BCBS – Calls for improved cyber resilience, reviews financial risks, and discusses impact of digitalization

September 20, 2021 – Cyber threats and incidents, such as ransomware attacks, have emerged as a growing concern for the banking sector, posing risks to individual banks and the financial system. Since the onset of the Covid pandemic, these concerns have heightened. Remote working and increased digitalization of financial services have enlarged banks’ attack surfaces and are providing more points of access to banks’ systems. Targeted attacks on banks’ third-party service providers, including third-party software banks commonly use and intragroup entities, are a stark reminder that cyber security measures should consider operational dependencies on such providers. Ransomware is one of the key cyber security threats facing the banking industry. Reflecting its growing importance, cyber security is a key element of BCBS’s workplan.

Operational Resilience Principles: In March 2021, Basel issued principles on operational resilience and risk. These were revised in part to take better account of operational risks associated with information and communication technology, including vulnerability to cyber threats. A key component of a bank’s ability to deliver critical operations through a disruption is resilience to cyber incidents, including those arising from outsourcing arrangements. To attain resilience, banks must identify and protect against threats and potential failures, and must respond to, adapt to, recover from, and learn from disruptive events to minimize their impact. It is important that all banking authorities encourage the institutions they oversee to adopt tools, effective practices, and frameworks for cyber risk management, including provisions for testing their efficacy, that are aligned with widely accepted industry standards. Adopting such approaches will allow banks to better identify, assess, manage, and mitigate exposures to cyber risks, including those arising from third-party service providers. Use of such cyber risk management approaches puts banks’ efforts to address cyber security threats and incidents on a sound footing, can facilitate supervisory oversight, and can help further alignment of supervisory assessments across jurisdictions.

Industry Standards: BCBS does not endorse any particular tool, effective practice, or framework, but welcomes adoption of those in use globally that align with widely accepted industry standards. These include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO 2700x, and the Center for Internet Security Critical Security Controls. BCBS also referred to the FSB’s Cyber Incident Response and Recovery toolkit and cyber lexicon. Many tools, effective practices, and frameworks are freely available to banks. Banks must continually strive to improve resilience to cyber security threats and incidents. Widespread adoption of approaches based on widely accepted industry standards should strengthen banks’ cyber security by improving fundamental elements that include effective cyber risk management, diligent cyber hygiene practices, appropriate methods for identifying and protecting against cyber threats, and enhanced response and recovery capabilities. BCBS will continue to monitor and assess developments in banks’ cyber risk management and resilience to safeguard banks’ systems and data against cyber threats.

Digitalization: BCBS members also discussed the impact of the ongoing digitalization and disintermediation of finance on the banking system, with an initial focus on retail banks. A thematic analysis considered drivers of banks’ strategic decisions regarding fintech. Also reviewed was the competitive landscape for the provision of retail banking, including non-bank financial and technological institutions, and in particular the supervisory challenges and risks.

For more information, visit www.bis.org.
