Introduction
- The BCBS uses the FSB Lexicon definition of cyber-resilience: the ability of an organization to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.
Cyber-Resilience Standards And Guidelines
- Most jurisdictions address cybersecurity and cyber-resilience through the lens of IT and general operational risk. The intent of IT risk guidance is to communicate jurisdictions’ expectations and encourage good practice; it addresses governance, information security, IT recovery and the management of IT outsourcing arrangements.
- Standards on general risk topics such as business continuity planning and outsourcing contribute to the management of a wide range of risks and also have relevance to cyber-risk.
- Specific cyber-risk management guidance has emerged in the context of information security. A few jurisdictions have issued specific cyber-risk management or information security guidance, including:
- the importance of effective cyber-security risk management (Hong Kong SAR);
- early detection of cyber intrusions (Singapore);
- establishment of a cyber-security policy (Brazil);
- common procedures and methodologies for the assessment of ICT risk (European Banking Authority (EBA));
- consideration of the relevance of outsourcing versus the appropriateness of service provider risk management, recognizing that bank supply chains have become more complex (Australian Prudential Regulation Authority (APRA)).
- In jurisdictions where no specific cyber-security regulations exist for the financial sector, supervisors encourage their regulated entities to implement international standards and to apply prescriptive guidance and practices in accordance with the top-down initiatives of national cyber-agencies.
- Most jurisdictions implement key concepts from international and industry standards such as NIST, ISO/IEC and COBIT.
- Regulators also leverage supervisory practices from the US (Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook) and the UK (CBEST).
Cyber-Governance
- The majority of the regulators have issued either principles based guidance or prescriptive regulations, with varying levels of maturity.
- In general, regulatory standards and supervisory practices address enterprise IT risk management but do not include specific regulations or supervisory practices that cover cyber-risk management.
- The following are the supervisory expectations and practices with respect to cyber-governance:
- Cyber-security strategy
- Management roles and responsibilities
- Cyber-risk awareness culture
- Architecture and standards
- Cyber-security workforce
1. Cyber-Security Strategy
- Although most regulators do not require regulated entities to develop a cyber-security strategy, all expect regulated institutions to have a board-approved information security strategy, policy and procedures under the broad remit of effective oversight of technology. Many jurisdictions (eg Australia, Brazil and jurisdictions across Europe) expect that cyber-risk should be covered by the organization-wide risk management framework and/or information security framework which is monitored and reviewed by senior executives.
- Jurisdictions enforce cyber-security strategy requirements using three types of non-mutually exclusive regulatory approaches:
- The regulator/authority implements cyber-security strategy requirements, with which financial institutions have to comply. This is a common approach in emerging market economies with relative homogeneity in their banking systems.
- The financial institutions establish their own cyber-security strategies in compliance with principles-based risk management practices. Regulators review these strategies as part of their assessment of an institution’s overall risk management practices.
- A third approach, prevalent in Europe, involves examining whether financial entities have an IT strategy and the accompanying security provisions.
2. Management Roles And Responsibilities
- Board of Directors and Senior Management – Almost all the jurisdictions emphasize the importance of management roles and responsibilities for cyber-governance and controls.
- In the US, EU and Japan, high-level guidelines encourage global systemically important banks (G-SIBs) and domestic systemically important banks (D-SIBs) to implement well-defined, risk-sensitive management frameworks through their Boards of Directors (BoDs).
- In addition, the EBA implements granular and prescriptive requirements, ensuring consistent cyber-security regulation and supervision across the European banking sector.
- Similarly, emerging market economies implement more granular and prescriptive cyber-security requirements.
- Second and Third Lines of Defence (3LD) – The majority of regulators have adopted the 3LD risk management model to assess cyber-security risk and controls. However, most regulators do not require the implementation of 3LD at regulated entities; banks are expected to define the responsibilities themselves without leaving any gaps. Hence, supervisory practices for assessing the degree of 3LD implementation vary widely, and there appears to be a greater supervisory focus on the first and second lines of defence than on the third line across jurisdictions, which could hamper the effectiveness of the 3LD checks and balances model.
