Banks Get (Yet Another) Cybersecurity Framework, This Time from G-7

WASHINGTON — Financial authorities from the Group of Seven countries on Tuesday released cybersecurity recommendations for private and public entities operating in the financial sector.

The document lists eight elements that authorities believe characterize an effective cybersecurity program, ranging from the establishment of a cybersecurity strategy to governance and information sharing.

"The fundamental elements announced today are a significant achievement in our efforts to cooperate and improve cybersecurity within our countries," Treasury Deputy Secretary Sarah Bloom Raskin said in a statement. "They are also a testament to the growing international resolve to counter cyberattacks and I encourage private and public sector leaders alike to use them to drive and fortify their institutions' cybersecurity and resiliency."

Many of the document's principles echo earlier frameworks already followed by many financial institutions, including one developed by the National Institute of Standards and Technology and the Federal Financial Institutions Examination Council's cybersecurity assessment tool. In a letter to NIST last month, financial industry groups complained that banks are being saddled with a growing number of competing cybersecurity guidelines.

However, Treasury officials said the G-7 framework stands out because it is international in scope and has a flexible approach, which is necessary to keep pace with a dynamic threat environment. For example, the eighth element recommended by the document is "continuous learning," which advises institutions to review their strategy periodically in response to changes in the type of cybersecurity threats they face.

"The challenge with cybersecurity is that the threat vectors can be difficult to discern and are constantly morphing in search of financial sector vulnerabilities," Raskin said in a phone call with reporters. "These elements were designed with that particular complexity in mind."

The guidelines, Raskin added, were first discussed at a May meeting of G-7 leaders in Japan, and sought to address the vulnerabilities in interbank communication exposed by a series of hacks that came to light this year.

"The recent incidents involving the Swift network and other cyberattacks really underscore the imperative for robust cybersecurity throughout the global financial sector," Raskin said. "And we believe that we have crafted a set of thematic, universally applicable principles here that have the potential to transcend the financial sectors of just the G-7 countries."
