Table of Contents

Crosscutting Issue #2: Align and expand capacity-building efforts across all three core pillars for those seeking assistance.

Problem Statement: Making Sense of the Nebulous Term “Capacity-Building”

The 2016 Bangladesh incident was a wake-up call for central banks and financial authorities around the world that the threat landscape had evolved beyond criminal activity, and certain threats could now pose systemic risk. The aftermath of the incident also revealed a significant gap in capacity to address cybersecurity. The IMF received significantly more requests from member states for guidance and assistance, and central banks and government agencies even in some G7 member states only had one or two staff members focusing on cybersecurity. Since the 2016 wake-up call, organizations have been busy staffing up, updating regulatory and policy frameworks, and integrating new technologies.

Cybersecurity capacity-building has therefore become a growing priority, especially considering the rising numbers of state-sponsored attacks and the increase in fraud during the coronavirus pandemic. At the same time, “capacity-building” is an amorphous term and requires clarification before we can progress from concept to action. Key questions are: What is it? Who does it? How is it done?

What is it? Capacity-building can be defined as “a way to empower individuals, communities and governments to achieve their developmental goals by reducing digital security risks stemming from access and use of Information and Communication Technologies.”1 It can cover the spectrum from prevention to response, as illustrated in Figure 12.

Who does it? Capacity-building can involve a variety of actors ranging from national to international figures and from government to nongovernmental stakeholders.

How is it done? This depends on whether the capacity-building in question focuses on policy, regulation, standards, organizational culture, or training. A growing literature on cybersecurity capacity-building offers frameworks,2 principles,3 and lessons learned.4 Scholars also point to well-known challenges in other capacity-building efforts, ranging from overall questions about effectiveness,5 asymmetric power dynamics, and the political interests of funders.6

In the context of this strategy document, cybersecurity capacity-building with respect to the financial system can be further broken down into how it aligns with the various core pillars. Table 4 provides a partial mapping of ongoing efforts in terms of the strategies laid out in this report. The IMF’s capacity-building, for instance, focuses on increasing resilience, whereas the capacity-building efforts of the UNODC and the World Bank focus on strengthening law enforcement capacity.7 UNIDIR offers materials for diplomats focusing on cybersecurity norms, and the AFI provides a guide on cybersecurity in the context of DFS.8 Capacity-building in the private sector includes efforts by the major cloud service providers to help their clients build capacity through dedicated education and training programs.9 And in some parts of the world, industry carries out its own private capacity-building due to local governments’ limited ability to provide such services.

To narrow the focus, this strategy report provides a mapping but will not focus in depth on capacity-building efforts to tackle cyber crime or capacity-building efforts focusing on the diplomatic corps. Such efforts already date back at least a decade, are more mature, and have already received attention from initiatives like the aforementioned WEF Partnership Against Cybercrime,10 Third Way’s Cyber Enforcement Initiative, and the Global Forum on Cyber Expertise (GFCE).11 The biggest challenge for these efforts is how they interconnect with each other, a challenge that several of the recommendations outlined in this report hope to address.

Table 4: Map of Existing Capacity-Building Efforts
PRIORITY AREA TYPE OF ACTOR EXAMPLE
OPERATIONAL RESILIENCE State actors
  • CPMI-IOSCO: Guidance on cyber resilience12
  • IMF: Annual workshops and technical assistance training13
  • FSB: Lexicon and cyber incident response practices14
  • BIS: Cyber resilience tool kit15
  • World Bank: Workshops and exercises16
  • OAS: Report and convenings17
Multistakeholder
  • Carnegie: Capacity-building tool box18
  • Global Cyber Alliance: Cybersecurity tool kit19
Nonstate actors
  • SWIFT: Customer Security Program20
  • Cyber Risk Institute: Maturity-based model*21
  • FS-ISAC: Summits and training22
  • Cloud service providers: Cloud migration training23
INTERNATIONAL NORMS State actors
  • UNIDIR: Conference series and cyber policy portal24
  • UNODA: Training for diplomats from UN member states25
  • UN GGE/OEWG: Dedicated process and preparatory sessions26
  • OSCE: Dedicated process and preparatory sessions27
  • OAS: Dedicated process and preparatory sessions28
  • ASEAN: Dedicated process and preparatory sessions29
Multistakeholder
  • GFCE: Cybil portal30
Nonstate actors
  • Microsoft: Awareness-raising and Cyber Peace Institute31
  • DiploFoundation: Educational material32
  • ICT4Peace: Educational material33
COLLECTIVE RESPONSE State actors
  • UNODC: Global Program on Cybercrime and Cybercrime Tools34
  • World Bank: Combatting Cybercrime Tool Kit35
  • Council of Europe: Cybercrime Program Office36
  • Europol: Training and capacity-building program37
  • INTERPOL: Project Cyber Americas II38
  • AU: Forum on Cybercrime39
Multistakeholder
  • NCFTA: U.S.-based partnership to tackle cyber crime40
  • CDA: UK-based partnership to tackle cyber crime41
Nonstate actors
  • FSARC: Project Indigo42
FINANCIAL INCLUSION State actors
  • AFI: Cybersecurity for financial inclusion framework and guide43
  • UNSGSA: Briefing on cybersecurity44
Multistakeholder
  • World Economic Forum: Consortium on FinTech Cybersecurity45
Nonstate actors
  • Mastercard: Innovation lab46