3. Cyber-Risk Awareness Culture
- An awareness of cyber-risk by staff at individual banks and a common risk culture across the banking industry are important for maintaining cyber-resilience. Regulators in most jurisdictions have published guidance emphasizing the importance of risk awareness and risk culture for staff and management at all levels, including BoDs and third-party employees. In some jurisdictions, regulators require cyber-security awareness training during each phase of the employment process, from recruitment to termination.
- Regulated entities may be required to include non-disclosure clauses within staff agreements. To mitigate insider threats, some jurisdictions require new employees to complete a screening and background verification process, while existing employees undergo a mandatory reverification process at regular intervals.
- In some jurisdictions, regulators assess each bank’s cyber-risk appetite, considering such factors as the bank’s business model, core business strategy and key technologies.
- Some jurisdictions view cyber-security as a critical business function, since a cyber-attack could lead to insolvency of individual entities or even to widespread disruption of the entire sector.
4. Architecture And Standards
- For most jurisdictions, general regulatory requirements for architecture and standards are not in place, or there is a lack of coverage. Only a small number of countries specifically highlight control considerations and substantial supervisory guidance for cyber-security architecture. Examples include –
- The US FFIEC IT Examination Handbook specifies that when discussing network architecture, supervisors should confirm that the diagrams are current, securely stored and reflective of a defence-in-depth security architecture.
- In Saudi Arabia, practices covering cybersecurity architecture are subject to a periodic self-assessment.
5. Cyber-Security Workforce
- The skills and competencies of cyber-workforces, their regulatory frameworks and the range of practices differ markedly across jurisdictions. Some jurisdictions have IT-specific standards that address the responsibilities of the IT workforce and information security functions, with particular attention to cybersecurity workforce training and competencies. Their range of supervisory practices covers the assessment of team divisions, staff expertise (background and security checks of cyber-security specialists), the staff training processes and the adequacy of funding and resources to implement the organization’s cybersecurity framework.
- The majority of regulators assess the cyber-security workforce of the institutions through on-site inspections, where they talk to relevant specialists. Self-assessment questionnaires are becoming common practice. Training processes are particularly scrutinized.
- Jurisdictions diverge in how they regulate the roles and responsibilities of the IT and information security staff –
- Some jurisdictions, including Argentina, Australia, the EU, Japan and Saudi Arabia, issue regulations specifically addressing IT staff’s roles and responsibilities.
- Sometimes regulations are embedded in a jurisdiction’s global governance framework, such as those issued in Switzerland.
- In regulations issued by Mexico, the US, and Saudi Arabia, regulatory requirements addressing the roles and responsibilities of the IT and information security functions are encompassed by requirements for the BoD and senior management.
- In South Africa, such regulations are included in the national cyber-security strategy.
Approaches To Risk Management, Testing And Incident Response And Recovery
- Observed practices on cyber-risk management, testing, and incident response and recovery fall into four areas –
- Methods for supervising cyber-resilience
- Information security controls testing and independent assurance
- Response and recovery testing and exercising
- Cyber-security and resilience metrics.
1. Methods For Supervising Cyber-Resilience
- Jurisdictions apply different approaches to supervise regulated institutions’ cyber-resilience. Guided by existing international and national legislation, a programme of supervision is agreed that spans financial and operational resilience matters.
- Half of the jurisdictions in the EU have internal guidance addressing the circumstances when the competent authority should conduct a cyber-security review. These include institutions’ own risk assessments, findings from on-site inspections or questionnaires, and incidents (eg cyber incident trend analysis).
- Assessments by risk specialists typically draw on documentary evidence including survey responses, physical inspections, incident reports and in-person meetings to assess the adequacy of controls in place. Many supervisory expectations are aligned with industry standards (eg COBIT, NIST), but the approach of supervisory assessments varies between jurisdictions.
- Most jurisdictions undertake off- and on-site reviews and inspections of regulated institutions’ information security controls to assess compliance with regulatory standards and alignment with good practice. Reviews tend to focus on governance and strategy, management and frameworks, controls, third-party arrangements, training, monitoring and detection, response and recovery, and information-sharing and communication.
