The G-7 has adopted a set of cybersecurity principles to help defend the financial sector from destabilizing threats.
The group of countries agreed on eight high-level elements necessary for strong defense of the sector, crafted to apply to entities of all sizes, from banks to payment systems to third-party providers, according to Deputy Treasury Secretary Sarah Bloom Raskin. The principles, designed to be flexible and tailored for different financial institutions, also pertain to insurance companies.
Publication of the new principles was spurred by, among other things, the onslaught of hacking attacks on the SWIFT money transfer network used by banks, hacks that alarmed Congress and federal agencies. Attacks on the SWIFT network and other cyberattacks underscore the need for cybersecurity throughout the financial sector, Raskin said on a conference call with reporters.
With these principles in place, a company board member can pick up two pages and have a sense of what questions to ask their leadership, Treasury officials who spoke on background to reporters said. Best practices outlined in the document are meant to shore up any potential gaps and vulnerabilities, they added.
Treasury officials also made clear that they hope the cybersecurity principles will drive other jurisdictions and the U.S. to adopt a similar approach. The elements have the potential to transcend the G-7 countries and gain use by public and private organizations, according to Raskin. She called the document a "singular and historic accomplishment."
One official said the document goes beyond the National Institute of Standards and Technology's cybersecurity framework and explicitly calls for effective governance and a continuous learning element. It starts with establishing cybersecurity strategies and operating frameworks tailored to specific cyber risks, and how institutions should respond to, recover from, and share information on cyber incidents.
The document is dynamic, the Treasury official noted, and is open to development and re-evaluation in the face of change and better strategies.
Getting buy-in from insurance companies could be difficult, though. The NAIC, the state regulatory standard-setting organization, is still struggling to gain acceptance among the insurance industry for its draft Insurance Data Security Model Law to address cybersecurity threats against insurers.
Many organizations staunchly oppose the draft for various reasons, including uniformity and harm trigger concerns. Without industry support, the model law draft is unlikely to make it through state legislatures and be enacted.