2023-01-01
The Financial System Stability Committee of Jamaica has issued ten Cyber Resilience Principles to safeguard financial stability against systemic cyber threats. These principles require regulated entities to integrate cyber risk management into business strategy, ensure board-level oversight, and implement technical controls such as defense in depth and security by design. Implementation must be proportionate to risk and complexity, fostering collaboration and information sharing across the financial sector to enhance preparedness and recovery capabilities.
FINANCIAL SYSTEM STABILITY COMMITTEE
CYBER RESILIENCE PRINCIPLES
Committee in respect of policies related to its financial system stability mandate.

1.0.4 In general, these objectives focus on policies and procedures appropriate to the strengthening and regulation of the financial system, including:
• Licensees under the Banking Services Act
• Licensees under the Insurance Act
• Licensees under the Pensions Act
• Licensees under the Securities Act

1.1 Context

1.1.1 The Financial System Stability Committee recognises that cyber resilience is essential for safeguarding financial stability. The highly interconnected nature of financial institutions and financial market infrastructures, locally and globally, means the potential impact of a cyberattack could spread beyond one financial institution and affect entire industries, sectors and the economy.

1.1.2 Cyber resilience is important because cyberattacks are no longer a matter of 'if' but 'when'. In fact, financial institutions must assume a breach has already occurred but remains undetected.[1] Rather than waiting on a cyberattack to happen, financial institutions must be cyber-resilient.

1.1.3 Resilience to cyber risk comprises the capacity to withstand cyber threats, to maintain the functioning of critical systems during a cyber incident, and the capability to restore safely and quickly after a cyber incident and emerge stronger.

1.1.4 In light of the evolving nature and scope of cyber risks, regulated entities within the financial sector must prioritize cyber resilience and a risk-based approach to strengthen cybersecurity.

1.1.5 As the first Principle points out, cyber risk is not solely an IT issue. It impacts everybody. Phishing emails and unverified telephone callers, for example, have been two of the most prolific vectors of attack, so spotting the former and verifying with whom we converse matters to everyone.

1.1.6 Dialogue about how the 10 Cyber Resilience Principles can be applied is therefore critical at all levels: from the board room to the back office and the front desk receptionist, as well as third party service providers.

1.1.7 The financial sector is a prime target for cyberattacks due to its significant economic importance and the wealth of valuable sensitive data it holds. As a result, a significant cyber incident can have far-reaching consequences, including:
• Direct financial loss
• Theft of intellectual property
• Software/data deletion or destruction
• Physical damage
• Business disruption/interruption
• Reputational loss
• Investigation/response costs
• Third-party liabilities (customers, employees, shareholders, regulators)

1.1.8 The FSSC recognizes that only collective action and partnership can meet the systemic cyber-risk challenge effectively. It is no longer sufficient just to ensure the cybersecurity of a financial institution is intact. Cyber resilience demands that financial institutions work in concert, using the Cyber Resilience Principles outlined in this document as a guide to guard themselves and mature their cyber risk management framework, cybersecurity preparedness, cyber incident response and recovery programme and overall IT operations.

1.2 Objective

1.2.1 The FSSC establishes 10 Cyber Resilience Principles for the financial sector of Jamaica to:
• enhance board oversight of cyber risks to assure a cyber-resilient financial institution.
• strengthen cybersecurity preparedness to withstand cyber threats and recover quickly from cyber incidents, thereby safeguarding financial system stability.
• foster collaboration across the financial sector with public and private stakeholders to ensure that each regulated entity supports the overall resilience of the interconnected whole.

1.3 Proportionality

1.3.1 The Cyber Resilience Principles apply to all regulated entities within the financial sector. These include banks, non-banks and financial market infrastructures such as clearing and settlement systems operating in Jamaica's National Payment System.

1.3.2 These high-level principles are aligned with relevant international standards, including principles and guidelines provided by the Bank for International Settlements (BIS), the International Organization of Securities Commissions (IOSCO) and the Financial Stability Board (FSB).

1.3.3 The extent and degree to which regulated entities and operating financial market infrastructures implement these 10 Cyber Resilience Principles should be commensurate with the level of risk and complexity of the financial services offered and the technologies supporting such services.

1.3.4 Implementation of these principles is to ensure that institutions are positioned to identify, protect, detect, respond and recover in a timely and effective manner, to assure cyber resilience for the overall financial system.

1.3.5 Focus areas are highlighted under each Principle for regulated entities to prioritize within their own context, towards the effective management of cyber risks, strengthened cybersecurity preparedness and adequately tested recoverability measures that assure high availability of critical systems.

1.4 Relevant Legislation (Jamaica and Other Jurisdictions)

1.4.1 Cybercrimes Act (2015). Provides a legal framework aimed at combating cybercrime and protecting the country's digital infrastructure.

1.4.2 Jamaica Data Protection Act (2020). Provides companies that collect, process, and store data for people in Jamaica with a set of requirements for protecting that data and maintaining the privacy of individuals.

1.4.3 GDPR (2018). Sets out data protection and privacy measures for organizations handling the personal data of EU citizens.

1.4.4 UK Data Protection Act (2018). The UK's implementation of the General Data Protection Regulation (GDPR).

1.4.5 Canada Personal Information Protection and Electronic Documents Act (PIPEDA). Sets out the rules for the collection, use, and disclosure of personal information in commercial activities.

1.4.6 Clarifying Lawful Overseas Use of Data (CLOUD) Act, 2018 of the United States. Addresses issues related to cross-border data access and law enforcement investigations, particularly in the context of cloud computing and data storage.

1.4.7 Digital Operational Resilience Act (DORA), 2022 of the European Union. Creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector.

[1] According to a 2023 study by IBM, the average time to detect and respond to a breach is 277 days.
2. Definitions

This section defines the terms Cyber Incident, Cyber Resilience, Cyber Risk, Cyber Risk Governance and Cybersecurity; the Cybersecurity entry refers to the confidentiality and availability of information systems and to authenticity, accountability, non-repudiation and reliability.
3. Cyber Resilience Principles

The 10 Cyber Resilience Principles are:
Principle 1. Not Just an IT Issue
Principle 2. Legal Basis
Principle 3. Adequate Attention on Agenda
Principle 4. Accountability with Expertise
Principle 5. Transparent, Thorough and Targeted
Principle 6. Defence in Depth
Principle 7. Need-to-know
Principle 8. Least Privilege
Principle 9. Segregation of Duties
Principle 10. Security by Design

Principle 1. Not Just an IT Issue

Ensure that the strategies and measures in a financial institution's cyber risk management framework are not restricted to securing the viability of its information technology operations alone, but also cover people, processes, data and facilities.

Focus Areas:
• Cyber Risk-Aware Culture. Foster a culture of risk awareness and responsibility throughout the organization, emphasizing the importance of identifying and mitigating cyber risks.
• Integration with Business Strategy. Align cyber risk management with the organization's business strategy, ensuring that technology initiatives across the organization support and enhance the achievement of strategic goals.
• Remote Working. As organizations shifted to remote working and non-IT departments became technology enabled, the source of technology and cyber incidents often lies outside of IT. Non-IT areas such as sales, marketing, legal, projects and other business units are key partners in promoting cybersecurity awareness, embedding cybersecurity standards in their processes and practices, and reporting cyber incidents.

Principle 2. Legal Basis

Ensure the board and management understand the legal implications of technology and cyber incidents, including data privacy, as they relate to their company's specific circumstances.

Focus Area:
• Legal and Regulatory Compliance. Ensure that cyber risk management practices comply with relevant laws, regulations, and industry standards, minimizing legal and compliance risks.

Principle 3. Adequate Attention on Agenda

Ensure due attention is given to cyber risk at the board level and allocate adequate discussion time on board meeting agendas to reduce risk exposure to direct losses, legal claims, reputational damage, ICT disruption and misuse of technology.

Focus Areas:
• Proactive Cybersecurity Strategy. Given the digital nature of cyber risks, prioritize cybersecurity as a critical component of corporate governance, develop a cybersecurity strategy, and maintain policies and protocols that cover preparedness, people, data, infrastructure, applications and service providers.
• Regular Reporting. Establish reporting mechanisms that provide regular board and management updates on the effectiveness of investments in penetration testing and vulnerability assessments (technology), cyber hygiene training and simulation tests (people), IT security control and service provider audits (process), backup capacity and testing (data), cyber incident disclosure (communications) and post-incident reviews (lessons learned), all of which enable informed decision-making.

Principle 4. Accountability with Expertise

Ensure an enterprise-wide cyber risk governance framework integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks, including staffing and budget for cybersecurity expertise, training, response and recovery.

Focus Areas:
• Clear Roles and Responsibilities. Clearly define the roles and responsibilities of key stakeholders, including the board, executives, technology leaders, and risk management teams, regarding Cyber Risk Governance.
• Training and Awareness. Provide regular training and awareness programs for employees, executives, and board members on cyber risks, promoting a well-informed and vigilant approach.

Principle 5. Transparent, Thorough and Targeted

Ensure board and management discussions about cyber resilience include high-visibility reporting on gaps in addressing cyber risks, using cyber resilience maturity models and assessments of cybersecurity effectiveness augmented by threat information sharing and penetration testing programmes.

Focus Areas:
• Transparency. Promote transparency by communicating technology governance principles and cyber risk management practices, related policies, guidelines and outcomes to stakeholders. Ensure accountability for risk management actions and decisions.
• Performance Metrics. Define key risk indicators (KRIs) and metrics to measure the effectiveness of cyber risk governance efforts. Use these metrics to guide improvements over time.
• Threat Information Sharing. Timely access to threat intelligence allows organizations to detect potential threats before they escalate into full-blown attacks. Threat information sharing through a financial-sector information sharing and analysis centre contributes to an organization's overall cyber resilience.

Principle 6. Defence in Depth

Ensure multiple layers of security controls and mechanisms exist to protect an organization's information systems and data. These layers are designed to work together to provide comprehensive security, on the assumption that no single security measure is foolproof. If one layer is breached, others should still provide protection.

Focus Area:
• Incident Response & Recovery. Develop comprehensive incident response plans that outline how the organization will respond to and recover from technology-related incidents, such as data breaches or system outages.

Principle 7. Need-to-know

Ensure access to information and resources is restricted to individuals who have a legitimate and specific need for that access to perform their job responsibilities. This limits the exposure of sensitive data to the minimum required, reducing the risk of unauthorized access or data breaches.

Focus Area:
• Risk Assessment and Mitigation. Implement a robust cyber risk assessment process that identifies, evaluates, and prioritizes technology and cyber-related risks. Develop appropriate mitigation strategies, controls, and response plans.

Principle 8. Least Privilege

Ensure users and systems are granted only the minimum level of access or permissions necessary to perform their tasks or functions. This principle limits the potential damage or misuse that could occur if users or systems were granted excessive privileges.

Focus Area:
• Continuous Permissions Right Sizing. Regularly review and adjust access controls to ensure that users have the least privilege necessary to perform their job tasks. This approach helps to reduce the risk of security breaches by limiting the access granted to sensitive data and systems.

Principle 9. Segregation of Duties

Ensure critical tasks or responsibilities are divided among different individuals or systems to prevent a single point of failure or misuse. This helps prevent conflicts of interest and reduces the risk of fraud or unauthorized actions by requiring multiple authorizations for certain actions.

Focus Area:
• Sufficient Resources. Allocate sufficient resources, including budget and expertise, for effective cyber risk management, ensuring that risks are adequately addressed.

Principle 10. Security by Design

Ensure security measures and considerations are integrated into the design and development of software, systems, and products from the outset. This prioritizes proactive security planning rather than attempting to retrofit security after the fact.

Focus Areas:
• Third-Party Management. Establish guidelines for assessing and managing cyber and IT-specific risks associated with third-party vendors and service providers. Ensure that their risk management practices align with your organization's standards.
• Privacy as the Default. Privacy should be the default in all systems and processes, where personal data is collected, processed, and retained solely for specified purposes. Users need not opt out or take action to protect their privacy; systems should proactively offer strong privacy safeguards as the default, allowing users to opt in for additional data sharing or processing.
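The access-control ideas in Principles 7, 8 and 9 (need-to-know, least privilege, segregation of duties) and the "Continuous Permissions Right Sizing" focus area under Principle 8 can be made concrete in a small authorization model. The following is an added example in Python; it is not code from the FSSC document, and the role names, permission strings, dual-control threshold, account identifiers and log entries are all constructed assumptions used to illustrate the principles.

```python
"""Added example (not part of the FSSC document): a minimal authorization
model for a payment workflow that enforces need-to-know, least privilege and
segregation of duties, plus a right-sizing report that flags permissions a
user has not exercised. All roles, permission names, accounts, thresholds
and log entries are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Principle 8 (least privilege): each role carries only the permissions its
# job function requires. Hypothetical permission names.
ROLE_PERMISSIONS = {
    "teller":     {"account:read", "transfer:initiate"},
    "supervisor": {"account:read", "transfer:approve"},
    "auditor":    {"account:read", "audit:read"},
}

# Constructed threshold above which a transfer needs a second approver.
DUAL_CONTROL_THRESHOLD = 100_000


@dataclass
class User:
    name: str
    role: str
    # Principle 7 (need-to-know): the accounts this user actually services.
    assigned_accounts: Set[str] = field(default_factory=set)


@dataclass
class Transfer:
    account: str
    amount: int
    initiator: str
    approved_by: Optional[str] = None


def has_permission(user: User, permission: str) -> bool:
    """Role-based check: unknown roles hold no permissions at all."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def can_access_account(user: User, account: str) -> bool:
    """Permission alone is not enough: the account must also be one the user
    has a specific need to see (need-to-know)."""
    return has_permission(user, "account:read") and account in user.assigned_accounts


def initiate_transfer(user: User, account: str, amount: int) -> Transfer:
    if not has_permission(user, "transfer:initiate"):
        raise PermissionError(f"{user.name} may not initiate transfers")
    if not can_access_account(user, account):
        raise PermissionError(f"{user.name} has no need-to-know for {account}")
    return Transfer(account=account, amount=amount, initiator=user.name)


def requires_dual_control(transfer: Transfer) -> bool:
    return transfer.amount >= DUAL_CONTROL_THRESHOLD


def approve_transfer(approver: User, transfer: Transfer) -> Transfer:
    """Principle 9 (segregation of duties): approval must come from a user
    holding the approve permission who is not the initiator, so no single
    person can both create and release a large payment."""
    if not has_permission(approver, "transfer:approve"):
        raise PermissionError(f"{approver.name} may not approve transfers")
    if approver.name == transfer.initiator:
        raise PermissionError("initiator cannot approve their own transfer")
    transfer.approved_by = approver.name
    return transfer


def stale_permissions(user: User, access_log: List[Tuple[str, str, str]],
                      as_of: str, max_idle_days: int = 90) -> Set[str]:
    """Continuous permissions right sizing: permissions the user's role grants
    but the user has not exercised within max_idle_days are candidates for
    removal (or for moving the user to a narrower role).
    access_log entries are (user_name, permission, ISO date) tuples."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_idle_days)
    used = {perm for who, perm, when in access_log
            if who == user.name and date.fromisoformat(when) >= cutoff}
    return ROLE_PERMISSIONS.get(user.role, set()) - used


if __name__ == "__main__":
    # Constructed walkthrough: a teller initiates, a supervisor approves.
    ann = User("ann", "teller", {"ACC-1"})
    bob = User("bob", "supervisor", {"ACC-1"})
    t = initiate_transfer(ann, "ACC-1", 250_000)
    if requires_dual_control(t):
        approve_transfer(bob, t)
    print(t)
    log = [("bob", "account:read", "2024-03-01"),
           ("bob", "transfer:approve", "2023-10-01")]
    print("stale for bob:", stale_permissions(bob, log, as_of="2024-03-15"))
```

The three checks are deliberately independent: `has_permission` answers "may this role do this at all", `can_access_account` narrows that to the records the person actually services, and `approve_transfer` refuses the initiator regardless of role, which is the segregation-of-duties control the principle describes. The right-sizing report is the review step the Principle 8 focus area asks for; in practice the access log would come from the institution's own audit trail rather than the constructed tuples shown here.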
4. Conclusion

The Financial System Stability Committee recognises that cyber resilience is essential for safeguarding financial stability. The highly interconnected nature of financial institutions and financial market infrastructures, locally and globally, means the potential impact of a cyberattack could spread beyond one financial institution and affect entire industries, sectors and economies.

The FSSC introduces ten (10) guiding principles for the financial sector to enhance board oversight of cyber risks and strengthen its capacity and capabilities to withstand and recover quickly from cyberattacks. It is also the intention for these principles to encourage information sharing across the sector on cyber threats, improving overall cyber resilience towards safeguarding financial system stability.

The 10 Cyber Resilience Principles are:
Principle 1. Not Just an IT Issue
Principle 2. Legal Basis
Principle 3. Adequate Attention on Agenda
Principle 4. Accountability with Expertise
Principle 5. Transparent, Thorough and Targeted
Principle 6. Defence in Depth
Principle 7. Need-to-know
Principle 8. Least Privilege
Principle 9. Segregation of Duties
Principle 10. Security by Design

The extent and degree to which financial institutions implement these 10 Cyber Resilience Principles should be commensurate with the level of risk and complexity of the financial services offered and the technologies supporting such services.