- The number, type and nature of regulated institutions vary by jurisdiction, as does the size of the specialist risk teams of the regulator. Some jurisdictions (eg Australia, Brazil and Singapore) have developed approaches to equip front-line supervisors with knowledge and tools to assess (triage) IT risk issues. Additionally, a number of jurisdictions (eg Australia and the UK) have powers to appoint an auditor or other third party to provide a report to the regulator on a particular aspect of the regulated institutions’ risk management, including cyber.
- Industry engagement is used to either influence industry behavior, or to seek feedback and views to inform regulatory work. Common methods of engagement also include speaking at conferences and other communications to reach a range of regulated entities and industry participants. Some jurisdictions include third-party service providers in this engagement. In the EU, both the European Commission EU FinTech Lab and the EBA FinTech Knowledge Hub have organised events with regulators, supervisors, industry and third-party service providers. Communicating key messages through these channels can be faster and more responsive.
- Most jurisdictions (eg Australia, the EU, Hong Kong, Singapore and the US) recognize the importance of mapping and classifying business services and supporting assets and services as a basis for building resilience. A clear understanding of business services and supporting assets (and their criticality and sensitivity) can be used to design testing and assurance of end-to-end business services. This is typically completed as part of business impact analysis, recovery and resolution planning, reviewing dependency of critical services on external third parties, and scoping for assessments.
- Independent assurance also provides management and regulators with an evaluation of whether appropriate controls have been implemented effectively. Jurisdictions commonly also leverage the management information outputs of these activities, providing the regulator with another source of information for their own assessments.
- Cyber-security controls are implemented through risk-based decisions against a regulated institution’s risk appetite. Regulated institutions typically perform penetration testing of the information security controls applied to hardware, software and data in order to prevent, detect, respond to and recover from cyber-incidents.
- Supervisors review and challenge regulated institutions’ approach to testing controls and the remediation of issues identified. This can include reviewing survey responses, threat and vulnerability assessments, risk assessments, audit reports and control testing reports (eg penetration testing, health checks).
- Five EU jurisdictions have developed programs of regulator-led penetration tests, and three (the ECB, the Netherlands and the UK) have provided guidance for regulated institutions on how to test. Tests are typically voluntary, funded by the regulated institution and targeted at larger, more systemic institutions. The majority of directed penetration tests focus on regulated institutions’ protective and detective cyber-resilience capabilities, while a few also test response and recovery capabilities.
- Some jurisdictions use taxonomies of cyber-risk controls to understand whether there are any gaps in the coverage of their supervisory approach. Currently the taxonomies are jurisdiction-specific and do not rely on harmonized concepts and definitions. If an authority is unable to assess a particular type of control, for example because it has no supervisory approach, assessment method or the required skillset to assess the control, then that is identified as a gap.
3. Response And Recovery Testing And Exercising
- Evaluation of service continuity plans focuses on reviewing alignment with institutions’ risk management frameworks, the business continuity management strategies chosen, IT disaster recovery arrangements and data centre strategies.
- The majority of regulators require entities to establish a framework or policy for prevention, detection, response and recovery activities, including incident reporting.
- A few jurisdictions, such as China and India, have prescribed a cyber-incident response framework as a key component of cyber-governance.
- The US also has supervisory guidance regarding incident management, covering the identification of indicators of compromise, the analysis and classification of events, and the escalation and reporting of incidents.
- Some authorities, such as the Japanese Financial Services Agency (JFSA) and Bank of Japan, also focus on potential threats and information-sharing to minimize delays in reporting cyber-incidents.
- In Canada, the assessment of a bank’s internal and external communication plans and protocols seeks to determine if all relevant stakeholders are included, to avoid contagion.
- Several jurisdictions (eg Australia, Belgium, Hong Kong, Japan and the US) complete a supervisory review of post-incident learning. This is conducted through the discussion of regulated institutions’ response and the root cause analysis, without any standard practice.
