The unique nature of cyber threats and the actions necessary to better protect the global financial system against them require strengthening the connections between different actors and initiatives. However, many public and private actors remain unaware of the full range of efforts in this domain. The fact that this report is the most comprehensive analysis to date of the efforts underway to protect the global financial system against cyber threats is a telling example of the disconnect.
This background report therefore complements the strategy outlined in Part I and aims to raise readers’ awareness of processes taking place in other communities. The following sections outline the analysis and context for each recommendation in the strategy and its supporting actions. Each section offers an overview of the challenges specific to the priority area as well as a mapping of ongoing initiatives and relevant stakeholders in government, industry, and the financial supervisory community. We hope that readers will focus not on the sections they are most familiar with, but on those discussing less familiar issues.
For example, for central bank officials who are already very familiar with ongoing efforts to increase the sector’s resilience, the sections on international norms and collective response will offer new information about how the recommendations focusing on diplomatic initiatives and the national security community can help support their resilience-focused efforts. Similarly, for diplomats focused on advancing international norms, the section on cyber resilience will point to opportunities for implementing these norms. And the challenges with respect to workforce and capacity-building are often neglected but essential to strengthen the system’s weakest links.
The main challenge, outlined in the overarching recommendations, is how best to organize the protection of the financial system against cyber threats. These overarching recommendations therefore focus on strengthening international mechanisms for coordination, placing the G20 and the G7 at the center and pairing them with more active industry engagement.
- Recommendation 0.1: G20 heads of state should create interagency processes within their respective governments, co-led by the ministry of finance and the central bank/monetary authority (or other relevant entity representing the government in international finance bodies), to explore options for better protecting their domestic as well as the international financial system against cyber threats. Ideally these processes will focus on the six priority areas identified in this report and take into account the report’s recommendations. (The co-leadership is designed to avoid disruptions caused by the frequent turnover of politically appointed ministers of finance; including central banks/monetary authorities as co-leads will allow greater continuity of effort.)
- Supporting Action 0.1.1: To help increase trust and confidence, G20 Finance Ministers and Central Bank Governors should consider creating a G20 Finance Track process emulating the confidence-building measures undertaken by the member states of the Organization for Security and Co-operation in Europe (OSCE), which includes the United States and Russia.
Although the G20 member states tend to emphasize their shared interest—the stability of the global financial system—that shared interest has not been sufficient to overcome a profound lack of trust, which has hampered coordination and cooperation among the G20 member states. To develop more trust when discussing cybersecurity in the context of the financial system, G20 member states could consider emulating the process at the OSCE. Given that the OSCE’s fifty-seven participating states, including the United States and Russia, were able to agree on confidence-building measures in 2013 and 2016, this seems a promising model to emulate in the G20 Finance Track.
Established during the Cold War, the OSCE was created to help build trust and increase confidence between the United States and the Soviet Union. In 2012, the OSCE’s member states decided to launch a new work stream specifically designed to reduce mistrust in the area of cybersecurity and conflict. They launched a working group focusing on developing “confidence-building measures (CBMs) to enhance interstate cooperation, transparency, predictability, and stability, and to reduce the risks of misperception, escalation, and conflict that may stem from the use of ICTs [information and communications technologies].” A first set of CBMs was adopted in 2013, followed by an expanded set adopted in 2016.
Similar actions could be taken through the G20 Finance Track, considering that a major cyber incident involving the financial system is likely to require international cooperation at a global level. As a starting point, G20 member states could assess which of these measures are already in place, whether through the FSB’s actions initiated in 2017 or other relevant entities such as the BIS. The following table lays out possible CBMs for the G20 modeled after the set created by the OSCE.