Capacity-building efforts focused on cyber resilience are still nascent and are therefore the focus of the remainder of this section. The main challenge is that demand outpaces supply. In the wake of the 2016 Bangladesh incident, the IMF’s five-person staff dedicated to the issue was inundated with requests for guidance and assistance from its member states. CGAP’s vision was developed by a team of two. Such efforts are dwarfed by what SWIFT put behind the update of its Customer Security Program—out of self-interest, clearly, but nevertheless an impressive undertaking. Despite its importance, cybersecurity capacity-building is also still struggling to find its way into existing ODA budgets.

As demand for cybersecurity capacity grows, financial resources to increase supply are limited. In fact, financial resources are likely to shrink because of the coronavirus pandemic, which has ripped a hole in the coffers of governments that fund multilateral organizations and are the main contributors of ODA. As budgets get tighter, pressure to use limited resources more effectively will grow, raising questions about how best to organize cybersecurity capacity-building efforts for the financial system.

Spotlight

One standout example of public-private partnerships on cybersecurity capacity-building in the financial system is the Commonwealth Cyber Declaration Programme. This initiative arose out of the 2018 Commonwealth Cyber Declaration, an intergovernmental commitment to build cybersecurity capacity throughout Commonwealth states. Citigroup partnered with the UK government, Microsoft, and Templar Executives, a cybersecurity consultancy, to train over 1,000 individuals across the Commonwealth. Citigroup’s contributions specifically focused on “strengthen[ing] resilience in the financial sector” of various Commonwealth states.47 According to the UK Foreign, Commonwealth & Development Office, Citigroup provided valuable “training and information gathering support.”48

Mapping the Status Quo: Nascent Efforts to Build Cyber Resilience Capacity

The International Monetary Fund’s Vision

The IMF recognizes capacity development, in addition to surveillance and lending, as a core function for helping member countries “build strong economic institutions.”49 Well-trained supervisors and regulators are fundamental to bolstering cyber resilience in emerging financial markets. The IMF’s cybersecurity technical assistance program is critical to developing a cadre of financial supervisors and regulators that can keep pace with the financial sector’s increasing interconnectedness and reliance on information technology.

Over the last three years, after it declared cybersecurity to be a financial stability risk, the IMF has incorporated into its capacity development efforts a program to assist financial regulators and supervisors with cybersecurity risk management.50 The IMF’s cybersecurity technical assistance program, implemented by the Monetary and Capital Markets Department, has three pillars:

  1. Annual Workshops: These annual workshops, hosted at IMF headquarters in Washington, DC, bring together financial supervisors and regulators, industry representatives, and technical experts to share best practices, raise awareness about emerging risks, and implement cybersecurity exercises. The workshops have been hosted every December since 2017, and have focused on cyber hygiene, response and recovery, and operational resilience, respectively.
  2. Regional Technical Assistance Center Workshops: These cyber security capacity-building workshops are hosted in all of the IMF’s ten regional technical assistance centers,51 in partnership with leading central banks in the region. The workshops serve member countries across twelve jurisdictions.
  3. Bilateral Technical Assistance Missions: Bilateral technical assistance missions are undertaken at the request of member countries, and IMF experts work directly with financial regulators and supervisors to conduct a risk assessment and provide hands-on training.

The IMF’s long-term vision is to build the capabilities of financial regulators and supervisors managing cybersecurity risk to help ensure more stable financial and monetary systems in low-income and developing countries. In order to scale this work, the IMF plans to build out and leverage its network of technical assistance centers and partner with regional champions. Future work through this network includes:

  • Developing a durable training curriculum, with a focus on hands-on training.
  • Making financial supervisors and regulators aware of existing cybersecurity risk management frameworks and best practices so that they do not have to write their own rules from scratch.
  • Cultivating partnerships and “buddy” systems between countries with mature cybersecurity risk management and low-income and developing countries with less experience. These partnerships are designed to encourage hands-on development.