- Joint Public-Private Exercising – Most supervisors and banks use exercises to train and practise how they would respond to an incident. Cross-border international exercises have made this more visible. Examples include the UK/US exercise Resilient Shield and the TITUS exercise in 2015, as well as the G7 exercise planned for 2018.
4. Cyber-Security And Resilience Metrics
- Some jurisdictions have developed cyber-security and resilience metrics by focusing on reported incidents, surveys, penetration tests and on-site inspections. None of these methodologies produce quantitative metrics or risk indicators comparable to standardised quantitative metrics where established data are available. Nevertheless, they can act as indicators that provide information on regulated institutions’ approach to building and ensuring cyber-security and resilience more broadly. Supervisory authorities also rely on entities’ own management information, although this differs across entities and is not yet mature.
- It has traditionally been common for jurisdictions (and often regulated institutions themselves) to focus on backward-looking indicators of the performance of the technology function. These indicators are presented to Board members and executives as part of management information that regulators may review. But cyber-risk adversaries are dynamic, themselves adapting to institutions’ responses and protective measures, sometimes changing their tactics and strategies even in the space of a single cyber-incident. Hence, even though backward-looking metrics continue to be important, jurisdictions are increasingly recognizing the need for forward-looking indicators of cyber-resilience, indicating whether a regulated institution is likely to be more or less resilient in the event of a risk crystallizing.
- Most Basel Committee jurisdictions have put in place cyber-security information-sharing mechanisms, be they mandatory or voluntary, to facilitate sharing of cyber-security information among banks, regulators and security agencies. There are five types of information sharing:
- Sharing among banks,
- Sharing among banks and regulators,
- Sharing among regulators,
- Sharing from regulators to banks,
- Sharing from banks and regulators to security agencies.
- Among these five types of cyber-security information-sharing practices, sharing among banks, sharing from banks to regulators and sharing with security agencies are the most commonly observed.
- Sharing among regulators is the least observed type. This is partly due to the less systematic nature of information-sharing arrangements between regulators, where it can happen on an ad hoc basis at a bilateral level or within supervisory colleges, under specific circumstances.
- Information shared by banks and regulators includes cyber-threat information, information related to cyber-security incidents, regulatory and supervisory responses in case of cyber-security incidents and/or identification of cyber-threats, and best practices related to cyber-security risk management.
- Information related to cyber-security incidents is more widely observed in sharing from banks to regulators and with security agencies.
- Cyber-threat information/intelligence is the most common kind of information shared among banks.
- Various jurisdictions have put in place certain cyber-security information-sharing arrangements to facilitate more effective sharing of cyber-security information by banks and regulators. Full adoption of all types of information-sharing arrangements within a jurisdiction is still exceptional.
- For jurisdictions with observed practices of information-sharing among banks, there are less observed practices of information-sharing from regulators to banks. This is probably attributable to the lesser need for sharing by regulators to banks if an effective peer sharing mechanism among banks already exists.
- Similarly, jurisdictions with observed practices of information-sharing from banks to regulators display lower rates of sharing with security agencies, potentially due to the allocation of responsibilities for cybersecurity information processing among regulators and security agencies within a jurisdiction.
- For some of the jurisdictions, both mandatory and voluntary information-sharing arrangements are noted for the same type of information-sharing arrangement. This is because voluntary/mandatory sharing is sometimes applicable when different types of information are being shared, or when information is shared with different parties. For example, there is a mandatory requirement in Singapore for financial institutions to report relevant cybersecurity incidents to MAS, while cyber-threat information exchange between MAS and the Cyber Security Agency (CSA) is voluntary.
1. Sharing Among Banks
- Banks share information (eg knowledge of a cyber-security threat) with peer banks through established channels, mainly to allow peer banks to take more timely action in response to similar threats. Regulators in most jurisdictions are not directly involved in bank-to-bank information sharing but do play a role in facilitating the establishment of voluntary sharing mechanisms.
- Some jurisdictions have established public sector platforms to accomplish information-sharing initiatives while others have encouraged private sector development of information-sharing organizations. Three jurisdictions (Brazil, Japan and Saudi Arabia) have mandated cyber-security information-sharing among banks through regulations or statutes. Some jurisdictions have established public/private forums or government-led centers for information-sharing.