|Table 2: Possible Measures to Build Confidence Among the G20|
|---|
|G20 member states will nominate a 24/7 contact point to facilitate pertinent communications on cyber incidents with respect to the financial sector. G20 member states will update contact information annually and share any changes with other members no later than thirty days after a change has occurred.|
|G20 member states will voluntarily provide contact information for existing official national structures that manage ICT-related incidents relevant to the financial sector; member states will also coordinate responses to enable direct dialogue and facilitate interaction among responsible national bodies and experts.|
|G20 member states will voluntarily establish measures to ensure rapid communication at policy levels of authority.|
|G20 member states will voluntarily provide their national views on various aspects of national and transnational cyber threats targeting the financial system. The extent of such information will be determined by the member states.|
|G20 member states will voluntarily facilitate cooperation among the competent national bodies as well as exchange of information relevant to protecting the financial sector against cyber threats.|
|G20 member states will, on a voluntary basis and at the appropriate level, hold consultations in order to protect the integrity of the global financial system.|
|G20 member states will voluntarily share information on measures that they have taken to protect the integrity of the global financial system.|
|G20 member states will use the FSB as a platform for dialogue, exchange of best practices, awareness-raising, and information on capacity-building regarding cybersecurity in the financial sector. The participating states will explore further developing the FSB role in this regard.|
|G20 member states are encouraged to have in place modern and effective frameworks and policies to facilitate voluntary bilateral cooperation and effective, time-sensitive information exchange among competent authorities of the participating member states, including law enforcement agencies, in order to respond to malicious cyber activity.|
|G20 member states will voluntarily share information on their national organization, strategies, policies, and programs (including those involving cooperation between the public and the private sector) relevant to cybersecurity in the financial sector; the extent of this information sharing will be determined by the providing member states.|
|G20 member states will, on a voluntary basis, share information and facilitate inter-state exchanges in different formats, including workshops, seminars, and roundtables; these exchanges are aimed at allowing member states to investigate the spectrum of cooperative measures as well as other processes and mechanisms that could enable them to better protect the global financial system against cyber threats.|
|G20 member states will, on a voluntary basis and consistent with national legislation, promote public-private partnerships and develop mechanisms to exchange best practices of responses to common cybersecurity challenges in the financial sector.|
|G20 member states will, on a voluntary basis, encourage responsible reporting of vulnerabilities affecting cybersecurity in the financial sector with the goal of increasing cooperation and transparency among G20 member states.|
|G20 member states will, at the level of designated national experts, meet at least three times each year to discuss information exchanged and explore appropriate development of these measures.|

*Certain steps taken at the OSCE have already occurred in the G20 Finance Track. For example, the cyber lexicon developed by the FSB mirrors a similar effort at the OSCE.

Source: OSCE, “Confidence-Building Measures to Reduce the Risks of Conflict Stemming From the Use of Information and Communication Technologies,” OSCE Permanent Council Decision No. 1202, March 10, 2016, https://www.osce.org/pc/227281.
- Recommendation 0.2: Financial services firms should expand their engagement and dedicate more resources to strengthening the protection of the sector overall. In particular, firms should support capacity-building efforts for weaker links in the system and become more active in efforts complementary to firms’ core focus on resilience, such as advancing international norms, facilitating collective response, and tackling workforce challenges.
- Recommendation 0.3: G7 Finance Ministers and Central Bank Governors should renew the mandate of the G7 CEG starting in 2021; the mandate should include expanding the number of participant states and initiating a G7+ process, for example, emulating the one that established the FATF in the early 1990s, or another process for involving members outside its current remit. (In addition to the European Commission, which is already included, this expanded group could include financial centers such as Switzerland and Singapore and other relevant partner countries. Appendix A provides an outline of stakeholders that could be included in such an enlarged process.)
The creation of the FATF provides useful insight into how to expand the important work that the G7 CEG commenced in 2016. A similar G7+ enlarged group could include other major financial centers such as Switzerland and Singapore. Rather than creating a formalized membership like that of the FATF, this new group could issue standing invitations to a small number of countries, similar to those extended by the G20 presiding member state each year.
Figure 3 shows the three phases of expansion for FATF’s membership, as the organization shifted over time from its original open membership model to one that invited additional countries to join based on a consensus-driven process. Membership of a group focusing on cybersecurity in the context of the financial system would likely differ from FATF’s original membership. Appendix A outlines which countries may be most relevant to include and which financial institutions would be particularly important to consult for such an effort.