CGAP’s Vision

CGAP, an independent think tank focused on financial inclusion housed at the World Bank, has developed a concept for regional cyber security resource centers to help low-income countries address cybersecurity risks in DFS.52 The concept, illustrated in Figure 13, proposes addressing the cybersecurity resources and capabilities gap through shared cybersecurity resource centers so that multiple countries can pool resources and talent. Specifically, CGAP proposes that:

  • Regional cybersecurity response centers “facilitate cross-border exchange, operate early warning systems, and share regional trends, threats and good practices with other regions and global platforms.”53 These centers would act as a neutral platform for policymakers and financial services providers to collaborate and exchange threat intelligence.
  • Continental cybersecurity coordination centers would function as hubs for international and regional collaboration as well as for knowledge and intelligence sharing, including guidance on implementing cybersecurity regulations and standards. Regional cybersecurity response centers would support in-country incident response teams with crisis management, training, and capacity-building services. In-country centers would field security operations teams that focus on operationalizing services like information sharing, 24/7 security monitoring, and emergency response.
  • The centers would build on and complement existing service structures like national CERTs and CSIRTs. Additionally, centers would collaborate with local universities for research and development projects and leverage local technical expertise and talent pipelines. Emphasis would be placed on recruiting female students to reduce the gender disparities in IT hiring.
  • The centers are intended to become self-sustaining after a few years of reliance on start-up funding as their efficiency increases through economies of scale, in part from mutualizing resources and expenses across regions and countries. Initial feedback from DFS providers and central banks is positive and reflective of the demand for more cybersecurity resources.54

The World Bank’s Activities

The World Bank has undertaken a number of initiatives to strengthen cybersecurity in the financial sector. This work can be seen across three broad categories: (1) capacity-building for financial regulators and supervisors, (2) Financial Sector Assessment Programs led jointly by the World Bank and the IMF, and (3) capacity-building to counter cyber crime in the financial system.

  • Capacity-building for financial regulation and supervision:55 This is the World Bank’s main line of work around cybersecurity in the financial sector. It is led by the World Bank’s Financial Sector Advisory Center within the Finance, Competitiveness & Innovation Global Practice.56
  • “Financial Sector’s Cybersecurity: A Regulatory Digest”: According to the World Bank, this publication is “intended to be a live, periodically updated compilation of recent laws, regulations, guidelines and other significant documents on cybersecurity for the financial sector.”57 The most recent edition, the fifth, was published in July 2020.
  • Regional Workshop on Financial Cyber Resilience: This workshop discussing cyber resilience was hosted in Mexico City in November 2019 by the World Bank and the Center for Latin American Monetary Studies.58
  • Cybersecurity: A Simulation Exercise: This exercise was hosted at the Financial Inclusion Global Initiative 2019 Symposium.59
  • Capacity-building to counter cyber crime in the financial system: This stream of work was driven by the Global Cybersecurity Capacity Program (2016–2019), launched by the World Bank in partnership with the Global Cybersecurity Center for Development (operating under the Korea Internet & Security Agency) and Oxford University’s Global Cybersecurity Capacity Centre. The World Bank also developed a specific tool kit dedicated to combating cyber crime.60

Cyber Risk Institute’s Vision

After a survey of CISOs reported spending 40 percent of their time reconciling various global cybersecurity regulations, the FSSCC, led by the BPI and the ABA, developed a tool to simplify the compliance process: the Financial Services Sector Cybersecurity Profile (the Profile).61 The Profile is intended to address the concern that “if national level approaches are developed in isolation, without global coordination, the resulting fragmentation will inhibit the strengthening of the financial sector’s operational resilience and result in inefficiencies or confusion that increase the cross-border impacts of disruptive events.”62

The Cyber Risk Institute (CRI), grew out of the FSSCC’s work on the Profile. The CRI will maintain and update the Profile, which consolidates more than 2,300 regulations into 277 diagnostic statements to help financial institutions speed up compliance. Moreover, the Profile uses “impact tiering” to tailor its recommendations based on a financial institution’s systemic importance.63 Over the next three years, the CRI plans to road test the Profile among financial institutions and regulators, as well as promoting alignment between the Profile and future standards and regulations.64 The Profile currently incorporates frameworks from the ISO, the National Institute of Standards and Technology (NIST), and CPMI-IOSCO, and the CRI is mapping additional regulations at the request of other financial authorities. The CRI is additionally working on a “maturity methodology,” which is expected to be released by 2021.65

Global Forum for Cyber Expertise

The GFCE is a nonprofit coalition whose mission is “to strengthen cyber capacity and expertise globally through international collaboration and cooperation.”66 The GFCE was envisioned in Seoul at the third Global Conference on Cyber Space; it was officially established in 2015 at the fourth Conference in The Hague by the Dutch government and forty-one ministers and senior representatives from industry and international organizations.67

The GFCE is the primary coordinating platform for cyber capacity-building. Its focus is to coordinate cyber capacity projects, share knowledge and expertise by recommending tools and publications, and act as a clearing house to match needs for cyber capacities with offers of support.68 Its members are primarily international organizations and governments; its only members from the financial system are FS-ISAC and the World Bank, although some member countries work directly through the GFCE on financial sector issues.

The GFCE supports a range of initiatives with partner institutions,69 some of which are related to the financial system. For example, it partners with international organizations like the UNODC and INTERPOL on building capacity to counter financial cyber crime in Africa and Southeast Asia.70 In addition, the GFCE’s Critical Information Infrastructure Protection Initiative supports government policymakers responsible for critical infrastructure protection, including protection of “financial systems and process control systems.”71

The GFCE also maintains a cyber capacity database, Cybil, to collect and archive capacity-building projects, their implementors, and their beneficiaries—this database includes dozens of capacity-building projects geared toward the financial system.72 Cybil and other GFCE products can provide situational awareness, help avoid duplication of work, and align efforts for future sector-specific cyber capacity-building. The GFCE may also provide a potent means of disseminating future capacity-building products among less mature financial institutions and regulators.

Recommendations: Aligning Resources to Maximize Impact

The biggest question in coming years will be how best to organize the still nascent but expanding efforts by multilateral institutions such as the IMF, the World Bank, and the GFCE and those undertaken by industry such as the CRI and FS-ISAC.

  • Recommendation 5.1: The G20 Finance Ministers and Central Bank Governors should adopt a communiqué creating a mechanism to operationalize a coherent approach to cybersecurity capacity-building for the financial sector. Such an approach could emulate and build on the lessons learned from the Global Infrastructure Hub launched during Australia’s G20 presidency or the Global Partnership for Financial Inclusion (GPFI) launched during South Korea’s G20 presidency.
    • Supporting Action 5.1.1: To clarify roles and responsibilities, the G20 Finance Ministers and Central Bank Governors’ communiqué should declare that one of the international financial institutions (ideally the IMF, as the sector-specific multilateral organization) will be the lead coordinating agency for this mechanism, which would also include the World Bank, the Consultative Group to Assist the Poor (CGAP), the Alliance for Financial Inclusion (AFI), and other relevant stakeholders.
    • Supporting Action 5.1.2: Considering ongoing capacity-building efforts by the private sector—for example, the Customer Security Program advanced by the Society for Worldwide Interbank Financial Telecommunication (SWIFT)—and the public sector’s limited financial resources in the wake of the pandemic, the G20 Finance Ministers and Central Bank Governors should invite private sector firms and other relevant stakeholders to participate in and support such capacity-building initiatives, as is the practice in a number of states today.
    • Supporting Action 5.1.3: The G20 Finance Ministers and Central Bank Governors should welcome and encourage the use of the “Cyber Resilience Capacity-building Tool Box for Financial Organizations,” developed by the Carnegie Endowment for International Peace and launched in partnership with the IMF, SWIFT, FS-ISAC, and other organizations.

Models created by the G20, such as those outlined in Recommendation 5.1,73 provide a mechanism to bring together governments, private sector entities, and other relevant stakeholders, including the various multilateral development banks.74 Another option would be to create such a mechanism under the auspices of the GFCE. However, this presents challenges given the GFCE’s more politicized origins through the Global Conference on Cyber Space series.75

“The G20 needs to not walk away from poor countries because it has its own fiscal constraints—we need both capacity-building commitment and a commitment to genuine partnership in information sharing and cooperation.”—Expert at FinCyber Brainstorming Workshop in May 2020.

Organizing such a mechanism under the auspices of the IMF would free up the capacity of the other sector-agnostic organizations like the World Bank to focus on the many other critical infrastructure sectors, such as health and energy, for which states need support. However, the IMF lacks the country office infrastructure of the World Bank and would therefore still benefit from some support for specific areas and activities.