- Sharing of information and collaboration among banks depend on the financial industry’s culture and the level of trust among participants. Experience shows that a two-level information-sharing structure, through which information is first shared at the interpersonal level with a closer group and then exchanged at the company level with a broader group of banks, helps build trust in the system.
2. Sharing From Banks To Regulators
- The sharing of cyber-security information from a bank to its regulator(s)/supervisor(s) is generally limited to cyber-incidents based on regulatory reporting requirements. Such requirements are mainly established to:
- enable systemic risk monitoring of the financial industry by regulator(s);
- enhance regulatory requirements or issue recommendations by regulator(s) to adjust policies and strategies based on information collected;
- allow appropriate oversight of incident resolution by regulator(s);
- facilitate further sharing of information with industry and regulators to develop a cyber-risk response framework.
- Reporting requirements are established by different authorities for specific purposes depending on their mandate (eg supervisory and regulatory functions, consumer protection etc.). Nearly all institutions regulated in the EU are required to report cyber-security incidents to the competent authorities. The requirements stem from supervisory frameworks (such as the Single Supervisory Mechanism (SSM) cyber-incident reporting framework), EU directives (PSD2, NIS) and local law. Some requirements also include the obligation to submit a root cause analysis for the incident, or a full post-mortem or lessons learnt after the incident.
- While many of the supervisors focus only on reporting and tracking incidents that have already taken place, some require proactive monitoring and tracking of potential cyber-threats because concerns about reputational risk may lead to a delay in incident reporting by the regulated entity.
- Based on these considerations, different reporting frameworks are also observed. These range from formal communications to informal communications (eg free-text updates via email or verbal updates over the phone).
- Differences are noted in:
- taxonomy for reporting;
- reporting time frame (immediately, after two hours, after four hours and after 72 hours are examples of practices observed);
- templates;
- threshold to trigger incident reporting.
- All incident reporting processes are one-directional, from a bank to an authority, although an informal flow back can be used for alerting firms in case of an incoming threat.
3. Sharing Among Regulators
- Regulators share information with fellow regulators, be they domestic or cross-border, as appropriate according to established mandatory or voluntary information-sharing arrangements.
- Cyber-security information shared among regulators may include regulatory actions, responses and measures. Considering the different types of cyber-security information-sharing, information-sharing among regulators is the least observed practice across jurisdictions, although it is expected that many informal and ad hoc communication channels exist, such as through supervisory colleges and memoranda of understanding.
- Cyber-fraud is becoming more sophisticated and cross-jurisdictional, and sharing of cyber-security information among regulators could assist in maintaining awareness of the cyber-threat situation so that timely guidance can be provided to banks to protect financial systems against cyber-fraud.
4. Sharing From Regulators To Banks
- Information-sharing from regulators to banks occurs through established channels, based on the information the regulator receives both from banks and other sources.
- Various jurisdictions (eg Australia, China, Korea, Saudi Arabia, Singapore, Turkey and the US) have established clear guidance in the form of standards and practices to enable cyber-security information-sharing by regulators to banks. In these jurisdictions, information flows from the bank to the regulator, and the regulator assesses the risk to the financial industry and shares the information with the industry, as appropriate, based on the risk assessment. In cases where the information is sensitive (eg contains customer-specific or bank-specific information), the regulator anonymizes or summarizes it to allow sharing.
- Regulators with a regulator-to-bank sharing mechanism use informal channels such as industry sharing platforms (eg industry forums), meetings and informal communications to disseminate information to the banks. In cases where non-public information is obtained by regulators, it is shared with selected parties via informal meetings or other informal communication vehicles, so as to preserve the anonymity and confidentiality of the institution(s)/bank(s) impacted by a cyber-attack, and to maintain banks’ confidence and trust in the regulators generally.
- Mandatory requirements for regulators to share information with banks have been established in only a few jurisdictions (eg China). A few other jurisdictions have put in place practices for voluntary sharing (eg Singapore, the UK).
