "board of directors" and "senior management" are used in the toolkit to label distinct decision-making functions within an organisation.

Senior management. Senior management is responsible for the implemen