In 2019, Carnegie launched the “Cyber Resilience Capacity-building Tool Box for Financial Organizations” in partnership with the IMF, SWIFT, FS-ISAC, Standard Chartered, the Cyber Readiness Institute, and the Global Cyber Alliance.76 Available in several languages including Arabic, Dutch, English, French, Portuguese, Russian, and Spanish, this tool box will be updated by the end of 2020 and a new version launched in 2021. Figure 14 shows a page from the tool box.

  • Recommendation 5.2: The member states of the Development Assistance Committee of the Organisation for Economic Co-operation and Development (OECD) should integrate cybersecurity capacity-building into official development assistance (ODA) budgets and significantly increase assistance to countries in need. Even with technical cooperation mechanisms, international financial institutions such as the IMF and World Bank currently do not have the capacity to respond to the disruptions to critical financial services or the hundreds of millions of dollars stolen in countries around the world.
  • Recommendation 5.3: To further expand and strengthen ongoing capacity-building around international cyber norms and to advance the objectives outlined in this report, the UN Institute for Disarmament Research (UNIDIR) and the UN Office for Disarmament Affairs (UNODA) should integrate a specific module focusing on the financial sector into their capacity-building material.
  • Recommendation 5.4: To further expand and strengthen ongoing capacity-building efforts with respect to tackling cyber crime more effectively, state and industry stakeholders should support the efforts by the Council of Europe, Europol, INTERPOL, the UN Office on Drugs and Crime (UNODC), and the World Bank to strengthen capabilities to address cyber crime.

Notes

1 Mirko Hohmann, Alexander Pirang, and Thorsten Benner, “Advancing Cybersecurity Capacity Building,” Global Public Policy Institute, March 2017, https://www.gppi.net/media/Hohmann__Pirang__Benner__2017__Advancing_Cybersecurity_Capacity_Building.pdf.

2 Global Cyber Security Capacity Centre, “Cybersecurity Capacity Maturity Model for Nations,” University of Oxford, May 31, 2016, https://gcscc.web.ox.ac.uk/files/cmmrevisededition090220171pdf.

3 Mirko Hohmann, Alexander Pirang, and Thorsten Benner, “Advancing Cybersecurity Capacity Building.”

4 Global Cybersecurity Capacity Program, “Lessons Learned and Recommendations towards Strengthening the Program,” World Bank Group, 2019, http://documents1.worldbank.org/curated/en/947551561459590661/pdf/Global-Cybersecurity-Capacity-Program-Lessons-Learned-and-Recommendations-towards-Strengthening-the-Program.pdf.

5 Norwegian Institute of International Affairs, “Cybersecurity Capacity Building,” 2015, /nupi_eng/About-NUPI/Projects-centers/Cybersecurity-Capacity-Building.

6 Zine Homburger, “The Necessity and Pitfall of Cybersecurity Capacity Building for Norm Development in Cyberspace,” Global Society 33, no. 2 (April 3, 2019): 224–42, https://doi.org/10.1080/13600826.2019.1569502.

7 United Nations Office on Drugs and Crime, “Global Programme on Cybercrime,” accessed July 22, 2020, //www.unodc.org/unodc/en/cybercrime/global-programme-cybercrime.html; World Bank Group, “Combatting Cybercrime,” accessed July 22, 2020, http://www.combattingcybercrime.org/; World Bank Group and United Nations and International Bank for Reconstitution and Development, “Combatting Cybercrime: Tools and Capacity Building for Emerging Economies,” 2017, http://documents1.worldbank.org/curated/en/355401535144740611/pdf/129637-WP-PUBLIC-worldbank-combating-cybercrime-toolkit.pdf.

8 United Nations Institute for Disarmament Research, “UNIDIR Cyber Policy Portal,” Cyber Policy Portal, accessed July 22, 2020, https://cyberpolicyportal.org/en/; “Cybersecurity for Financial Inclusion: Framework & Risk Guide,” Alliance for Financial Inclusion, October 2019, https://www.afi-global.org/sites/default/files/publications/2019-11/AFI_GN37_DFS_AW_digital_0.pdf.

9 Amazon Web Services, Inc., “AWS Educate,” accessed July 22, 2020, https://aws.amazon.com/education/awseducate/.

10 World Economic Forum, “Partnership Against Cybercrime,” accessed July 20, 2020, https://www.weforum.org/projects/partnership-against-cybercime/.

