
P2.T7.20.14. Range of cyber-resilience practices among banks and regulators

Nicole Seaman

Director of FRM Operations
Learning objectives: Define cyber-resilience and compare recent regulatory initiatives in the area of cyber-resilience. Describe current practices by banks and supervisors in the governance of a cyber risk management framework, including roles and responsibilities. Explain methods for supervising cyber-resilience, testing and incident response approaches and cybersecurity and resilience metrics. Explain and assess current practices for the sharing of cybersecurity information between different types of institutions. Describe practices for the governance of risks of interconnected third-party service providers.


20.14.1. According to the Basel Committee on Banking Supervision (BCBS, 2018), in regard to cyber-security and cyber-resilience metrics, "Some jurisdictions have methodologies to assess or benchmark regulated institutions’ cyber-security and resilience ... None of these methodologies produce quantitative metrics or risk indicators comparable to those available for financial risks and resilience; e.g., standardized quantitative metrics where established data are available. Instead, indicators provide information on regulated institutions’ approach to building and ensuring cyber-security and resilience more broadly. Supervisory authorities also rely on entities’ own management information, although this differs across entities and is not yet mature."

With respect to current cybersecurity and resilience metrics, each of the following statements is true EXCEPT which is inaccurate?

a. No single cybersecurity/resilience metric in isolation is sufficient
b. Patch aging (aka, days to patch) is a widespread and comparable metric
c. Backward-looking metrics are helpful but insufficient; forward-looking metrics are necessary because adversaries dynamically adapt
d. The penetration ratio (i.e., the percentage of banks in a jurisdiction that can be penetrated) is a useful metric for comparing one supervisor's effectiveness with that of other jurisdictions

20.14.2. The Basel Committee on Banking Supervision (BCBS) borrows the FSB lexicon's definition of cyber-resilience: the ability of an organization to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing, and rapidly recovering from a cyber incident. According to the BCBS, which of the following is a TRUE statement about cyber-resilience?

a. The chief information security officer (CISO) should report to the chief risk officer (CRO)
b. Previously developed national and international standards cannot be leveraged for cyber-resilience because their scope is information technology (IT) or risk management
c. The skills shortage is due to the impracticality and/or inability of regulators to conduct on-site inspections; a lack of any existing, reputable certification or accreditation programs; and a lack of qualified cyber headhunters
d. Although regulators generally do not require a specific cyber strategy, they do expect banks to maintain cyber-resilience capabilities under their broader oversight of technology, information systems (IS), and/or enterprise risk management (ERM)

20.14.3. According to the Basel Committee on Banking Supervision (BCBS), "given the increase in the frequency, severity and sophistication of cyber-incidents in recent years, a number of legislative, regulatory and supervisory initiatives have been taken to increase cyber-resilience." Financial institutions also recognize that they must build their own cyber-resilience capabilities. This is a non-trivial effort that involves governance, culture, strategy, the workforce, information-sharing, and third-party risk. In regard to the BCBS report on the range of cyber-resilience practices, each of the following is true EXCEPT which is false?

a. Regulatory frameworks for outsourcing activities across jurisdictions are quite established and share substantial commonalities
b. Some jurisdictions use taxonomies of controls to understand whether there are any gaps in the coverage of their supervisory approach
c. The international standard of incident management frameworks is a three dimensional (3LD) framework that utilizes software to evaluate cyber incidents in three-dimensional holographic space
d. The report defines five types of categories of information sharing: among banks, among regulators, from bank to regulator, from regulator to bank, and with security agencies

Answers here: