- Appendix A: Overview of Relevant Groupings and their Membership
- Appendix B: Overview of Existing FinCERTs
- Appendix C: Sector-specific Statements by U.S. Government
- Appendix D: Bipartisan Letter from U.S. Congressmen
- Appendix E: Project Roadmap
- Appendix F: Advisory Group
- Appendix G: Stakeholder Engagements
- Appendix H: Compendium Of Actors
Appendix A: Overview of Relevant Groupings and their Membership
|Members of the G20||Major Financial Markets||Members of the G10||Major Cyber Powers||States With Global Systemic Insurers||States With Global Systemic Banks||Globally Systemically Important Insurers1||Globally Systemically Important Banks2|
|UK||UK||UK||UK||UK (2)||UK (4)||Aegon||Agricultural Bank of China|
|United States||United States||United States||United States||United States (3)||United States (8)||Allianz||Bank of America|
|China||China||China||China (1)||China (4)||AIG||Bank of China|
|Germany||Germany||Germany||Germany (1)||Germany (1)||Aviva||Bank of New York Mellon|
|France||France||France (1)||France (3)||AXA||Barclays|
|Japan||Japan||Japan||Japan (3)||MetLife||BNP Paribas|
|Canada||Canada||Canada||Canada (1)||Ping An||China Construction Bank|
|Russia||Russia||Prudential Financial||Crédit Agricole|
|Mexico||Industrial and Commercial Bank of China|
|South Africa||JPMorgan Chase|
|South Korea||Mitsubishi UFJ FG|
|Hong Kong||Morgan Stanley|
|Switzerland||Switzerland||Switzerland (2)||Royal Bank of Canada|
|United Arab Emirates||Standard Chartered|
|Sweden||Sweden (1)||State Street|
|Belgium||Sumitomo Mitsui FG|
|Netherlands||Netherlands (1)||Netherlands (1)||Toronto Dominion|
1 Financial Stability Board, “2016 List of Global Systemically Important Insurers (G-SIIs),” November 21, 2016, https://www.fsb.org/wp-content/uploads/2016-list-of-global-systemically-important-insurers-G-SIIs.pdf.
2 Financial Stability Board, “2019 List of Global Systemically Important Banks (G-SIBs),” November 22, 2019, https://www.fsb.org/wp-content/uploads/P221119-1.pdf.
Appendix B: Overview of Existing FinCERTs
|Public Sector FinCERTs|
|G7||France||CERT Banque de France / CERT Caisse des Dépôts|
|UK||NCSC / Bank of England Cyber Defence Centre|
|Italy||CERT Banca d’Italia|
|Other Government||Denmark||Nordic Financial CERT|
|Finland||Nordic Financial CERT|
|Iceland||Nordic Financial CERT|
|Norway||Nordic Financial CERT|
|Portugal||CSIRT Banco de Portugal|
|Russia||Russia FinCERT (Central Bank of Russia)|
|Singapore||Financial Sector Security Operations Centre (FS-SOC, Monetary Authority of Singapore)|
|South Korea||Financial Security Institute CERT|
|Sri Lanka||Sri Lanka FinCSIRT (Central Bank of Sri Lanka)|
|Sweden||SBAB-SIRT (SBAB Bank AB)|
|Sweden||Nordic Financial CERT|
|Tunisia||Tunisian Financial CERT|
|Multilateral||OCINT-CSIRT||World Bank Group|
|EU||CSIRT-ECB (European Central Bank)|
This list does not include the national cybersecurity agencies, CIRTs, CSIRTs, or CERTs that provide services to but are not exclusively focused on the financial sector.
|Financial Institution CERTs (TF-CSIRT and/or FIRST accredited)|
|Australia||CBAcert (Commonwealth Bank of Australia)|
|Australia||nabCERT (National Australia Bank)|
|Austria||Raiffeisen Informatik CERT|
|Belgium||KBC Group CERT|
|Canada||BMO InfoSec Incident Response Team|
|Canada||TDBFG CSIRT (TD Bank)|
|China||Alibaba Security Response Center|
|Colombia||CSIRT Financiero Asobancaria|
|Czech Republic||CSIRT CSAS|
|Czech Republic||NN-Group CSIRT|
|Denmark||JN Data Cyber Defence Center|
|Denmark||NetsCERT (Nets A/S)|
|France||CERT-AG (Crédit Agricole)|
|France||CSIRT BNP Paribas|
|France||CERT Groupe BPCE|
|France||CERT SG (Société Générale)|
|France||CERT La Poste|
|Germany||Deutsche Bank Cyber Threat Response Team|
|Germany||S-CERT (German Savings Banks Organization)|
|Germany||Clearstream—Deutsche Boerse AG CERT|
|Greece||Alpha Bank CSIRT|
|Italy||Intesa Sanpaolo CSIRT|
|Japan||Mitsubishi UFJ Financial Group (CERT Japan)|
|Japan||Hitachi Incident Response Team|
|Malaysia||Standard Chartered Cyber Defence Centre|
|Netherlands||Rabobank Cyber Defense Center|
|Norway||DNB Cyber Defence Center|
|Norway||SpareBank 1 Incident Response Team|
|Poland||CERT PKO Bank Polski|
|Poland||CERT BIK (Biuro Informacji Kredytowej)|
|Poland||Polish Financial CERT (Polish Bank Association)|
|South Africa||Standard Bank Group CSIRT|
|Spain||CaixaBank Team CSIRT|
|Spain||Santander Global CERT|
|Switzerland||Bank Vontobel CERT|
|Thailand||Thailand Banking Sector CERT (Thai Bankers’ Association)|
|UK||ISPIRIT (Barclays Information Security and Privacy)|
|UK||Royal Bank of Scotland, Investigation and Threat Management|
|Ukraine||KredoBank Cybersecurity Center|
|U.S.||Bank of America/Merrill Lynch Computer Incident Response Team (CIRT)|
|U.S.||Capital Group Security Intelligence Response Team|
|U.S.||Fidelity Intelligence Operations CERT|
|U.S.||JPMC-GCS (JPMorgan Chase Global Cyber Security)|
|U.S.||Morgan Stanley CERT|
|U.S.||US Bank CSIRT|
|U.S.||Wells Fargo Security Operation Center|
Appendix C: Sector-specific Statements by U.S. Government
- Election-specific: On July 31, 2018, then U.S. secretary of homeland security Kirstjen Nielsen issued the following sector-specific declaratory statement:
Let me be clear in this, ANY attempt to interfere in our elections is a direct attack on our democracy, it is unacceptable, and it will not be tolerated. Mark my words: America will not tolerate this meddling. . . . Let me also again take this opportunity today to issue a warning, as I have in other speeches, to any foreign power that would consider meddling in our networks or in the affairs of our democracy: The United States will no longer tolerate your interference. You will be exposed. And, you will pay a high price.1
- Health sector-specific: On April 17, 2020, U.S. Secretary of State Mike Pompeo issued the following sector-specific warning:
Malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results. Anyone that engages in such an action should expect consequences. We call upon the actor in question to refrain from carrying out disruptive malicious cyber activity against the Czech Republic’s healthcare system or similar infrastructure elsewhere. We also call upon all states not to turn a blind eye to criminal or other organizations carrying out such activity from their territory.
The United States has zero tolerance for malicious cyber activity designed to undermine U.S. and international partners’ efforts to protect, assist, and inform the public during this global pandemic. Such activity against critical civilian infrastructure is deeply irresponsible and dangerous. The United States promotes a framework of responsible state behavior in cyberspace, including nonbinding norms regarding states refraining from cyber activities that intentionally damage critical infrastructure and knowingly allowing their territory to be used for malicious cyber activities. When states do not abide by this framework, we hold them accountable.2
- Health sector-specific: In May 2020, the United States joined Australia, the Czech Republic, Estonia, Japan, and Kazakhstan in proposing that the OEWG report reflect that:
The OEWG developed its report in the context of the COVID-19 pandemic. In these circumstances, the OEWG underscored that all states considered medical services and medical facilities to be critical infrastructure for the purposes of norms (f) and (g),” adding that “In providing guidance for the implementation of these norms, States should note that highlighting particular sectors as critical infrastructure is not intended to be an exhaustive list and does not impact on the national designation, or not, of any other sector, nor does it implicitly condone malicious activity against a category not specified.3
1 Kirstjen M. Nielsen, “National Cybersecurity Summit Keynote Speech” (Speech, National Cybersecurity Summit, New York City, New York, July 31, 2018), https://www.dhs.gov/news/2018/07/31/secretary-kirstjen-m-nielsen-s-national-cybersecurity-summit-keynote-speech.
2 Michael A. Pompeo, “The United States Concerned by Threat of Cyber Attack Against the Czech Republic’s Healthcare Sector,” Press Statement, April 17, 2020, https://www.state.gov/the-united-states-concerned-by-threat-of-cyber-attack-against-the-czech-republics-healthcare-sector/.
3 “Malicious Cyber Activity against Healthcare Services and Facilities: Joint OEWG Report Proposal from Australia, Czech Republic, Estonia, Japan, Kazakhstan and United States of America,” Open Ended Working Group, Spring 2020, https://www.dfat.gov.au/sites/default/files/joint-oewg-proposal-protection-health-infrastructure.pdf.