11 Third Way, “Announcing the Third Way Cyber Enforcement Initiative,” October 29, 2018, https://www.thirdway.org/memo/announcing-the-third-way-cyber-enforcement-initiative.

12 Committee on Payments and Market Infrastructures and The Board of the International Organization of Securities Commissions, “Guidance on Cyber Resilience for Financial Market Infrastructures. ”

13 David Lipton, “Cybersecurity Threats Call for a Global Response,” IMF Blog (blog), January 13, 2020, https://blogs.imf.org/2020/01/13/cybersecurity-threats-call-for-a-global-response/.

14 Financial Stability Board, “Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory Practices”; Financial Stability Board, “Cyber Lexicon.”

15 Bank for International Settlements (BIS), “Cyber Resilience: Range of Practices.”

16 World Bank, “Financial Sector Cyber Resilience Workshop” (Workshop, Mexico City, November 6, 2019), https://www.worldbank.org/en/events/2019/11/06/financial-sector-cyber-resilience-workshop.

17 Cyber Security Program of the Inter-American Committee against Terrorism, “State of Cybersecurity in the Banking Sector in Latin America and the Caribbean.”

18 FinCyber Project, “Cyber Resilience and Financial Organizations: A Capacity-Building Tool Box,” Carnegie Endowment for International Peace, accessed July 22, 2020, https://carnegieendowment.org/specialprojects/fincyber/guides.

19 Global Cyber Alliance, “Cybersecurity Toolkit for Small Business,” accessed July 22, 2020, https://www.globalcyberalliance.org/gca-cybersecurity-toolkit/.

20 “Customer Security Programme (CSP),” SWIFT, accessed July 22, 2020, https://www.swift.com/myswift/customer-security-programme-csp.

21 Cyber Risk Insitute, “About Cyber Risk Institute,” accessed July 22, 2020, https://cyberriskinstitute.org/about/.

22 FS-ISAC, “FS-ISAC Summits,” accessed July 22, 2020, https://www.fsisac.com/events#summits.

23 Amazon Web Services, Inc., “AWS Education,” accessed July 22, 2020, https://aws.amazon.com/education/awseducate/.

24 United Nations Institute for Disarmament Research, “UNIDIR Cyber Policy Portal.”

25 UN Office for Disarmament Affairs, “CyberDiplomacy,” accessed July 22, 2020, https://cyberdiplomacy.disarmamenteducation.org/home/.

26 United Nations Office for Disarmament Affairs, “Developments in the Field of Information and Telecommunications in the Context of International Security,” UN.org, accessed July 22, 2020, https://www.un.org/disarmament/ict-security/.

27 OSCE, “Cyber/ICT Security,” accessed July 22, 2020, https://www.osce.org/cyber-ict-security.

28 Organization of American States, “Cyber Security,” OAS.org, accessed July 22, 2020, https://www.oas.org/en/topics/cyber_security.asp.

29 NATO Cooperative Cyber Defence Centre of Excellence, “ASEAN Regional Forum Reaffirming the Commitment to Fight Cyber Crime,” accessed July 22, 2020, https://ccdcoe.org/incyder-articles/asean-regional-forum-reaffirming-the-commitment-to-fight-cyber-crime/.

30 Global Forum on Cyber Expertise, “Cybil Portal,” accessed July 22, 2020, https://cybilportal.org/.

31 Microsoft, “Cyber Crime & Security Content Hub,” accessed July 22, 2020, https://www.microsoft.com/en-us/cybersecurity/content-hub; “CyberPeace Institute - Home.”

32 DiploFoundation, “Cybersecurity,” accessed July 22, 2020, https://www.diplomacy.edu/cybersecurity.

33 ICT4Peace, “Promotion of a Secure and Peaceful Cyberspace,” June 1, 2016, https://ict4peace.org/what-we-do/.

34 United Nations Office on Drugs and Crime, “Cybercrime,” accessed July 22, 2020, //www.unodc.org/unodc/en/cybercrime/index.html.

35 World Bank Group, “Combatting Cybercrime.”

36 Council of Europe, “Worldwide Capacity Building,” accessed July 22, 2020, https://www.coe.int/en/web/cybercrime/capacity-building-programmes.

37 Europol, “Training and Capacity Building,” accessed July 22, 2020, https://www.europol.europa.eu/activities-services/services-support/training-and-capacity-building.

38 INTERPOL, “Capacity Building Projects,” accessed July 22, 2020, https://www.interpol.int/en/How-we-work/Capacity-building/Capacity-building-projects.

39 African Union, “First African Forum on Cybercrime” (Addis Ababa, October 16, 2018), https://au.int/en/newsevents/20181016/first-african-forum-cybercrime.