- Classification of information can ensure that the appropriate audience receives the appropriate information, and helps to build trust between regulators and banks.
5. Sharing With Security Agencies
- In jurisdictions that operate a Computer Emergency Readiness Team (CERT) or similar security agency, these agencies may act as focal points for cyber-security incident notification. Banks or regulators share cyber-security information with these agencies for broader circulation of information and collaboration with other sectors within the country (eg public sector, civilian sector, computer community).
- While most jurisdictions adopt a voluntary approach, a few jurisdictions mandate formal sharing requirements –
- In the US, an online portal is available for cyber-security information to be submitted to the National Cyber-security and Communications Integration Center and the US CERT.
- In Luxembourg, the Computer Incident Response Center (CIRCL) has established a Malware Information-sharing Platform (MISP) to gather, review, report and respond to computer security threats and incidents. The MISP allows organizations to share information about malware and their indicators. The aim of this trusted platform is to help improve the countermeasures used against targeted attacks and set up preventive actions and detection.
- For jurisdictions with mandatory requirements for cyber-security incident information-sharing with national security agencies (Canada, France, Singapore and Spain), the sharing arrangements are bilateral in general. Instead of requiring banks or regulators to share all cyber-security incidents, these jurisdictions require cyber-security incidents affecting key operators of critical infrastructure to be reported.
- Some jurisdictions have established procedures for relevant information to be exchanged voluntarily and bring together relevant parties for coordination of responses to incidents. In the UK, the Authorities Response Framework can be invoked by financial authorities to bring together the Financial Conduct Authority (FCA), the Bank of England, the Treasury, the National Crime Agency and the National Cyber-security Centre to coordinate their response to a cyber-security incident.
Interconnections With Third Parties
- Extensive use of third-party services increases the challenge for jurisdictions and regulated institutions themselves to have full sight of the controls in place, and the level of risk. For the purpose of identifying the range of practices in relation to cyber-resilience, “third parties” is understood in a broad sense, including:
- all forms of outsourcing (including cloud computing services)
- standardised and non-standardised services and products that are typically not considered outsourcing (power supply, telecommunication, commercial hardware and software, etc)
- interconnected counterparties such as other institutions (financial or not) and FMIs (eg payment and settlement systems, trading platforms, central securities depositories etc.)
- Cyber-resilience practices in relation to third parties are analysed across the following areas:
- Governance of third-party interconnections
- Business continuity and availability
- Information confidentiality and integrity
- Specific expectations and practices regarding visibility of third-party interconnections
- Auditing and testing
- Resources and skills
1. Governance Of Third Party Connections
A. Widespread Expectations and Practices –
- Regulations across different jurisdictions require that institutions develop a management- and/or board-approved outsourcing (or organizational) framework that defines
- the applicable roles and responsibilities,
- the outsourceable activities and concrete conditions for outsourcing,
- the specific risks that need to be analyzed (either prior to selection of a provider or when substantially amending/renewing an agreement), and
- recurrent obligations (such as monitoring procedures or regular risk assessments).
- Regulators typically also require that institutions implement a contractual framework, defining generic rights, obligations, roles and responsibilities of the institution and the service provider.
- As regards supervisory practices, the following activities appear to be widespread:
- Intrusive on-site inspections with respect to cyber-risk in relation to outsourcing. During such inspections, the outsourcing framework, the applicable processes and the completeness and adequacy of specific risk assessments and contracts will typically be reviewed.
- As part of their off-site supervision practices, most jurisdictions receive periodic statements or reports that assess the outsourcing policies and risks at the financial institution. These reports will typically contain statements on the existence and adequacy of outsourcing policies, processes, risk assessments and contracts.
B. Expectations on the Scope of the Ecosystem and Management of Third Parties
- Some international standards explicitly recognise that institutions may critically depend on third-party interconnections, other than those that are typically considered outsourcing. The CPMI-IOSCO guidance on cyber-resilience for FMIs discusses the identification of cyber-risks and the coordination of resilience efforts from the perspective of the ecosystem of an FMI. The ISO 27031 standard specifies requirements for hardware, software, telecoms, applications, third-party hosting services, utilities and environmental issues, such as air conditioning, environmental monitoring and fire suppression.