Appendix D: Bipartisan Letter from U.S. Congressmen
Appendix E: Project Roadmap
Appendix F: Advisory Group
|GOVERNMENT||1||Lyndon Nelson, Co-chair of G7 Cyber Experts Group||Bank of England|
|2||Paolo Ciocca, Commissioner of CONSOB||CONSOB, Italy|
|3||Art Lindo, Deputy Director, Division of Supervision and Regulation||Federal Reserve Board, United States|
|4||Tobias Feakin, Ambassador for Cyber Affairs and Critical Technology||Department of Foreign Affairs and Trade, Australia|
|5||Yeow Seng Tan, Chief Cyber Security Officer||MAS, Singapore|
|6||Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy||Federal Department of Foreign Affairs, Switzerland|
|INDUSTRY||7||Cheri McGuire, (former) Chief Information Security Officer||Standard Chartered|
|8||Cameron “Buck” Rogers, Global Head of Resilience Advisory Function||HSBC|
|9||Natasha de Teran, (former) Head of Corporate Affairs||SWIFT|
|10||Rahul Prabhakar, Principal, Security Assurance||Amazon Web Services|
|11||Valerie Abend, Managing Director, Global Financial Services Cybersecurity and Global Cyber Regulatory Practices||Accenture|
|12||Marc Radice, Head of International Affairs||Zurich Insurance Group|
|13||Jason Witty, Global Chief Information Security Officer||JPMorgan Chase|
|14||Mark Morrison, Chief Information Security Officer (and chair of the cybersecurity working group of the World Federation of Exchanges)||Options Clearing Corporation|
|15||Sultan Meghji, Co-founder and CEO||Neocova|
|16||Ramy Houssaini, Global Chief Cyber and Technology Risk Officer and Group Data Protection Officer||BNP Paribas|
|OTHER||17||Jennifer Elliott, Division Chief, Technical Assistance Strategy, Monetary and Capital Markets||IMF|
|18||Belisario Contreras, Manager, Cyber Security Programme||OAS|
|19||Steven Silberstein, CEO||FS-ISAC|
|20||Alois Zwinggi, Member of the Managing Board, Head of the Centre for Cybersecurity||World Economic Forum|
|21||Boris Ruge, Ambassador and Vice-Chairman||Munich Security Conference|
|22||Dmitri Alperovitch, Co-founder and (former) Chief Technology Officer||CrowdStrike|
|23||Lisa Monaco, Distinguished Senior Fellow||NYU School of Law, Reiss Center on Law and Security|
|24||Juan Zarate, Chairman and Co-founder||Financial Integrity Network|
Appendix G: Stakeholder Engagements
Carnegie hosted a series of stakeholder engagements for this project in addition to briefings to various associations, regulatory bodies, and other interested stakeholders, including:
Governments, Central Banks, and Financial Authorities
Australian Government Department of Foreign Affairs and Trade
Australian Prudential Regulation Authority
Bank of Canada
Bank of England
Bank of France
Bank of Italy
Bank of Japan
Bank of Kenya
Bank of Spain
Canadian Office of the Superintendent of Financial Institutions
Chilean Computer Security Incident Response Team
Cyber Security Agency of Singapore
Department of Finance Canada
Dutch Central Bank (DNB)
Dutch Ministry of Foreign Affairs
Estonian Ministry of Foreign Affairs
Federal Reserve Bank of New York
French Ministry for the Economy and Finance
French Ministry of Europe and Foreign Affairs
German Ministry of Finance
HM Treasury (UK)
Israeli Ministry of Finance
Italian Ministry of Economy and Finance
Japanese Financial Services Agency
MELANI, Swiss Federal Intelligence Service
Mexican Ministry of Foreign Affairs
Mexican National Banking and Securities Commission
Monetary Authority of Singapore
National Bank of Georgia
National Security Research Institute, Republic of Korea
New York State Department of Financial Services
New Zealand Ministry of Foreign Affairs and Trade
Philippine Central Bank
Reserve Bank of Australia
Swiss Federal Department of Foreign Affairs
U.S. Cyberspace Solarium Commission
U.S. Department of Homeland Security
U.S. Department of Labor
U.S. Department of the Treasury
U.S. Federal Reserve Board
U.S. National Institute of Standards and Technology
U.S. Public Company Accounting Oversight Board
U.S. Secret Service
U.S. Securities and Exchange Commission
U.S. State Department
UK Financial Conduct Authority
UK National Cyber Security Centre
Bank for International Settlements
Basel Committee on Banking Supervision
Committee on Payments and Market Infrastructures
European Central Bank
European External Action Service
Financial Stability Board
Financial Stability Institute
Inter-American Development Bank
International Association of Insurance Supervisors
International Monetary Fund
International Organization of Securities Commissions
Office of the UN Secretary-General’s Special Advocate for Inclusive Finance
Organization of American States
UN Institute for Disarmament Research
UN Office for Disarmament Affairs
Financial Services Industry
Asia Securities Industry & Financial Markets Association
Association for Financial Markets in Europe
Bank of America
Bank Policy Institute
Business Round Table
Commonwealth Bank of Australia
Cyber Defence Alliance
Cyber Risk Institute
European Banking Federation
Financial Integrity Network
Financial Services Sector Coordinating Council
Financial Systemic Analysis and Resilience Center
Global Financial Markets Association
Institute of International Finance
Mitsubishi UFJ Financial Group
MUFG Union Bank
Options Clearing Corporation
Securities Industry & Financial Markets Association
Union Bank of India
World Federation of Exchanges
Zurich Insurance Group
Other Industry Stakeholders
Amazon Web Services
Cambridge Quantum Computing
Steptoe & Johnson
Albright Stonebridge Group
Alliance for Financial Inclusion
Better Than Cash Alliance
Bill & Melinda Gates Foundation
Center for Strategic and International Studies
Consultative Group to Assist the Poor
Cyber Threat Alliance
Cybersecurity Talent Initiative
Forum of Incident Response and Security Teams
Global Cyber Alliance
Global Forum on Cyber Expertise
International Committee of the Red Cross
Munich Security Conference
Centre for Intellectual Property and Information Technology Law
George Mason University
Korea University School of Law
Seoul National University of Science and Technology
U.S. Military Academy
University of Oxford
Appendix H: Compendium Of Actors
African Forum on Cybercrime: The African Forum on Cybercrime, convened by the African Union and first hosted in 2018, is an organized effort for African countries to facilitate international cooperation to fight cyber crime and strengthen law enforcement authorities in Africa through capacity-building. The African Forum receives support from the Council of Europe, the European Union, INTERPOL, the UN Office on Drugs and Crime (UNODC), and others.1
Alliance for Financial Inclusion (AFI): Founded by the Bill & Melinda Gates Foundation in 2008, the AFI is an advocacy and policy organization for financial inclusion, whose members are central banks and financial regulatory institutions.2 The AFI organizes the annual Global Policy Forums. In 2017, the AFI held a policy forum for cybersecurity and financial inclusion in Malaysia, in partnership with Bank Negara Malaysia.3 In November 2019, the AFI published “Cybersecurity for Financial Inclusion: Framework and Risk Guide,” which provides key principles and best practices to assist regulatory and supervisory authorities dealing with cybersecurity risk in the financial sector.4
Asia Securities Industry and Financial Markets Association (ASIFMA): ASIFMA is a financial industry trade association that represents financial institutions in Asia, particularly with the Monetary Authority of Singapore (MAS) and the Hong Kong Monetary Authority (HKMA).5
Association for Financial Markets in Europe (AFME): AFME is a financial industry trade association that represents financial institutions in Europe. AFME advocates for cybersecurity regulatory harmonization across the European Union.6
Association of Southeast Asian Nations (ASEAN) Regional Forum (ARF): The ARF is a forum consisting of ten countries from southeast Asia that is dedicated to regional stability and economic cooperation. The ARF has focused on cybersecurity capacity-building and confidence-building measures at a regional level, especially after the UN Group of Governmental Experts (UN GGE) failed to reach consensus in 2017. Countering transnational cyber crime was a core focus of the twentieth ARF in 2019.7
(Australia) AustCyber: Australia’s federal government established a nonprofit organization, AustCyber, to cultivate an Australian cybersecurity ecosystem,8 including building a pipeline for cybersecurity talent.
(Australia) Australian Cyber Security Centre (ACSC): The ACSC is the Australian government’s lead body on national cybersecurity issues, housed under the Australian Signals Directorate.9
(Australia) Australian Prudential Regulation Authority (APRA): APRA is an independent authority that supervises financial institutions and promotes financial system stability in Australia. In July 2019, APRA implemented new information security guidance for financial institutions, “Prudential Practice Guide CPG 234 Information Security.”10
(Australia) Australian Transaction Reports and Analysis Centre (AUSTRAC): AUSTRAC is Australia’s financial intelligence unit and has been involved in international cyber crime investigations with like-minded allies.11
(Australia) Council of Financial Regulators (CFR): The CFR is the coordinating body for Australia’s main financial regulatory agencies. In 2020, the CFR noted that “cyber risk is consistently ranked among the top risks to the Australian financial system.”12
(Australia) Fintel Alliance: The Fintel Alliance is a public-private partnership comprised of twenty-two public and private sector organizations, led by the Australian Transaction Reports and Analysis Centre (AUSTRAC), Australia’s national financial intelligence unit (FIU).13 The public-private partnership focuses primarily on domestic crime and works with ReportCyber to counter financial cyber crime.
(Australia) Reserve Bank of Australia (RBA): As Australia’s central bank, the RBA is tasked with maintaining financial stability. In its 2018 “Financial Stability Review,” the RBA recognized that “cyber security will be a core challenge for the financial system for years to come.”14
Bank for International Settlements (BIS): The BIS, the international organization of central banks, helps its members manage cyber risk and build resilience through key regulator stocktakes,15 convenings,16 consultations, and guidance.17 Most recently, the BIS established the Cyber Resilience Coordination Centre (CRCC) as part of its Innovation BIS 2025 strategy to facilitate collaboration on cyber resilience within the central bank community.18
Better Than Cash Alliance (BTCA): The BTCA is a global partnership administered by the UN Capital Development Fund (UNCDF) that supports governments, companies, and international organizations involved in the transition from cash to digital payments.19 The BTCA has created a series of toolkits for businesses, governments, and development partners and another series related to ecosystem diagnostics, payment measurements, and accelerators.20
Bill & Melinda Gates Foundation: Since 2010, the Gates Foundation has given over $350 million in grants to support its Financial Services for the Poor strategy, which promotes the development of digital payment systems, the advancement of gender equality, and the creation of national and regional financial inclusion strategies.21 The foundation invests in national financial inclusion initiatives in Africa, South Asia, and Southeast Asia.22
(Canada) Bank of Canada: As Canada’s central bank, the Bank of Canada is tasked with ensuring financial stability. The bank’s “2019–2021 Cyber Security Strategy” assumes that cyber breaches are inevitable and outlines strategic actions to “enhance the cyber resilience of the Canadian financial system.”23 The Bank of Canada contributed to a 2016 report from the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO): “Guidance on Cyber Resilience for Financial Market Infrastructures.” The bank also participates in the G7 Finance Track Cyber Expert Group (CEG).24
Charter of Trust: At the 2018 Munich Security Conference, a group of CEOs of major multinational companies, led by Siemens, launched the Charter of Trust. This charter aims to develop standards to ensure greater digital security and integrity in both the public and private sectors. The Charter of Trust has three primary goals: to protect the data of individuals and businesses; to prevent harm to people, businesses, and infrastructure; and to establish a reliable basis to ensure confidence in digital assets.25
(China) Cyberspace Administration of China (CAC): The CAC is the central agency for cybersecurity oversight and data governance in China. However, cybersecurity governance in China is rapidly evolving and there is some ambiguity about who, between China’s financial regulators and the CAC, holds ultimate authority over cybersecurity supervision of financial institutions.26
(China) China Banking and Insurance Regulatory Commission (CBIRC): CBIRC was established in 2018 when the China Banking Regulatory Commission and the China Insurance Regulatory Commission merged. CBIRC’s Statistics, IT and Risk Surveillance Department is responsible for “information security, as well as information technology risk supervision of banking and insurance institutions.”27 CBIRC also oversees the “Guidelines on the Risk Management of Commercial Banks’ Information Technology,” published in 2009 under the CBRC.28
(China) People’s Bank of China (PBOC): PBOC is China’s central bank. It works closely with the Cyberspace Administration of China (CAC) and financial authorities to develop cybersecurity requirements for financial institutions. In February 2020, PBOC issued the “Personal Financial Information Protection Technical Specification,” a comprehensive guidance on handling financial data.29
Committee on Payments and Market Infrastructures (CPMI) and International Organization of Securities Commissions (IOSCO): The CPMI and IOSCO work closely together on cybersecurity issues but are two separate organizations. The CPMI, housed within the Bank for International Settlements (BIS), is a global standard setter for payment, clearing, and settlement in the financial system, and a forum for central bank cooperation on such functions. IOSCO is an international body for financial authorities that regulate securities and futures markets and is recognized as the global standard setter for the securities sector.30 In June 2016, CPMI-IOSCO released their joint “Guidance on Cyber Resilience for Financial Market Infrastructures,” which is regarded as the first internationally agreed upon guidance on cybersecurity for the financial industry.31
Consultative Group to Assist the Poor (CGAP): CGAP, an independent think tank focused on financial inclusion, housed at and administered by the World Bank, has developed a concept for regional cyber security resource centers to help low-income countries to address cybersecurity risks in digital financial services.32 In November 2019, CGAP published “Cyber Security in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion.”
CyberPeace Institute (CPI): The CPI was launched by Microsoft, Mastercard, the William & Flora Hewlett Foundation, and others in 2019 to reduce the “frequency, impact and scale” of cyber attacks on civilians and critical infrastructure. It focuses on attribution, advancement of international norms, and capacity-building. The CPI is based in Geneva, Switzerland.
Cyber Risk Institute (CRI): The CRI is a newly created private sector organization that maintains the Financial Services Sector Cybersecurity Profile. The CRI is affiliated with the Bank Policy Institute.
Cybersecurity Tech Accord: In April 2018, a group of companies led by Microsoft announced the Cybersecurity Tech Accord, a public commitment by multinational tech companies to protect and empower civilians online and improve the stability of cyberspace. Forty-four companies—including Cisco, Facebook, HP, Microsoft, Nokia, Oracle, and Trend Micro—have agreed to defend all customers, regardless of country, against malicious cyber attacks by state and nonstate actors.33
Cyber Threat Alliance (CTA): The CTA is a nonprofit organization that serves as a platform for information sharing among companies and organizations. CTA members are primarily cybersecurity service providers; the CTA is a partner with FS-ISAC.
Digital Financial Services (DFS) Observatory: The DFS Observatory, based at Columbia University, is currently developing a cybersecurity framework for digital financial services. It holds a curated library of DFS-related laws, regulations and policies.34
Digital Geneva Convention: After many years of engaging in international cybersecurity policy discussions, in 2017 Microsoft President Brad Smith stepped up Microsoft’s engagement by publicly calling for a Digital Geneva Convention. The multistakeholder initiative called for nation-states to refrain from launching cyber attacks on industry, national critical infrastructure, and intellectual property. Additionally, the proposal encouraged the tech sector to adopt shared principles, such as consumer protection and political neutrality. Microsoft also proposed establishing a nongovernmental global cyber attribution organization to independently investigate systemically important cyber incidents.35
(EU) Cyber Information and Intelligence Sharing Initiative (CIISI-EU): In February 2020, the European Union Agency for Cybersecurity (ENISA), the European Cybercrime Centre (EC3), and the Euro Cyber Resilience Board within the ECB established the CIISI-EU, with the aim of “bringing central banks, clearing houses, stock exchanges, and payment system providers together in order to share expertise with the purpose of protecting the European financial system from cyberattacks.”36
(EU) EU Law Enforcement Emergency Response Protocol: In March 2019, in response to WannaCry and NotPetya, the Council of Europe adopted the EU Law Enforcement Emergency Response Protocol, which clarified roles and responsibilities, and communication procedures for EU law enforcement. In the fall of 2019, the European Union Agency for Cybersecurity (ENISA) and the European Cybercrime Centre (EC3) organized CyLEEx19, a cyber law enforcement exercise, to test the EU Law Enforcement Emergency Response Protocol. The exercise brought together cyber crime investigators and experts from the public and private sectors and simulated a ransomware attack on the EU’s financial sector.37
(EU) European Banking Authority (EBA): In late 2019, the EBA published its “Guidelines on ICT and Security Risk Management,” to go into full force in June 2020.38 Among other things, these guidelines call for firms to conduct “business impact analysis by analyzing their exposure to severe business disruptions.”39 In February 2019, the EBA also published its outsourcing guidelines.40
(EU) European Banking Federation (EBF): EBF is a financial industry trade association that represents financial institutions in Europe. EBF represents the interests of financial institutions when negotiating cybersecurity regulation with European authorities like the European Banking Authority (EBA), the European Union Agency for Cybersecurity (ENISA), the European Central Bank, and the European Commission.41
(EU) European Central Bank (ECB): As the eurozone’s central bank, the ECB is focused on maintaining the cyber resilience of its members’ financial system. In 2020, the ECB established the Euro Cyber Resilience Board (ECRB) for pan-European Financial Infrastructures, a forum for senior officials to advance cyber resilience policy. In 2019, the ECB published the Cyber Resilience Oversight Expectations (CROE), which provides guidance to FMIs and supervisors about cyber resilience expectations. Additionally, it published TIBER-EU, a penetration testing framework. The ECB also hosts UNITAS, a cybersecurity exercise that tests the resilience of crisis communications between supervisors and firms.
(EU) European Commission (EC): The EC, which functions as the executive branch of the European Union, has helped coordinate European supervisory authorities to focus on cyber risk in the financial system. Recently, in December 2019, the EC launched a consultation, “Digital Operational Resilience Framework for Financial Services: Making the EU Financial Sector More Secure.”42
(EU) European Union Agency for Cybersecurity (ENISA): ENISA was established in 2004 with the aim of strengthening cybersecurity expertise, policy, and capacity across the European Union. ENISA works closely with the European Cybercrime Centre (EC3) and was one of the founding members of the European Financial Institutes—Information Sharing and Analysis Centre (European FI-ISAC).43
(EU) Europol Cybercrime Centre (EC3): EC3 is the primary law enforcement unit within Europol to combat cyber crime. EC3 coordinates an Advisory Group on Financial Services that brings together experts from major financial institutions to provide private sector insight into the fight against cyber crime in Europe. The advisory group played a supporting role in the arrest of a leader of the Carbanak/Cobalt cyber crime group.44
(EU) Global Action on Cybercrime Extended (GLACY+): GLACY+ is a joint effort of the EU and the Council of Europe to build up capacity to combat cyber crime in fifteen priority and hub countries in Africa, Asia-Pacific, Latin America, and the Caribbean region.45
Financial Action Task Force (FATF): The FATF was created in 1989 through the G7, initially focusing on anti-money laundering and eventually expanding its activities to also focus on combating terrorist financing and nuclear proliferation. After some initial work on virtual currencies in 2014, and following growing concerns about this topic throughout 2017 and 2018, FATF has also become more involved in the debate about the governance of cryptocurrencies.46
Financial Services Information Sharing and Analysis Centre (FS-ISAC): FS-ISAC is a nonprofit industry consortium dedicated to cybersecurity information sharing across the global financial system. Over the past two decades, FS-ISAC’s membership has grown to nearly 7,000 members in over seventy jurisdictions.47 It now operates three hubs: the Americas hub in the United States; the Europe, Middle East, and Africa (EMEA) hub in London; and the Asia-Pacific hub in Singapore. In addition to information sharing, FS-ISAC also acts as an international convener and hosts cybersecurity exercises.
Financial Stability Board (FSB): The FSB (formerly the Financial Stability Forum) was established in 2009 by the G20 following the 2008 global recession and is hosted and funded by the Bank for International Settlements (BIS). In 2017, the G20 tasked the FSB with taking stock of approaches on cybersecurity and the financial system.48 The FSB also published a cyber lexicon to promote a common language in the industry.49
Financial Stability Institute (FSI): The FSI was jointly established in 1998 by the Bank for International Settlements (BIS) and the Basel Committee on Banking Supervision (BCBS). Its mandate is to assist supervisors around the world in improving and strengthening their financial systems. The FSI produces research on cybersecurity and resilience through policy briefs, crisis exercises, and papers on best practices.
FINCA International: FINCA is an international charity that promotes financial inclusion through a network of community-based microfinance institutions that provide loans, savings accounts, insurance, and money transfers to individuals and groups in Africa, Eurasia, Latin America, the Middle East, and South Asia.50 FINCA has made leveraging fintech to support its microfinance and social enterprise efforts a priority, and it partners with technology companies and financial institutions around the globe to integrate digital technologies into their products and services.51
Forum of Incident Response and Security Teams (FIRST): FIRST is a global coordinating body for CSIRTs and CERTs, including FinCERTs.52
(France) Bank of France: The central bank of France is an active participant in the G7 Finance Track Cyber Group of Experts. The Bank of France hosted the G7 Cyber Expert Group in 2019 and facilitated a cybersecurity exercise.53 In November 2019, the central bank signed a memorandum of understanding with the Monetary Authority of Singapore (MAS) to enhance cooperation in cybersecurity.54
(France) Prudential Supervision and Resolution Authority (ACPR): The ACPR is a supervisor of financial institutions in France. In 2013, the ACPR published “ACPR Guidance: The Risks Associated With Cloud Computing.”55
G7 24/7 Cybercrime Network: The 24/7 Network, made up of seventy nations, established points of contact for responding to government requests regarding cyber crime cases. It was established in 1997 by the G8 Justice and Interior Ministers to provide “timely, effective response to transnational high-tech cases.”56
G7 Cyber Expert Group (CEG): The G7 CEG was established by the G7 Finance Ministers and Central Bank Governors in 2015 to identify the core cybersecurity risks to the financial system. The group has released a series of best practices and recommendations since 2016.57
G7 Deauville Partnership Action Plan for Financial Inclusion: The G8 launched the Deauville Partnership in 2011 to support democratic transitions in the Arab world through economic and governance assistance.58 In 2015, the “Deauville Partnership Action Plan for Financial Inclusion” outlined G7 priorities for advancing financial inclusion, one of which is the development of digital financial inclusion policies with adequate risk management measures.59
G7 Finance Ministers and Central Bank Governors: This forum is the lead mechanism to coordinate work in the G7 Finance Track.60 Work is directed through consensus communiqués. The ministers and governors established the G7 Cyber Expert Group in 2015.
G7 Ise-Shima Cyber Group: In 2016, the heads of state of the G7 created a new work stream through the G7 dedicated to international cybersecurity. This work stream led to the 2017 Lucca Declaration on Responsible State Behavior in Cyberspace, the most detailed outline by a group of Western states regarding their views for rules of the road for cyberspace.
G20 Finance Ministers and Central Bank Governors: This forum is the primary mechanism to coordinate work in the G20 Finance Track. In March 2017, G20 Finance Ministers and Central Bank Governors warned for the first time that cyber attacks could threaten financial stability and instructed the Financial Stability Board to investigate the risks.61
(Germany) Deutsche Bundesbank (Bundesbank): Germany’s central bank is an active participant in the G7 Cyber Expert Group. In the 2018 “Financial Stability Review,” the Bundesbank determined that an extreme cyber attack could “destabilise the entire [financial] system.”62
(Germany) Federal Financial Supervisory Authority (BaFin): BaFin is a German financial regulator that supervises financial institutions. In 2018 BaFin published the “Supervisory Requirements for IT in Financial Institutions,” which aims to create a comprehensive framework for management of IT resources in financial institutions.63
Global Cyber Alliance (GCA): The GCA is a nonprofit organization established in 2015 by the Center for Internet Security, the New York County district attorney, and the City of London police commissioner to “address systemic cyber risk” and build capacity to combat cyber crime. The GCA provides organizations with resources, toolkits, and accessible education to reduce cyber risk.64
Global Financial Markets Association (GFMA): The GFMA is a global financial industry trade association that represents the interests of multinational financial institutions and that engages in advocacy about cybersecurity regulations. It is the parent association of the Securities Industry and Financial Markets Association (SIFMA), the Asia Securities Industry and Financial Markets Association (ASIFMA), and the Association for Financial Markets in Europe (AFME). The GFMA advocates for global cybersecurity regulatory harmonization and is a leading industry voice on regulated penetration testing.65
Global Forum on Cyber Expertise (GFCE): The GFCE is a nonprofit coalition whose mission is “to strengthen cyber capacity and expertise globally through international collaboration and cooperation.”66 The GFCE is the primary coordinating platform for cyber capacity-building. Its focus is to coordinate cyber capacity projects, share knowledge and expertise by recommending tools and publications, and act as a clearing house to match needs for cyber capacities with offers of support.67
Global Partnership for Financial Inclusion (GPFI): In 2010, G20 leaders adopted the “G20 Principles for Innovative Financial Inclusion”68 and launched the GPFI at the Seoul Summit. The GPFI is primarily tasked with implementing the G20 Financial Inclusion Action Plan (FIAP) through policy analysis and recommendations, with tracking G20 financial inclusion indicators, and with coordinating global financial inclusion efforts.69
GSMA: The GSMA is a major industry association representing mobile operators.70 In 2019, it launched the Inclusive Tech Lab with the goal of promoting industry collaboration on technological solutions driving financial inclusion.71 The lab works on openness and interoperability of payment systems, access to financial services by women and vulnerable populations, and digital identity.72
(Hong Kong) Hong Kong Monetary Authority (HKMA): The HKMA is the primary financial regulator for financial institutions in Hong Kong. In 2016, the HKMA published the “Enhanced Competency Framework on Cybersecurity” and launched the Cybersecurity Fortification Initiative, which includes a maturity assessment, an inherent risk assessment, and a penetration testing requirement.73
(India) Reserve Bank of India (RBI): The RBI is India’s central bank and acts as the lead government body on cybersecurity in India’s financial sector. The RBI works closely with India’s national CERT (CERT-In), and the Institute for Development and Research in Banking Technology (IDRBT) to facilitate information sharing and issue alerts to Indian financial institutions.74 Since issuing a circular on cybersecurity to banks in 2016, the RBI has become increasingly proactive on cybersecurity issues.75 In 2019, the RBI centralized all regulatory and supervisory functions related to cyber risk within its Cyber Security and IT Risk Group in the Department of Supervision.
Institute of International Finance (IIF): The IIF is a global association of the finance industry based in Washington, DC. In April 2018, the IIF published the white paper, “Addressing Regulatory Fragmentation to Support a Cyber-Resilient Global Financial Services Industry,” that called for improved regulatory harmonization.76
International Criminal Police Organization (INTERPOL): INTERPOL is an international organization that coordinates international cooperation on crime, including financial cyber crime.77 It operates the Cyber Fusion Centre which co-locates industry and law enforcement cyber experts to provide stakeholders with actionable threat intelligence. It also facilitates regular INTERPOL Regional Working Groups on Cybercrime.
International Finance Corporation (IFC): IFC works with approximately 800 financial institutions in over 100 countries to create and leverage markets to solve development challenges. With the support of the Mastercard Foundation, IFC has launched the Partnership for Financial Inclusion, a $37.4 million initiative to expand microfinance and DFS in sub-Saharan Africa.78
International Monetary Fund (IMF): The IMF oversees the international monetary and financial system and monitors the activities of its 189 member countries. In 2018, the IMF established a program to assist financial regulators and supervisors with cybersecurity risk management after it declared cybersecurity to be a financial stability risk.79 The IMF’s cybersecurity technical assistance program, implemented by the Monetary and Capital Markets Department, has three pillars: annual workshops, regional technical assistance center workshops, and bilateral technical assistance missions.80
International Telecommunications Union (ITU): In 2014, the ITU established a Focus Group on Digital Financial Services to convene telecom and financial service regulators, digital financial service providers, mobile network operators, and international organizations.81 The group released twenty-eight position papers, including one on security aspects of digital financial services.82 The ITU works with the World Bank, the Committee on Payments and Market Infrastructures (CPMI), and the Bill & Melinda Gates Foundation to administer the Financial Inclusion Global Initiative (see entry for World Bank below).
(Israel) Bank of Israel: In 2015, Israel’s central bank issued a directive on Cyber Defense Management that outlines a cyber risk management framework for financial institutions.83
(Israel) Cyber and Finance Continuity Center (FC3): FC3 provides specialized cybersecurity capabilities to Israel’s financial sector. FC3 was established after a cybersecurity exercise with the country’s financial leadership revealed “a need for integration and ‘translation’ between the financial language, the cyber and technology language and the risk management needs.”84 FC3 is co-owned and co-managed by the Israeli Ministry of Finance and the Israeli National Cyber Directorate, which provide expertise in the financial ecosystem and expertise in cyber and technology, respectively.
(Italy) Bank of Italy: The central bank of Italy is an active participant in the G7 Cyber Expert Group.85 The bank also chairs Italy’s CODISE, the body responsible for crisis management coordination in the Italian financial sector. In 2020, the Bank of Italy and CONSOB announced a joint “Strategy on Cyber Security for the Financial System,” which aims to ensure the reliability of the financial system as a whole.86
(Italy) CONSOB: CONSOB is the regulator that oversees the Italian securities market. In 2020, the Bank of Italy and CONSOB announced their “Joint Strategy for the Cyber Security of the Financial Sector,” which aims to ensure the reliability of the financial system as a whole.87
(Japan) Bank of Japan: Japan’s central bank is an active participant in the G7 Cyber Expert Group. In 2020, the Bank of Japan warned its financial institutions that they were vulnerable to cyber attacks ahead of the Olympic Games.88
(Japan) Financial Services Agency (JFSA): The JFSA conducts supervision and inspection of cyber security management in Japanese financial institutions. In 2015, the JFSA published policy approaches that address cybersecurity for the financial sector.89
(Japan) Japan Cybercrime Control Center (JC3): The JC3 was established in 2014 as a nonprofit organization designed to “identify, mitigate, and neutralize the root of threats to cyberspace.” It was modeled after the U.S. National Cyber-Forensics and Training Alliance (NCFTA).90
Joint Cybercrime Action Taskforce (J-CAT): J‑CAT, launched in 2014 and based at EC3 headquarters, is a standing operational team of cyber liaison officers from around the world. There are sixteen member countries (nine EU members and seven non-EU countries). J‑CAT focuses on countering transnational cyber crime and has conducted successful operations against cyber crime in the financial sector.91
(Netherlands) De Nederlandsche Bank (DNB): DNB, the central bank of the Netherlands, is best known in the financial cybersecurity community as the creator of the TIBER-NL framework for penetration testing.92
(Netherlands) National Cyber Security Centre (Dutch NCSC): The Dutch NCSC, founded in 2012, is an information center that facilitates public-private cooperation in the fight against cyber crime.93
(Netherlands) National High Tech Crime Unit (NHTCU): The NHTCU is an investigative unit within the Dutch Police Services Agency focused on combating cyber crime.94 The NHTCU prioritizes investigating cyber attacks on vital infrastructure and the financial system.95 It runs the Dutch Electronic Crimes Task Force, established in 2011 at the request of major Dutch banks.96
(Nigeria) Nigeria Electronic Fraud Forum (NeFF): NeFF is a consortium of public and private institutions established to exchange information and knowledge around fraud issues. Members include banks, mobile payment operators, payment system operators, national security and intelligence authorities, and the Central Bank of Nigeria.97
North Atlantic Treaty Organization (NATO): NATO recognizes cyberspace as a domain of military operations and has declared that a cyber attack could trigger an invocation of Article 5, the collective defence clause.98 NATO operates the Cooperative Cyber Defence Centre of Excellence.99 In 2018, NATO established a Cyberspace Operations Centre and has established Cyber Rapid Reaction teams to assist allies. NATO also cooperates with the private sector on cybersecurity through the NATO Industry Cyber Partnership.100
Organisation for Economic Co-operation and Development (OECD): The OECD has worked to promote consumer protection in financial inclusion efforts and national strategies for financial education. To this end, the OECD is an implementing partner of the Global Partnership for Financial Inclusion (GPFI) and has organized a Task Force on Financial Consumer Protection to implement the G20’s “High-level Principles for Financial Consumer Protection,” which were endorsed at the October 2011 G20 meeting.101
Organization for Security and Co-operation in Europe (OSCE): The OSCE is a security-focused organization comprised of fifty-seven member countries based in Europe, northern and central Asia, and North America. The OSCE wants to “operationalize pertinent UN guidance by [the GGE] on the regional level.”102 Like the ASEAN Regional Forum (ARF), the OSCE has been focused on cybersecurity capacity-building and confidence-building measures at a regional level, especially after the UN Group of Governmental Experts (UN GGE) failed to reach consensus in 2017.
Organization of American States (OAS): The OAS focuses on cooperation in South America and Latin America. It focuses on cybersecurity confidence-building measures and increasing trust among states through a variety of transparency, cooperation, and stability measures that reinforce and complement the discussions at the UN Group of Governmental Experts (UN GGE). OAS also facilitates the Inter-American Cooperation Portal on Cyber-Crime and the Cyber-Crime Working Group, which aim to strengthen Western hemispheric cooperation on combating cyber crimes.103
Paris Call for Trust and Security in Cyberspace (Paris Call): In November 2018, French President Emmanuel Macron announced the Paris Call for Trust and Security in Cyberspace, a high-level declaration of principles for promoting an open, secure, accessible, and peaceful cyberspace. These principles supported the applicability of international law and the UN Charter to cyberspace as well as affirming the UN norms efforts. Sixty-six states, 139 international and civil society organizations, and 347 private sector entities have signed on, although the United States has not joined.104 Interestingly, this initiative grew out of outreach from the private sector, when Microsoft sought French support for its Cybersecurity Tech Accord and the French government took the opportunity to lead in this space.
(Russia) Central Bank of the Russian Federation (CBR): In 2019, the CBR outlined its near-term approach to cybersecurity for the financial system in the “Guidelines for the Advancement of Information Security in the Financial Sector for 2019–2021.”105 The CBR acknowledges that “the rise in cyber crime, primarily in the credit and financial sector, is a global trend that requires coordinated efforts by regulators, law enforcement agencies, credit and financial institutions and financial service consumers,” and goes on to note that “cyber attacks on digital financial systems can provoke a financial crisis.”106 CBR also operates Russia’s FinCERT.107 CBR published “Maintenance of Information Security of the Russian Banking System Organisations” in June 2014.108
SANS Institute: SANS runs the SANS Cyber Workforce Academy, a three- to four-month, scholarship-based training program for those seeking to enter the cybersecurity workforce. SANS has run a Chicago program, and is currently accepting applications for a Maryland program supported by the Maryland Department of Labor.109 SANS also ran the Cyber Retraining Academy for the British government, which provided an immersive ten-week training program for individuals seeking to enter cybersecurity professions. (The Cyber Retraining Academy website has not been updated since 2017.)110
Securities Industry and Financial Markets Association (SIFMA): SIFMA is a financial industry trade association that represents U.S. financial institutions. Among other advocacy work, SIFMA coordinates the global Quantum Dawn cybersecurity exercises.111
Shanghai Cooperation Organisation (SCO): In 2009, the SCO, with Russia and China taking the lead, released its “Agreement on Cooperation in Ensuring International Information Security.” Two years later, four members of the SCO submitted a draft International Code of Conduct for Information Security to the UN General Assembly. This group of four was expanded to six members and introduced a revised draft code to the UN in 2015. Russia’s resolution to establish the UN Open-Ended Working Group (OEWG) draws from language within the SCO’s International Code of Conduct for Information Security.112
(Singapore) Cyber Security Agency of Singapore (CSA): Singapore’s CSA was formed in 2015 to provide dedicated and centralised oversight of national cybersecurity functions. The CSA works with the Monetary Authority of Singapore (MAS) to protect the financial sector, one of the nation’s Critical Information Infrastructure Sectors. The CSA also engages with various industries and stakeholders to heighten cybersecurity awareness as well as to ensure the holistic development of Singapore’s cybersecurity landscape. It is part of the Prime Minister’s office and is managed by the Ministry of Communications and Information.113
(Singapore) Monetary Authority of Singapore (MAS): The MAS, as Singapore’s primary financial regulator, leads work on cybersecurity and operational resilience in the financial sector. The MAS has become a thought leader in building cyber resilience internationally. For example, the MAS served as co-chair in developing the Committee on Payments and Market Infrastructures-International Organization of Securities Commission’s (CPMI-IOSCO) principles, one of the earliest international efforts focused on operational resilience.114 In March 2019, the MAS proposed changes to their Business Continuity Management (BCM) Guidelines, citing concerns about the increase in the scale and frequency of cyber attacks.115
Society for Worldwide Interbank Financial Telecommunication (SWIFT): SWIFT provides a standardized messaging network that allows financial institutions to facilitate financial transactions. SWIFT is a cooperative society under Belgian law and is owned and controlled by its shareholders. Following the 2016 Bangladesh incident, SWIFT updated its Customer Security Program to include cybersecurity standards for its clients in its contractual relationships.116
(South Africa) South African Banking Risk Information Centre (SABRIC): SABRIC is a nonprofit set up by South Africa’s four major banks to coordinate interbank activities to address organized financial cyber crime. SABRIC serves the more than twenty members of the banking and payments sector in South Africa, and it serves as a conduit between the private sector and regulators. SABRIC also leads public education programs to improve digital and cybersecurity literacy.