40 The National Cyber-Forensics and Training Alliance, “NCFTA,” accessed July 22, 2020, https://www.ncfta.net/.

41 Anomali Inc, “Cyber Defence Alliance (CDA) Partners with Anomali to Better Enable Sharing of Threat Intelligence among Banking Members,” GlobeNewswire News Room, March 5, 2020, http://www.globenewswire.com/news-release/2020/03/05/1995533/0/en/Cyber-Defence-Alliance-CDA-partners-with-Anomali-to-better-enable-sharing-of-Threat-Intelligence-among-banking-members.html.

42 Chris Bing, “Project Indigo: The Quiet Info-Sharing Program between Banks and U.S. Cyber Command,” CyberScoop, May 21, 2018, https://www.cyberscoop.com/project-indigo-fs-isac-cyber-command-information-sharing-dhs/.

43 “Cybersecurity for Financial Inclusion: Framework & Risk Guide,” Alliance for Financial Inclusion, October 2019, https://www.afi-global.org/sites/default/files/publications/2019-11/AFI_GN37_DFS_AW_digital_0.pdf.

44 UNSGSA Fintech Sub-Group, “Briefing on Cybersecurity,” United Nations Secretary-General’s Special Advocate for Inclusive Finance for Development, 2017, https://www.unsgsa.org/files/2815/3575/0134/Cybersecurity.pdf.

45 World Economic Forum, “World Economic Forum Convenes New Consortium to Address Fintech Cybersecurity,” March 6, 2018, https://www.weforum.org/press/2018/03/world-economic-forum-convenes-new-consortium-to-address-fintech-cybersecurity/.

46 Nicholas Nhede, “Cybersecurity Innovation: Enel, Mastercard Announce a New Lab in Israel,” Smart Energy International (blog), May 15, 2020, https://www.smart-energy.com/industry-sectors/cybersecurity/enel-mastercard-announce-a-new-cybersecurity-innovation-lab-in-israel/.

47 Citi, “Global Citizenship Report,” 2018, https://www.citigroup.com/citi/about/citizenship/download/Global-Citizenship-Report-2018.pdf.

48 Foreign, Commonwealth & Development Office, “UIK Commonwealth Chair-in-Office Report 2018-2020,” September 2020, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/916018/UK-Commonwealth-Chair-in-Office-Report-2018-2020.pdf.

49 Monetary and Capital Markets Department, “Technical Assistance Annual Report 2018,” International Monetary Fund, 2018, https://www.imf.org/en/Publications/Technical-Assistance-Annual-Reports/Issues/2018/10/12/technical-assistance-annual-report-2018.

50 Monetary and Capital Markets Department, “Technical Assistance Annual Report 2018,” International Monetary Fund, 2018, https://www.imf.org/en/Publications/Technical-Assistance-Annual-Reports/Issues/2018/10/12/technical-assistance-annual-report-2018.

51 The ten regional technical assistance centers are: AFRITAC Central (Gabon), AFRITAC South (Mauritius), AFRITAC West (Côte d’Ivoire), AFRITAC West II (Ghana), East AFRITAC (Tanzania), Pacific Financial Technical Center (Fiji), South Asia Regional Training and Technical Assistance Center (India), Middle East Regional Technical Assistance Center (Lebanon), Caribbean Regional Technical Assistance Center (Barbados), Central America, Panama and the Dominican Republic Regional Technical Assistance Center (Guatemala).

52 Detailed plans for the concept drawn from interviews with senior CGAP leadership and “Regional Cybersecurity Resource Centers for Financial Inclusion,” Business Concept, CGAP, June 2020. More details also available at: Silvia Baur-Yazbeck and Jean-Louis Perrier, “Regional Centers Can Help Low-Income Countries Build Cyber Resilience,” CGAP (blog), July 8, 2020, https://www.cgap.org/blog/regional-centers-can-help-low-income-countries-build-cyber-resilience.

53 Silvia Baur-Yazbeck, Judith Frickenstein, and David Medine, “Cyber Security in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion,” Consultative Group to Assist the Poor, November 2019, https://www.findevgateway.org/sites/default/files/publications/files/cyber_security_paper_november2019.pdf.

54 Based on input from CGAP representatives.

55 Financial Sector Advisory Center, “Cybersecurity, Cyber Risk and Financial Sector Regulation and Supervision,” World Bank, February 24, 2018, https://www.worldbank.org/en/topic/financialsector/brief/cybersecurity-cyber-risk-and-financial-sector-regulation-and-supervision.