- Some jurisdictions require that financial institutions enter into a prior agreement with their clients when they offer financial services via the internet that involve the consultation and management of personalized data or carrying out transactions.
- In Luxembourg, authorities have put in place a specific regulation for companies that supply specialized services to financial institutions.
- Consistent with the expanding scope of supervisory scrutiny of regulated entities, in Europe legal mandates that regulate interaction between institutions, supervisors and third-party providers are provided by the MiFID II Directive, and 12 competent authorities can directly review third parties involved in IT services.
- Some jurisdictions impose specific requirements that at least one data center for cloud computing services be located in the country or region (e.g. in the EU), or that data ownership, control (Australia) and location (Brazil and France) be identified and monitored as part of the outsourcing agreement.
- Some jurisdictions (Germany, Singapore and Switzerland) further require a contractual clause that reserves the right for institutions to intervene at, or give directives to, the service provider.
- Most jurisdictions also require either prior notification or prior authorization of material (cloud) outsourcing activities. To this end, jurisdictions have created questionnaires/templates (sometimes specifically for IT outsourcing or cloud computing).
- New expectations for secure development and procurement of products and services also contribute to making regulations and practices future-proof. In particular, specific requirements (e.g. regarding “internet of things” systems in Japan) are in place for systems to be designed, developed and operated under the principle of security by design, considering that many individual devices, applications and systems will be interconnected in the future, providing new opportunities and possibly introducing new vulnerabilities.
C. Observed Supervisory Practices
- Supervisors have been using traditional supervisory tools in order to ensure that the standard practices are followed. Third-party providers can be reviewed during on-site reviews and inspections, either on the basis of formal requirements or authority (as is done in Hong Kong, Singapore and the US) or based on cooperation from service providers. For example, Australia engages with systemically important third-party service providers which host critical systems for regulated institutions. Periodic engagements are voluntary and allow for a more open discussion of relevant strategy, governance, customer engagement, controls and capabilities (including those pertaining to cyber).
- Supervisors can work directly with cloud suppliers on formal or informal grounds, for example to include the right to audit in contracts for the financial industry (as in the Netherlands) or to take part in regulatory summits organized by major cloud providers (including for discussions of assurance frameworks).
- A “supervisory college” model can be established to supervise and share information about large, internationally active service providers (particularly cloud providers) to address the blind spots resulting from mandate limitations and regulatory fragmentation.
2. Business Continuity And Availability
- To safeguard the availability and continuity of critical business activities in case of exceptional events or crises (e.g. cyberattacks), regulators typically request that financial institutions analyze these activities, to design and implement appropriate plans, procedures and technical solutions, and to adequately test mitigating measures. The same holds true where critical business activities depend on interconnections with third parties, with regulations stressing the importance of aligning the business continuity plans of critical suppliers (and their subcontractors) with the needs and policies of the financial institution in terms of continuity and security.
- It is common practice to request that recovery and resumption objectives be defined for critical business activities from an end-to-end perspective. Typical activities and services that are considered by regulators are cloud outsourcing, settlement processes or internet services offered to customers.
- Most regulators and international standards expect financial institutions to test protective measures periodically in order to verify their effectiveness and efficiency, based on realistic and probable disruptive scenarios, conducted at least on a yearly basis. These tests should typically be complemented by audits and monitoring activities of the outsourcing vendors.
3. Information Confidentiality And Integrity
- Confidentiality and integrity of information for third-party interactions are commonly addressed in general data protection requirements, through explicitly requiring contractual terms to include confidentiality agreements and security requirements for safeguarding the bank’s and its customers’ information. In addition, banks are generally required to take appropriate steps to ensure that the CPMI-IOSCO guidance on cyber-resilience is followed. For example, a financial market infrastructure should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and enable itself to complete settlement by the end of the day of the disruption.