(South Korea) Cyber Bureau, National Police Agency: The South Korean National Police Agency established its Cyber Bureau in 2014, partially in response to a massive breach of credit card data that affected 20 million South Koreans.117
(South Korea) Cybercrime Investigation Division: The Cybercrime Investigation Division exists within the National Digital Forensics Center of the Supreme Prosecutors’ Office of South Korea.118
(South Korea) Financial Security Institute (FSI): The Financial Security Institute was established by the South Korean government in 2015 to protect their financial sector.119 FSI’s CERT, known as FSI-CERT, is a member of the Forum of Incident Response and Security Teams (FIRST).
Task Force on Computer Security Incident Response Teams (TF-CSIRT): TF-CSIRT is a global coordinating body for CSIRTs and CERTs, including FinCERTs. TF-CSIRT works closely with the European Union Agency for Cybersecurity (ENISA) to help coordinate European CSIRTs and CERTs.120
(UK) Bank of England (BoE): The BoE, the United Kingdom’s central bank, is a global thought leader in cyber resilience. It is one of the UK Financial Service Authorities (UK FSAs). In July 2018, the UK FSAs published a series of discussion papers, “Building the UK Financial Sector’s Operational Resilience,” that argued for shifting focus away from firms’ ability to prevent disruptions and instead ensuring that individual firms and the financial sector had the ability to withstand disruptions, or “shocks.”121 The BoE also created CBEST, a penetration testing framework.122
(UK) Cyber Defence Alliance (CDA): CDA was established in 2015 by a small number of UK-based financial institutions as a nonprofit public-private partnership that works collaboratively across the financial sector and law enforcement.123 In October 2018, the CDA signed a memorandum of understanding with Europol’s European Cybercrime Centre (EC3) to formalize information sharing between the two organizations.124
(UK) Financial Conduct Authority (FCA): FCA is one of the UK Financial Service Authorities (UK FSAs), and one of the global thought leaders on cyber resilience. In July 2018, the UK FSAs published a series of discussion papers, “Building the UK Financial Sector’s Operational Resilience.”125
(UK) Financial Sector Cyber Collaboration Centre (FSCCC): Modeled after the Financial Systemic Analysis & Resilience Center (FSARC), FSCCC was established by UK Finance in 2017. FSCCC is comprised of twenty large banks and other financial institutions in collaboration with the United Kingdom’s National Cyber Security Centre (NCSC), the UK’s Financial Supervisory Authorities, and the UK’s National Crime Agency.126
(UK) National Cyber Security Centre (NCSC): The NCSC was operationalized in 2016 under the UK Government Communications Headquarters (GCHQ) to provide cybersecurity advice to public and private institutions in the United Kingdom.127 It facilitates public-private cooperation through the Financial Sector Cyber Collaboration Centre (FSCCC) and the Cyber Security Information Sharing Partnership, a “joint industry and government initiative set up to exchange cyber threat information sharing in real time.”128 The NCSC was established, in part, to address concerns from the Bank of England (BoE). Robert Hannigan, the former director of the GCHQ and the driving champion behind the NCSC’s establishment, reflects: “[BoE Governor Mark Carney] came to the GCHQ’s London office and told me that there were too many sources of advice from government and too much confusion for industry.”129
(UK) Prudential Regulatory Authority (PRA): PRA is one of the UK Financial Service Authorities (UK FSAs), and one of the global thought leaders on cyber resilience. In July 2018, the UK FSAs published a series of discussion papers, “Building the UK Financial Sector’s Operational Resilience.”130
(UK) UK Finance: UK Finance is a financial industry trade association established after Brexit. It represents financial institutions in discussions with the UK Financial Service Authorities: the Prudential Regulatory Authority, the Financial Conduct Authority, and the Bank of England.131
(United Nations) UN Department of Economic and Social Affairs (UN DESA): In 2015, UN DESA organized the Third International Conference on Financing for Development, resulting in the Addis Ababa Action Agenda (AAAA). This document created a global framework for financing the 2030 Agenda for Sustainable Development and mandated a high-level dialogue on financing for development be held every four years.132 The most recent round of these dialogues was held in September 2019.
(United Nations) UN Group of Governmental Experts (UN GGE): The UN GGE was established in 2004 to examine how information communications technology affected national security and military affairs. The UN GGE is composed of twenty-five member countries: five are the permanent members of the Security Council and the remaining members are chosen “on the basis of equitable geographical distribution.” There have been six iterations of the UN GGE thus far. The sixth UN GGE is currently running in parallel with the UN Open-Ended Working Group (OEWG).
(United Nations) UN Office on Drugs and Crime (UNODC): The UNODC “promotes long-term and sustainable capacity-building in the fight against cybercrime,” through resources, trainings, and guidance. It facilitates the Global Programme on Cybercrime, which provides technical assistance, prevention and awareness raising, and analysis in developing countries.133
(United Nations) UN Open-Ended Working Group (OEWG): In 2018, the UN General Assembly created the OEWG as a second process alongside the UN Group of Governmental Experts (UN GGE) that would focus on norms of responsible state behavior in cyberspace. In contrast to the UN GGE, which limited its membership to twenty-five UN member states, the OEWG is open to all UN members and holds consultative meetings with industry, academia, and civil society. The duplicate GGE and OEWG processes are the product of rival resolutions proposed by the United States and the Russian Federation, respectively. In 2018 the UN First Committee voted to pass both, thus establishing the concurrent processes.
(United Nations) UN Secretary-General’s Special Advocate (UNSGSA) for Inclusive Finance for Development: In 2009, UN Secretary-General Ban Ki-Moon designated Queen Máxima of the Netherlands the UN Secretary-General’s Special Advocate for Inclusive Finance for Development. The UNSGSA’s strategic priorities include 1) usage and development impact; 2) policies for digital financial inclusion;134 and 3) underserved populations.
(United Nations) UN Security Council (UNSC): The UNSC, charged with maintaining international peace and security, has not yet held a formal debate on cybersecurity. However, the 2019 UNSC Panel of Experts report on North Korea examined how North Korean cyber attacks were used to evade counter-proliferation sanctions and steal billions of dollars.135
(U.S.) American Bankers Association (ABA): The ABA is a U.S.-based financial industry trade association that primarily represents small and mid-sized financial institutions. The ABA was a co-creator of the Financial Services Sector Cybersecurity Profile.136
(U.S.) Bank Policy Institute (BPI): The BPI is a U.S.-based financial industry trade association. It was established in 2018 after the Financial Services Roundtable and the Clearing House Association merged. BITS is the technology policy division of the BPI. The BPI was a co-creator of the Financial Services Sector Cybersecurity Profile.137
(U.S.) Board of Governors of the U.S. Federal Reserve System (Federal Reserve Board): The Federal Reserve Board is the main governing body of the U.S. Federal Reserve Banks. The Board is embracing operational resilience slowly by prioritizing regulatory harmonization and private sector input over speed. In 2016, it signaled an advance notice of proposed rulemaking around enhanced cyber risk management standards; these rules were to be issued in 2017 but were later deprioritized after comments from the private sector.138 In the fall of 2019, the Fed reopened the consultation process for the proposed “Enhanced Cyber Risk Management Standards,” suggesting that resilience is once again becoming a priority.
(U.S.) Cyber Fraud Task Forces (CFTFs): The Cyber Fraud Task Forces were created in July 2020 after the U.S. Secret Service announced that it would merge its Electronic Crimes Task Forces (ECTFs) and its Financial Crimes Task Forces (FCTFs). The Electronic Crimes Task Forces program is a series of regional agreements between the U.S. Secret Service, federal and local law enforcement, the private sector, and academia “for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment system.”139 The first ECTF, the New York Electronic Crimes Task Force (NY ECTF) was established in 1995 to “combat computer-based threats to our financial payment systems and critical infrastructures.”140 Subsequent ECTFs were mandated by the USA PATRIOT Act (2001). The ECTFs have “prevented over $13 billion in potential losses and arrested approximately 10,000 individuals.”141
(U.S.) Cyber Readiness Institute: Launched in 2017 by Mastercard, Microsoft, and others, the Cyber Readiness Institute builds and promotes capacity-building resources for small and medium-sized enterprises.142 It is administered by the Center for Global Enterprise.
(U.S.) Cybersecurity Talent Initiative (CTI): Announced in April 2019, CTI is a public-private partnership that provides students in cybersecurity-related fields with two-year placements at federal agencies with cybersecurity needs. Following completion of federal service placements, graduating students are also invited to apply for private sector jobs.143 CTI is supported by Mastercard, Microsoft, Workday, and Partnership for Public Service.
(U.S.) Cyber Workforce Alliance (CWA): Created in 2015 as a division of the online learning platform iQ4, CWA is a partnership of government, industry, and university leaders committed to training cybersecurity professionals. It provides an online platform and curriculum and connects industry mentors and university professors with students seeking to gain new cybersecurity skills.144 According to a press release, CWA’s partners include individuals at the Federal Reserve Bank of New York and its member banks, at the Securities Industry and Financial Markets Association (SIFMA), as well as 600 corporate executives.145
(U.S.) Department of the Treasury: The U.S. Department of the Treasury is charged with protecting the critical infrastructure of financial institutions. Within the Treasury Department, the Office of the Comptroller of the Currency and the Office of Critical Infrastructure Protection work closely with U.S. financial institutions on cybersecurity issues. The Treasury Department also runs the Office of Foreign Assets Control (OFAC), the body in charge of managing U.S. sanctions. In 2020, legislation was introduced, with the support of the Trump administration, including the U.S. Department of Homeland Security, to move the U.S. Secret Service back to the Department of the Treasury.146
(U.S.) Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3): IC3, a branch of the FBI, provides the public with a mechanism for reporting cyber crime. IC3’s Recovery Asset Team (RAT) was established in February 2018 to “streamline communication with financial institutions.” In 2019, RAT reported 1,307 incidents, with $304 million recovered from a total of $384 million in losses.147
(U.S.) Financial and Banking Information Infrastructure Committee (FBIIC): Established following the attacks on September 11, 2001, the FBIIC was created to coordinate the security and reliability of the financial sector infrastructure in the United States. The Committee is composed of eighteen member organizations across the U.S. financial regulatory community and is chaired by the Assistant Secretary of the Treasury for Financial Institutions.148
(U.S.) Financial Crimes Enforcement Network (FinCEN): FinCEN is a bureau of the U.S. Department of the Treasury whose mission is to “safeguard the financial system from illicit use and combat money laundering and promote national security through collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.”149 In 2019, FinCEN restructured and established the new Cyber and Emergent Issues Section under the Strategic Operations Division.150
(U.S.) Financial Services Sector Coordinating Council (FSSCC): FSSCC, an industry initiative established in 2002, is the coordinating body for critical infrastructure protection within the financial sector. FSSCC facilitates coordination between the private sector and U.S. government agencies charged with critical infrastructure protection. It established the Financial Services Sector Cybersecurity Profile in 2018.151
(U.S.) Financial Systemic Analysis and Resilience Sector (FSARC): A consortium of the most critical U.S. financial institutions established the FSARC in 2016 with the mission to “proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system.”152 FSARC functions as a mechanism for banks to collaborate with the U.S. national security community, including the Departments of Defense, Homeland Security, the Treasury, and the FBI. Its offices are steps away from the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. In 2017, FSARC began providing the U.S. Cyber Command with cyber threat data in an arrangement called “Project Indigo.”153
(U.S.) National Cyber-Forensics and Training Alliance’s (NCFTA) Cyber Financial (CyFin) Program: The NCFTA is a nonprofit partnership between industry and government focused on “two-way collaboration and cooperation to identify, mitigate, and disrupt cybercrime.”154 NCFTA’s CyFin program was established in 2007 to focus on disrupting malicious actors in the financial services industry. CyFin’s analysis has been frequently cited in Department of Justice indictments, including the arrest of FIN7 members.155
(U.S.) National Initiative for Cybersecurity Education (NICE): A program of the National Institute of Standards and Technology (NIST), NICE was founded in 2010 to convene government, academic, and private sector stakeholders around cybersecurity education and training.156 In August 2017, NICE published a Cybersecurity Workforce Framework to help standardize descriptions of cybersecurity work.157
(U.S.) New York State Department of Financial Services (NYDFS): NYDFS is the financial regulator for New York State and oversees most financial institutions in the U.S. financial sector located in New York City. In 2016, NYDFS published “Cybersecurity Requirements for Financial Service Companies,” a major revision to existing cybersecurity supervision requirements that focused less on preventing cyber incidents and more on recovering from them.158
(U.S.) Office of Foreign Assets Control (OFAC): OFAC is an office within the U.S. Department of the Treasury that administers and enforces U.S. sanctions, including cyber-related sanctions authorized by U.S. Executive Order 13694 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities).