56 Finance, Competitiveness & Innovation Global Practice, “Finance, Competitiveness & Innovation,” World Bank, accessed July 22, 2020, https://www.worldbank.org/en/about/unit/fci.

57 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” World Bank Group, Financial Sector Advisory Center, July 2020, http://pubdocs.worldbank.org/en/361881595872293851/CybersecDigest-v5-Jul2020-FINAL.pdf.

58 World Bank, “Financial Sector Cyber Resilience Workshop.”

59 Aquiles Almansi, Yejin Carol Lee, and Emiko Todoroki, “World Bank Crisis Simulation Exercises: What Is at Stake in Coordinating and Making Decisions in a Crisis,” World Bank Group, October 2016, https://openknowledge.worldbank.org/bitstream/handle/10986/25192/109243.pdf?sequence=4; Aquiles Almansi and Yejin C. Lee, “Cybersecurity: A Simulation Exercise” (FIGI Symposium 2019: Capacity Building Sessions, Cairo, Egypt, January 22, 2019), https://www.itu.int/en/ITU-T/extcoop/figisymposium/2019/Pages/Programme-2401.aspx.

60 United Nations Office on Drugs and Crime, “Global Programme on Cybercrime”; World Bank Group, “Combatting Cybercrime”; World Bank Group and United Nations and International Bank for Reconstitution and Development, “Combatting Cybercrime: Tools and Capacity Building for Emerging Economies.”

61 Financial Services Sector Coordinating Council, “Financial Sector Cybersecurity Profile.”

62 Global Financial Markets Association and Institute of International Finance, “Discussion Draft Principles Supporting the Strengthening of Operational Resilience Maturity in Financial Services,” October 2019, https://www.gfma.org/wp-content/uploads/2019/10/discussion-draft-iif-gfma-operational-resilience-principles-october-2019.pdf.

63 Cyber Risk Institute, “The Profile,” accessed July 22, 2020, https://cyberriskinstitute.org/the-profile/.

64 Cyber Risk Institute, “The Financial Services Cybersecurity Profile: Ongoing Activity and the Road Ahead,” May 5, 2020.

65 Cyber Risk Institute, “Press Releases,” https://cyberriskinstitute.org/news-events/.

66 Global Forum on Cyber Expertise, “About the GFCE,” accessed July 22, 2020, https://thegfce.org/about-the-gfce/.

67 Global Forum on Cyber Expertise, “About the GFCE,” accessed July 22, 2020, https://thegfce.org/about-the-gfce/.

68 Global Forum on Cyber Expertise, “About the GFCE,” accessed July 22, 2020, https://thegfce.org/about-the-gfce/.

69 Global Forum on Cyber Expertise, “Initiatives Overview,” accessed July 22, 2020, https://thegfce.org/initiatives-overview/.

70 Global Forum on Cyber Expertise, “Preventing and Combating Cybercrime in Southeast Asia—Global Forum on Cyber Expertise,” accessed July 22, 2020, https://thegfce.org/initiatives/preventing-and-combating-cybercrime-in-southeast-asia/.

71 Global Forum on Cyber Expertise, “Critical Information Infrastructure Protection Initiative,” accessed July 22, 2020, https://thegfce.org/initiatives/critical-information-infrastructure-protection-initiative/.

72 Global Forum on Cyber Expertise, “Cybil Portal,” https://cybilportal.org/about-the-gfce/.

73 Global Partnership for Financial Inclusion, “GPFI,” accessed July 20, 2020, https://www.gpfi.org/; Global Infrastructure Hub, “Funders and Strategic Partners,” accessed July 20, 2020, https://www.gihub.org/about/funders-and-strategic-partners/.

74 Global Infrastructure Hub, “Funders and Strategic Partners,” accessed July 20, 2020, https://www.gihub.org/about/funders-and-strategic-partners/.

75 Global Partnership for Financial Inclusion, “GPFI,” accessed July 20, 2020, https://www.gpfi.org/; William Hague, “Foreign Secretary William Hague Addressed the London Conference on Cyberspace on 1 November” (Speech, London Conference on Cyberspace, London; UK, November 1, 2011), https://www.gov.uk/government/speeches/foreign-secretary-opens-the-london-conference-on-cyberspace.

76 FinCyber Project, “Cyber Resilience and Financial Organizations: A Capacity-building Tool Box,” Carnegie Endowment for International Peace, https://carnegieendowment.org/specialprojects/fincyber/guides.