Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks
according to the business model, size and technological complexity of the institution and
the sensitivity and value of its information and data assets.
This paper is not a replacement for and does not supersede the legislation, regulations,
guidelines and standards that firms must comply with as part of their regulatory
obligations, particularly in the areas of risk management, internal controls and corporate
governance. Firms must at all times refer directly to the relevant legislation, regulations,
standards and guidance to ascertain their statutory obligations and to ensure that they are taking
appropriate steps to mitigate and manage IT and cybersecurity risk.
Background
The rapid advancement of technology innovations in recent times has fundamentally
changed business processes and models in financial firms of all sizes. These advancements
have undoubtedly introduced efficiencies and cost savings for firms and their customers.
However, these technologies also bring significant risks, as firms become increasingly
interconnected and more reliant on complex IT systems and outsourcing service providers
to conduct their business and deliver services to customers. In addition, while the
adoption of technological innovations has reduced costs and increased efficiencies, it has
concurrently provided greater risks for data to be lost, stolen, corrupted or accessed by
unauthorised users.
Firms are also increasingly exposed to the risk of cyber-attacks. These have become more
sophisticated, more frequent, more targeted and progressively more difficult to detect,
with the financial sector being one of the most frequently targeted.
Cybersecurity has become a risk for all financial firms. The failure of a firm’s IT systems
can have significant adverse financial, legal, customer and reputational consequences that
should not be underestimated. Based on our supervisory experience to date, firms are not
implementing sufficiently robust systems and controls and must increase their efforts in developing
Some key international guidance in this regard can be found in the Appendix.
The Gemalto Breach Level Index 2015 report finds that the financial sector suffered 16% of all reported
breaches in 2015, second only to the healthcare sector. The IBM 2016 Cyber Security Intelligence Index
found that the financial sector was the third most attacked industry sector in 2015.