(U.S.) Securities and Exchange Commission (SEC): The SEC is the U.S. financial authority that oversees securities markets. Primarily through its Office of Compliance Inspections and Examinations and its Cyber Unit (part of the SEC’s Division of Enforcement), the SEC provides guidance, conducts examinations, issues risk alerts, and sets policy on cybersecurity and resilience for key market participants like securities exchanges, securities brokers and dealers, investment advisors, and mutual funds. The SEC also coordinates with other financial authority counterparts to advance the cybersecurity of the broader U.S. financial sector.
(U.S.) Sheltered Harbor: Sheltered Harbor is a U.S. financial sector-led initiative designed to improve the resilience of and preserve public confidence in the U.S. financial system, specifically with respect to the integrity of financial data.159 It functions as a fail-safe to restore financial data for banks and customers in the event of a major disruption. As of October 2018, Sheltered Harbor holds the data for 70 percent of U.S. deposit accounts and 55 percent of U.S. retail brokerage client assets.160
U.S. Secret Service: The U.S. Secret Service is the primary law enforcement agency countering financial cyber crimes in the United States. The U.S. Secret Service runs the Cyber Fraud Task Forces.161 At the time of writing, the U.S. Congress is considering legislation, which the Trump administration supports, to move the U.S. Secret Service and its cyber investigative capabilities from the Department of Homeland Security back to the Department of the Treasury.162
World Bank: The World Bank focuses on developing law enforcement capacity to combat cyber crime.163 It also focuses on cybersecurity in financial inclusion efforts through the provision of technical assistance and data collection. Two of its initiatives, Harnessing Innovation for Financial Inclusion and the Financial Inclusion Global Initiative, emphasize digital innovation for financial inclusion and provide technical assistance to financial services providers seeking to modernize or expand national payment systems.164 The World Bank also runs Identification for Development, a program that provides technical assistance and advisory services and facilitates knowledge-sharing among national initiatives to implement digital identification systems.
World Economic Forum (WEF): In January 2018, the WEF established the Global Centre for Cybersecurity, based in Geneva, Switzerland, to help promote a secure and open cyberspace.165 The center strives to create a global platform for governments, businesses, experts, and law enforcement agencies to collaborate on cybersecurity challenges. The organization focuses on collaboration, information sharing, and common standards to combat international cyber crime.166
World Federation of Exchanges: The WFE is a global financial industry association for publicly regulated stock, futures, and options exchanges and central counterparties. In addition to engagement with financial authorities, the WFE conducts industry-relevant cybersecurity research and operates the Global Exchange Cyber Security Working Group.
1 African Union, “First African Forum on Cybercrime” (Addis Ababa, October 16, 2018), https://au.int/en/newsevents/20181016/first-african-forum-cybercrime.
2 Alliance for Financial Inclusion, “About Us - AFI,” accessed July 22, 2020, https://www.afi-global.org/about-us.
3 Alliance for Financial Inclusion, “Global Policy Forum,” accessed July 22, 2020, https://www.afi-global.org/global-policy-forum.
4 Alliance for Financial Inclusion, “Cybersecurity for Financial Inclusion: Framework & Risk Guide,” October, 2019.
5 Asia Securities Industry & Financial Markets Association, “ASIFMA,” accessed July 22, 2020, https://www.asifma.org/.
6 Emmanuel LaMarois, “Cybersecurity Needs to Be a Global and Coordinated Effort,” AFME, December 5, 2017, https://www.afme.eu/News/Views-from-AFME/Details/cybersecurity-needs-to-be-a-global-and-coordinated-effort.
7 NATO Cooperative Cyber Defence Centre of Excellence, “ASEAN Regional Forum Reaffirming the Commitment to Fight Cyber Crime.”
8 AustCyber, “About Us,” accessed July 22, 2020, https://www.austcyber.com/about-us.
9 Australian Signals Directorate, “Cyber Security,” accessed July 22, 2020, https://www.asd.gov.au/cyber.
10 Australian Prudential Regulation Authority, “APRA Finalises Updated Guidance on Information Security | APRA,” Press Release, June 25, 2019, https://www.apra.gov.au/news-and-publications/apra-finalises-updated-guidance-on-information-security.
11 AUSTRAC, “AUSTRAC Overview,” accessed July 22, 2020, https://www.austrac.gov.au/about-us/austrac-overview.
12 Council of Financial Regulators, “Cyber Security—Financial Stability,” Australia, accessed July 22, 2020, https://www.cfr.gov.au/financial-stability/cyber-security.html.
13 AUSTRAC, “Fintel Alliance,” accessed July 22, 2020, https://www.austrac.gov.au/about-us/fintel-alliance.
14 Reserve Bank of Australia, “Financial Stability Review,” October 2018, Australia, https://www.rba.gov.au/publications/fsr/2018/oct/box-d.html.
15 Bank for International Settlements (BIS), “Cyber Resilience: Range of Practices.”
16 Committee on Payments and Market Infrastructures, “Payment, Clearing and Settlement Operators Meet on Global Cyber-Resilience.”
17 Committee on Payments and Market Infrastructures and The Board of the International Organization of Securities Commissions, “Guidance on Cyber Resilience for Financial Market Infrastructures.”
18 Bank for International Settlements (BIS), “Innovation BIS 2025: Shaping the Bank for Tomorrow,” June 2019, https://www.bis.org/about/innovation_bis_2025/index.htm.
19 Better Than Cash Alliance, “About The Better Than Cash Alliance,” accessed July 22, 2020, https://www.betterthancash.org/about.
20 Better Than Cash Alliance, “Toolkits,” accessed July 22, 2020, https://www.betterthancash.org/tools-research/toolkits.
21 Bill and Melinda Gates Foundation, “Financial Services for the Poor Strategy Overview,” July 2012, https://docs.gatesfoundation.org/Documents/fsp-strategy-overview.pdf.
22 Bill and Melinda Gates Foundation, “Financial Services for the Poor Strategy Overview,” July 2012, https://docs.gatesfoundation.org/Documents/fsp-strategy-overview.pdf.
23 Bank of Canada, “2019-2021 Cyber Security Strategy: Reducing Risk, Promoting Resilience,” 2019, https://www.bankofcanada.ca/wp-content/uploads/2019/06/cyber-security-strategy-2019-2021.pdf.
24 Bank of Canada, “2019-2021 Cyber Security Strategy: Reducing Risk, Promoting Resilience,” 2019, https://www.bankofcanada.ca/wp-content/uploads/2019/06/cyber-security-strategy-2019-2021.pdf.
25 Siemens, “Siemens and partners sign joint charter on cybersecurity,” press release, May 17, 2017, https://www.siemens.com/press/en/feature/2018/corporate/2018-02-cybersecurity.php.
26 Samm Sacks, Qiheng Chen, and Graham Webster, “Five Important Takeaways From China’s Draft Data Security Law,” DigiChina Project (blog), July 9, 2020, http://newamerica.org/cybersecurity-initiative/digichina/blog/five-important-take-aways-chinas-draft-data-security-law/.
27 US-China Business Council, “China Banking and Insurance Regulatory Commission,” December 19, 2018, https://www.uschina.org/sites/default/files/cbirc_2018.12.19.pdf.
28 China Banking Regulatory Commission, “Guidelines on the Risk Management of Commercial Banks’ Information Technology,” accessed July 22, 2020, https://wenku.baidu.com/view/71d9dbc48bd63186bcebbc1b.html.
29 Yan Luo and Zhijing Yu, “China Releases Personal Financial Information Protection Technical Specification,” Inside Privacy (blog), March 2, 2020, https://www.insideprivacy.com/international/china/china-releases-personal-financial-information-protection-technical-specification/.
31 Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions, “Guidance on Cyber Resilience for Financial Market Infrastructures.”
32 Detailed plans for the concept drawn from interviews with senior CGAP leadership and “Regional Cybersecurity Resource Centers for Financial Inclusion,” Business Concept, CGAP, June 2020.
33 Cybersecurity Tech Accord, “Eleven new companies join pledge to fight cyberattacks, promise equal protection for customers worldwide,” press release, June 20, 2018, https://cybertechaccord.org/eleven-new-companies-join-pledge-to-fight-cyberattacks-promise-equal-protection-for-customers-worldwide/.
34 DFS Observatory, “About the Digital Financial Services Observatory,” May 19, 2016, https://dfsobservatory.com/content/about-digital-financial-services-observatory.
35 Sam Meredith, “Microsoft Calls for ‘New Digital Geneva Convention’ After Spate of High-Profile Cyberattacks,” CNBC, January 26, 2018, https://www.cnbc.com/2018/01/26/microsoft-calls-for-new-digital-geneva-convention-after-spate-of-high-profile-cyberattacks.html.
36 Europol, “New Initiative Brings Together Law Enforcement and Europe’s Largest Financial Infrastructures,” Press Release, February 27, 2020, https://www.europol.europa.eu/newsroom/news/new-initiative-brings-together-law-enforcement-and-europe%E2%80%99s-largest-financial-infrastructures.
37 ENISA, “CyLEEx19: Inside a Simulated Cross-Border Cyber-Attack on Critical Infrastructure,” October 31, 2019, https://www.enisa.europa.eu/news/enisa-news/test-1.
38 European Banking Authority, “EBA Guidelines on ICT and Security Risk Management,” https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management.
39 European Banking Authority, “EBA Guidelines on ICT and Security Risk Management,” https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management.
40 European Banking Authority, “Guidelines on Outsourcing Arrangements,” https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements.
41 European Banking Federation, “Cybersecurity,” accessed July 22, 2020, https://www.ebf.eu/priorities/cybersecurity-innovation/cybersecurity/.
42 European Commission, “Consultation Document: Digital Operational Resilience Framework for Financial Services: Making the EU Financial Sector More Secure.”
43 European Union Agency for Cybersecurity, “Financial Fraud in the Digital Space,” November 2018, https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/financial-fraud-in-the-digital-space.