- A growing number of jurisdictions (e.g. Luxembourg) have cloud-specific requirements, which range from requirements that information transferred to the cloud be subject to a contractual clause and that different cloud-specific issues be considered to ensure data security, to more specific requirements on data location, data segregation, data use limitations, security and exit.
- In a number of jurisdictions, regulations explicitly include expectations that outsourcing arrangements comply with legal and regulatory provisions on protection of personal data, confidentiality and intellectual property.
4. Expectations For Visibility Of Third Party Connections
- In many jurisdictions the supervisory authority requests that supervised institutions disclose their material outsourcing agreements and imposes some conditions on them, including that the supervised entity preserve a minimum level of visibility on the outsourced functions.
- Supervised institutions are commonly expected to maintain an inventory of outsourced functions and to receive regular reports from service providers, mainly about measurements of service level agreements and the appropriate performance of controls. Some jurisdictions also require sub-outsourcing activities to be visible to the supervised entities so that the associated risks can also be managed.
- Analysis of supervisory expectations for the visibility of third-party connections shows that the scope, format and content of supervisory authorities’ information requests about material outsourcing vary greatly across jurisdictions. The current practices inspired by the various expectations set at national supervisory level and by international guidance play a complementary role.
5. Auditing And Testing
- Supervisory expectations regarding the audit of third parties (internal and/or external) are aligned in two areas.
- First, the majority of the requirements state the necessity for the supervised organizations to guarantee the “rights to inspect and audit” their service providers. Some jurisdictions require that this right be cascaded to the significant subcontractors while other jurisdictions (France, Switzerland, Singapore) have granted this right directly to supervisory authorities.
- Second, for several jurisdictions the audit opinion on the outsourcing arrangements may be formed based on the report of the service provider’s external auditor. Others accept pooled audits, organized by multiple financial institutions, or audits performed by the internal audit department of a service provider, under the condition that the audit department comply with certain regulatory conditions.
- Current regulations focus on traditional outsourcing and, in some cases, cloud computing providers. The scope of the requirements for “rights to inspect and audit” critical third parties is nonetheless still focused on the strict banking sector. Shared and independent audit reporting on the critical interconnections with third parties could therefore improve the effectiveness and efficiency of the audit approach.
- As regards testing of the security requirements for outsourcing and cloud computing providers, although institutions are generally required to monitor their providers’ compliance, most regulations are not aligned in terms of how compliance should be verified or tested. One possible method is the application of supervisor-led or bank-led (intelligence-based) red teaming exercises focused on interconnections. In the EU, the scope of the TIBER-EU test appears to include the institution’s critical functions that are outsourced to third-party service providers.
6. Resources And Skills
- The Basel Committee’s Sound Practices on Implications of fintech developments for banks and bank supervisors, published in February 2018, indicate that banks may require specialist competencies to assess whether their risk functions are capable of maintaining effective oversight of the emerging risks posed by new technologies.
- Regulators expect that the relevant personnel have the necessary expertise, competencies and qualifications to effectively monitor outsourced services or functions and are able to manage the risks associated with the outsourcing beyond the mere compliance dimension.
- Regulators expect that institutions contract sufficient and qualified personnel to ensure continuity in managing and monitoring outsourced services or functions, even if key personnel leave the institution or become otherwise unavailable. When institutions do not have internal resources sufficient in know-how or number, the general expectation is that external experts or technical resources, such as consultants or specialists, would be proactively identified to complement or supplement in-house personnel.
- In Belgium, institutions are required to provide a monitoring and replacement plan for employees who are crucial for ensuring the proper functioning of the critical activities, services and resources and who are difficult to replace due to their specific expertise and limited number.
- As with the regulatory expectations, supervisory practices mostly involve assessing the human resources and qualifications for managing third-party connections and relationships, usually during on-site inspections. In those jurisdictions where financial supervisors have the authority to examine third parties directly, they assess the sufficiency and qualifications of staff at the third parties, and expect the third parties to perform appropriate background checks.
- Personnel who are Certified Information Systems Security Professionals (CISSPs), or an organisation that conforms to the ISO 9001 Quality Management System, could provide additional assurance that personnel have the necessary competencies to manage third-party connections.