44 Europol, “EC3 Partners,” accessed July 22, 2020, https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3/ec3-partners.
45 Council of Europe, “Global Action on Cybercrime Extended (GLACY)+,” accessed July 22, 2020, https://www.coe.int/en/web/cybercrime/glacyplus.
46 “First FATF Report on the Extent and Nature of the Money Laundering Process and FATF Recommendations to Combat Money Laundering,” Financial Action Task Force, July 2, 1990, http://www.fatf-gafi.org/media/fatf/documents/reports/1990%20ENG.pdf.
47 “About FS-ISAC,” FS-ISAC, accessed July 28, 2018, https://www.fsisac.com/about.
48 “FSB Publishes Stocktake on Cybersecurity Regulatory and Supervisory Practices.”
49 “FSB Publishes Stocktake on Cybersecurity Regulatory and Supervisory Practices.”
50 FINCA Microfinance Global Services LLC, “Products and Services - FINCA Impact Finance,” accessed July 22, 2020, https://www.fincaimpact.com/solutions/products-and-services/.
51 FINCA, “Fintech: Innovations and Technology,” accessed July 22, 2020, https://www.fincaimpact.com/solutions/fintech-innovations-technology/.
52 Forum of Incident Response and Security Teams, “FIRST - Improving Security Together,” accessed July 22, 2020, https://www.first.org/.
53 Banque de France, “French Presidency G7 2019 - « Cybersecurity.”
54 Banque de France, “The Banque de France and the Monetary Authority of Singapore Strengthen Financial Cooperation,” Press Release, November 12, 2019, https://www.banque-france.fr/en/communique-de-presse/banque-de-france-and-monetary-authority-singapore-strengthen-financial-cooperation.
55 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” 92.
56 Chris Ott, “What You Should Know About The 24/7 Cybercrime Network,” Davis Wright Tremaine LLP, June 28, 2018, https://www.dwt.com/files/uploads/documents/publications/What%20You%20Should%20Know%20About%20The%2024.pdf.
57 European Central Bank, “Cybersecurity for the Financial Sector,” n.d., https://www.ecb.europa.eu/paym/pol/shared/pdf/qa_cybersecurity.pdf.
58 White House Office of the Press Secretary, “G-8 Action on the Deauville Partnership with Arab Countries in Transition,” Fact Sheet, May 19, 2012, https://obamawhitehouse.archives.gov/the-press-office/2012/05/19/fact-sheet-g-8-action-deauville-partnership-arab-countries-transition.
59 Deauville Partnership, “Deauville Partnership Action Plan for Financial Inclusion” (G7 Germany 2015), accessed July 22, 2020, https://www.afi-global.org/sites/default/files/publications/2015-04-30-deauville-aktionsplan.pdf.
60 G7 Information Centre, “G7/8 Finance Ministers,” accessed July 22, 2020, http://www.g7.utoronto.ca/finance/index.htm.
61 G20 Finance Ministers and Central Bank Governors, “Communiqué,” March 17, 2017, Carnegie Endowment for International Peace, https://carnegieendowment.org/files/g20-communique.pdf.
62 Deutsche Bundesbank, “Financial Stability Review 2018” (Frankfurt am Main, Germany, 2018), https://www.bundesbank.de/resource/blob/766586/f9d675a9f6a50562291589f7f3409f5a/mL/2018-finanzstabilitaetsbericht-data.pdf.
63 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” World Bank Group, Financial Sector Advisory Center, November 2019, 55, http://pubdocs.worldbank.org/en/940481575300835196/CybersecDIGEST-NOV2019-FINAL.pdf.
64 Global Cyber Alliance, “Cybersecurity Toolkit for Small Business,” accessed July 22, 2020, https://www.globalcyberalliance.org/gca-cybersecurity-toolkit/.
65 Global Financial Markets Association, “A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry”; GFMA and IIF, “Discussion Draft Principles Supporting the Strengthening of Operational Resilience Maturity in Financial Services.”
66 Global Forum on Cyber Expertise, “About the GFCE,” accessed July 22, 2020, https://thegfce.org/about-the-gfce/.
67 Global Forum on Cyber Expertise, “About the GFCE,” accessed July 22, 2020, https://thegfce.org/about-the-gfce/.
68 G20 Leaders, “The G20 Seoul Summit Leaders’ Declaration November 11 - 12, 2010,” Press Statement, November 12, 2010, http://www.g20.utoronto.ca/2010/g20seoul.pdf.
69 Global Partnership for Financial Inclusion, “GPFI,” accessed July 20, 2020, https://www.gpfi.org/.
70 GSMA, “About the GSMA,” accessed July 22, 2020, https://www.gsma.com/aboutus/.
71 GSMA, “GSMA Inclusive Tech Lab,” accessed July 22, 2020, https://www.gsma.com/mobilefordevelopment/mobile-money/gsma-inclusive-tech-lab/.
72 GSMA, “GSMA Launches Inclusive Tech Lab,” Press Release, September 24, 2019, https://www.gsma.com/newsroom/press-release/gsma-launches-inclusive-tech-lab/.
73 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” 61.
74 Institute for Development and Research in Banking Technology, “Cyber Security Checklist,” Reserve Bank of India, July 2016, https://www.idrbt.ac.in/assets/publications/Best%20Practices/CSCL_Final.pdf.
75 Reserve Bank of India, “Cyber Security Frameworks in Banks” (Notification, June 2, 2016), https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10435&Mode=0.
76 Jaime Vazquez and Martin Boer, “Addressing Regulatory Fragmentation to Support a Cyber-Resilience Global Financial Services Industry,” n.d., https://www.iif.com/portals/0/Files/private/iif_cyber_reg_04_25_2018_final.pdf.
77 INTERPOL, “INTERPOL-Led Action Takes Aim at Cryptojacking in Southeast Asia,” Press Release, January 8, 2020, https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-led-action-takes-aim-at-cryptojacking-in-Southeast-Asia; Michael Ouma, “INTERPOL Meeting of Cybercrime Unit Chiefs to Develop Response to WannaCry Attack,” aptantech, June 7, 2017, http://aptantech.com/2017/06/interpol-meeting-of-cybercrime-unit-chiefs-to-develop-response-to-wannacry-attack/.
78 International Finance Corporation, “The Partnership for Financial Inclusion,” accessed July 22, 2020, https://www.ifc.org/wps/wcm/connect/REGION__EXT_Content/IFC_External_Corporate_Site/Sub-Saharan+Africa/Priorities/Financial+Inclusion/za_ifc_partnership_financial_inclusion.
79 Monetary and Capital Markets Department, “Technical Assistance Annual Report 2018,” International Monetary Fund, 2018, https://www.imf.org/en/Publications/Technical-Assistance-Annual-Reports/Issues/2018/10/12/technical-assistance-annual-report-2018.
80 Monetary and Capital Markets Department, “Technical Assistance Annual Report 2018,” International Monetary Fund, 2018, https://www.imf.org/en/Publications/Technical-Assistance-Annual-Reports/Issues/2018/10/12/technical-assistance-annual-report-2018.
81 International Telecommunication Union, “Digital Financial Inclusion,” accessed July 22, 2020, https://www.itu.int/en/mediacentre/backgrounders/Pages/digital-financial-inclusion.aspx.
82 Kevin Butler et al., “Security Aspects of Digital Financial Services (DFS),” Focus Group Technical Report (International Telecommunication Union, January 2017).
83 Supervisor of Banks, “Cyber Defense Management,” Proper Conduct of Banking Business Directive, Bank of Israel, March 2015, https://www.boi.org.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf.
84 “FC3—Finance and Cyber Continuity Center: Israel’s National Financial CERT,” Senior officials from the Israeli Ministry of Finance in written correspondence with the authors, April 16, 2020.
85 Banca d’Italia, “Cybersecurity: A Strategy for the G7 Financial Sector,” Press Release, October 11, 2016, https://www.bancaditalia.it/media/notizia/cybersecurity-a-strategy-for-the-g7-financial-sector.
86 CONSOB, “Consob and the Bank of Italy Have Agreed a Common Strategy to Strengthen the Cyber Security of the Italian Financial Sector,” CONSOB Weekly Newsletter, January 2020, http://www.consob.it/web/consob-and-its-activities/newsletter/documenti/english/en_newsletter/2020/year_26_n-02_20_january_2020.html.
87 CONSOB, “Consob and the Bank of Italy Have Agreed a Common Strategy to Strengthen the Cyber Security of the Italian Financial Sector,” CONSOB Weekly Newsletter, January 2020, http://www.consob.it/web/consob-and-its-activities/newsletter/documenti/english/en_newsletter/2020/year_26_n-02_20_january_2020.html.
88 Leika Kihara, “BOJ Warns of Cyber-Attack Vulnerability Ahead of Olympic Games,” Reuters, January 31, 2020, https://www.ibtimes.sg/boj-warns-cyber-attack-vulnerability-ahead-olympic-games-38619.
89 Financial Services Agency, “The Policy Approaches to Strengthen Cyber Security in the Financial Sector (Summary),” Presentation, July 2, 2015, https://www.fsa.go.jp/en/news/2015/20151105-1/01.pdf.
90 Japan Cybercrime Control Center, “Establishment of ‘Japan Cybercrime Control Center,’ a New Organization for Fighting Cybercrime,” Press Release, November 13, 2014, https://www.jc3.or.jp/media/pdf/pressreleaseEnglish.pdf.
91 Europol, “Joint Cybercrime Action Taskforce (J-CAT),” accessed July 22, 2020, https://www.europol.europa.eu/activities-services/services-support/joint-cybercrime-action-taskforce.
92 “DNB Publishes Hacking Guide for Cyber Security Exercises,” Central Banking, November 20, 2017, https://www.centralbanking.com/node/3322436.
93 G Odinot et al., “Organised Cybercrime in the Netherlands,” The Ministry of Justice and Security of the Netherlands, 2017.
94 Government of the Netherlands, “Investigation and Prosecution of Criminals,” Ministerie van Algemene Zaken, December 14, 2011, https://www.government.nl/topics/crime-and-crime-prevention/investigation-and-prosecution-of-criminals.
95 G Odinot et al., “Organised Cybercrime in the Netherlands,” The Ministry of Justice and Security of the Netherlands, 2017.
96 G Odinot et al., “Organised Cybercrime in the Netherlands,” The Ministry of Justice and Security of the Netherlands, 2017.
97 Nigeria Electronic Fraud Forum, “2016 Annual Report,” Central Bank of Nigeria, July 5, 2016, https://www.cbn.gov.ng/documents/NeFFar.asp.
98 North Atlantic Treaty Organization, “Collective Defence - Article 5,” November 25, 2019, http://www.nato.int/cps/en/natohq/topics_110496.htm.
99 NATO Cooperative Cyber Defence Centre of Excellence, “CCDCOE - About Us,” accessed July 22, 2020, https://ccdcoe.org/about-us/.
100 North Atlantic Treaty Organization, “Cyber Defence,” accessed July 22, 2020, http://www.nato.int/cps/en/natohq/topics_78170.htm.
101 G20/OECD Task Force on Financial Consumer Protection, “G20/OECD Policy Guidance on Financial Consumer Protection Approaches in the Digital Age,” G20/OECD Policy Guidance, OECD, 2018, http://www.oecd.org/daf/fin/financial-education/G20-OECD-Policy-Guidance-Financial-Consumer-Protection-Digital-Age-2018.pdf.
102 OSCE, “Cyber/ICT Security,” accessed July 22, 2020, https://www.osce.org/cyber-ict-security.
103 Organization of American States, “Welcome to the Inter-American Cooperation Portal on Cyber-Crime.,” accessed July 22, 2020, https://www.oas.org/juridico/english/cyber.htm.
104 France Diplomatie, “Cybersecurity: Paris Call of 12 November 2018 for Trust and Security in Cyberspace,” https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in.
105 Central Bank of Russia, “Guidelines for the Advancement of Information Security in the Financial Sector for 2019-2021,” http://www.cbr.ru/Content/Document/File/103460/onrib_2021_e.pdf.
106 Central Bank of Russia, “Guidelines for the Advancement of Information Security in the Financial Sector for 2019-2021,” 3, http://www.cbr.ru/Content/Document/File/103460/onrib_2021_e.pdf.
107 Central Bank of Russia, “Financial Cybersecurity: Bank of Russia Report,” October 10, 2019, http://www.cbr.ru/eng/press/event/?id=3937.
108 Central Bank of Russia, “Guidelines for the Advancement of Information Security in the Financial Sector for 2019-2021.”
109 SANS Institute, “Cyber Workforce Academy Maryland,” accessed July 22, 2020, https://www.sans.org/cybertalent/cyber-workforce-academy-maryland.
110 SANS Institute, “Introduction to the Cyber Retraining Academy,” accessed July 22, 2020, https://www.sans.org/ukcyberacademy.
111 SIFMA, “Cybersecurity Exercise: Quantum Dawn V.”
112 Alex Grigsby, “The United Nations Doubles Its Workload on Cyber Norms, and Not Everyone Is Pleased,” CFRBlog (blog), November 15, 2018, https://www.cfr.org/blog/united-nations-doubles-its-workload-cyber-norms-and-not-everyone-pleased.
113 FS-ISAC, “FS-ISAC and CSA Partner to Enhance Cybersecurity in Singapore.”
114 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest.”
115 “Consultation Paper on Proposed Revisions to Business Continuity Management Guidelines.”
116 SWIFT, “Customer Security Programme Terms and Conditions,” June 30, 2017, https://www2.swift.com/uhbonline/books/public/en_uk/cst_sec_prog_trm_cond/index.htm.
117 “Huge Data Theft Hits South Korea,” BBC News, January 20, 2014, https://www.bbc.com/news/technology-25808189.
118 Korean Institute of Criminology, Cybercrime in the Republic of Korea II: Criminal Justice and International Cooperation for Cybercrime Prevention (Seoul, Republic of Korea: KyungSung Publishing, 2014), https://eucyberdirect.eu/wp-content/uploads/2019/10/cybercrime-in-the-republic-of-korea-ii.pdf.
119 Christine Kim, “North Korea Hacking Increasingly Focused on Making Money More than Espionage: South Korea Study,” Reuters, July 28, 2017, https://www.reuters.com/article/us-northkorea-cybercrime-idUSKBN1AD0BO.
120 GEANT, “TF-CSIRT: Computer Security Incident Response Teams - GÉANT,” accessed July 20, 2020, https://www.geant.org:443/People/Community_Programme/Task_Forces/Pages/TF-CSIRT.aspx.
121 Bank of England and Financial Conduct Authority, “Building the UK Financial Sector’s Operational Resilience.”
122 Bank of England, “CBEST Implementation Guide.”
123 Founding institutions include Barclays, Standard Chartered, Deutsche Bank and Banco Santander. Other members now include Bank of Ireland, Allied Irish Banks, Lloyds Banking Group, and Metro Bank. See: “Banks Join Forces to Crack Down on Fraudsters,” August 8, 2017, https://www.ft.com/content/6c9030ca-7937-11e7-90c0-90a9d1bc9691.
124 Europol, “The Cyber Defence Alliance and Europol Step up Cooperation in the Fight Against Fraudsters,” October 2018, https://www.europol.europa.eu/newsroom/news/cyber-defence-alliance-and-europol-step-cooperation-in-fight-against-fraudsters.
125 Bank of England and Financial Conduct Authority, “Building the UK Financial Sector’s Operational Resilience,” July 2018, https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/discussion-paper/2018/dp118.pdf.
126 Katherine Griffiths, “Banks Man the Barricades to See off Cyberattacks,” The Times, October 2018, https://www.thetimes.co.uk/article/banks-man-the-barricades-to-see-off-cyberattacks-qz63v5wwk.
127 Robert Hannigan, “Organising a Government for Cyber: The Creation of the UK’s National Cyber Security Centre,” Occasional Paper, Royal United Services Institute for Defence and Security Studies, February 2019, https://rusi.org/sites/default/files/20190227_hannigan_final_web.pdf.
128 National Cyber Security Centre, “Cyber Security Information Sharing Partnership (CiSP).”
129 Robert Hannigan, “Organising a Government for Cyber: The Creation of the UK’s National Cyber Security Centre.”
130 Bank of England and Financial Conduct Authority, “Building the UK Financial Sector’s Operational Resilience.”
131 UK Finance, “About Us | UK Finance,” accessed July 22, 2020, https://www.ukfinance.org.uk/about-us.
132 UN Department of Economic and Social Affairs, “Financing for Sustainable Development,” accessed July 22, 2020, https://www.un.org/esa/ffd/events/event/high-level-dialogue-on-financing-for-development.html.
133 United Nations Office on Drugs and Crime, “Cybercrime.”
134 United Nations Secretary-General’s Special Advocate for Inclusive Finance for Development, Fintech Sub-Group on Cybersecurity, “Briefing on Cybersecurity,” accessed January 22, 2020, https://www.unsgsa.org/files/2815/3575/0134/Cybersecurity.pdf.
135 United Nations Security Council, “Letter Dated 31 July 2019 from the Panel of Experts Established Pursuant to Resolution 1874 (2009) Addressed to the Chair of the Security Council Committee Established Pursuant to Resolution 1718 (2006).”
136 Financial Services Sector Coordinating Council, “The Financial Services Sector Cybersecurity Profile,” October 25, 2018, https://fsscc.org/files/galleries/Financial_Services_Sector_Cybersecurity_Profile_Overview_and_User_Guide_2018-10-25.pdf.
137 Financial Services Sector Coordinating Council, “The Financial Services Sector Cybersecurity Profile,” October 25, 2018, https://fsscc.org/files/galleries/Financial_Services_Sector_Cybersecurity_Profile_Overview_and_User_Guide_2018-10-25.pdf.
138 Federal Reserve System, “Enhanced Cyber Risk Management Standards,” Advance Notice of Proposed Rulemaking, Fall 2019, 7100-AE61, Office of Information and Regulatory Affairs, OMB, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201910&RIN=7100-AE61.
139 United States Secret Service, “Electronic Crimes Task Forces (ECTF),” White House Archived Web Pages, https://obamawhitehouse.archives.gov/files/documents/cyber/United%20States%20Secret%20Service%20-%20Electronic%20Crimes%20Task%20Forces.pdf.
140 United States Secret Service, “United States Secret Service Electronic Crimes Task Forces,” U.S. Department of Homeland Security, accessed July 22, 2020, https://www.dhs.gov/sites/default/files/publications/USSS_Electronic-Crimes-TaskForces.pdf.
141 Shannon Vavra, “Secret Service Merging Electronic and Financial Crime Task Forces to Combat Cybercrime.”
142 Cyber Readiness Institute, “Our Mission,” accessed July 22, 2020, https://www.cyberreadinessinstitute.org/our-mission.
143 Service, “Top Companies Team Up With Federal Agencies and Nonprofit to Launch First-Of-Its-Kind Cyber Talent Initiative To Protect Against Cyberattacks.”
144 Frank C. Cicio, Jr., “How America Is Closing the Cybersecurity Skills Gap,” Knowledge@Wharton (blog), August 16, 2017, https://knowledge.wharton.upenn.edu/article/america-plans-close-skills-gap-cybersecurity/.
145 Frank C. Cicio, Jr.
146 Steven T. Mnuchin, “Statement by Treasury Secretary Steven T. Mnuchin on the Introduction of Legislation to Transfer the Secret Service Back to Its Original Home at the Treasury Department,” statement, Washington, DC, May 6, 2020, https://home.treasury.gov/news/press-releases/sm1004.
147 Internet Crime Complaint Center, “2019 Internet Crime Report,” U.S. Federal Bureau of Investigation, 2019, https://pdf.ic3.gov/2019_IC3Report.pdf.
148 Financial and Banking Information Infrastructure Committee, “FBIIC: Members,” accessed July 22, 2020, https://www.fbiic.gov/fbiic-members.html.
149 FinCEN, “What We Do,” accessed July 22, 2020, https://www.fincen.gov/what-we-do.
150 U.S. Department of the Treasury, “FinCEN Realigns Division to Increase Strategic Capabilities.”
151 Financial Services Sector Coordinating Council, “Financial Sector Cybersecurity Profile.”
152 FS-ISAC, “FS-ISAC Announces The Formation Of The Financial Systemic Analysis & Resilience Center (FSARC).”
153 Chris Bing, “Project Indigo: The Quiet Info-Sharing Program between Banks and U.S. Cyber Command,” CyberScoop, May 21, 2018, https://www.cyberscoop.com/project-indigo-fs-isac-cyber-command-information-sharing-dhs/.
154 The National Cyber-Forensics and Training Alliance, “NCFTA,” accessed July 22, 2020, https://www.ncfta.net/.
155 The National Cyber-Forensics and Training Alliance, “CyFin Program,” accessed July 22, 2020, https://www.ncfta.net/cyfin-program/.
156 National Initiative for Cybersecurity Education (NICE), “The NICE Cybersecurity Workforce Framework,” U.S. National Institute of Standards and Technology, August 2017, https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center/current.
157 National Initiative for Cybersecurity Education (NICE), “The NICE Cybersecurity Workforce Framework,” U.S. National Institute of Standards and Technology, August 2017, https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center/current.
158 New York State Department of Financial Services, “NYDFS 23 NYCRR 500,” 2017, https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf.
159 Sheltered Harbor, “Sheltered Harbor - About,” accessed July 20, 2020, https://shelteredharbor.org/index.php/about#who.
160 Stacy Cowley, “Banks Adopt Military-Style Tactics to Fight Cybercrime,” New York Times, May 20, 2018, https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html.
161 United States Secret Service, “Secret Service Announces the Creation of the Cyber Fraud Task Force,” press release, July 9, 2020, https://www.secretservice.gov/data/press/releases/2020/20-JUL/Secret-Service-Cyber-Fraud-Task-Force-Press-Release.pdf.
162 Juan Zarate and Tim Maurer, “Protecting the Financial System Against the Coming Cyber Storms,” Hill, May 18, 2020, https://thehill.com/opinion/cybersecurity/498244-protecting-the-financial-system-against-the-coming-cyber-storms.
163 World Bank and United Nations, “Combatting Cybercrime: Tools and Capacity Building for Emerging Economies,” 2017, http://documents.worldbank.org/curated/en/355401535144740611/pdf/129637-WP-PUBLIC-worldbank-combating-cybercrime-toolkit.pdf.
164 Finance, Competitiveness & Innovation Global Practice, “Finance, Competitiveness & Innovation,” World Bank, accessed July 22, 2020, https://www.worldbank.org/en/about/unit/fci.
165 Georg Schmitt, “To Prevent a Digital Dark Age: World Economic Forum Launches Global Centre for Cybersecurity,” World Economic Forum, December 19, 2019, https://www.weforum.org/press/2018/01/to-prevent-a-digital-dark-age-world-economic-forum-launches-global-centre-for-cybersecurity/.
166 World Economic Forum, “Partnership Against Cybercrime,” accessed July 20, 2020, https://www.weforum.org/projects/partnership-against-cybercime/.