Element 1: Cyber Security Strategy and Framework
Establish and maintain a cyber security strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines.
Element 2: Governance
Define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cyber security strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities).
Element 3: Risk and Control Assessment
Identify functions, activities, products, and services—including interconnections, dependencies, and third parties—prioritise their relative importance, and assess their respective cyber risks. Identify and implement controls—including systems, policies, procedures, and training—to protect against and manage those risks within the tolerance set by the governing authority.
Element 4: Monitoring
Establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.
Element 5: Response
In a timely manner, (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and (d) coordinate joint response activities as needed.
Element 6: Recovery
Resume operations responsibly, while allowing for continued remediation, including by (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.
Element 7: Information Sharing
Engage in the timely sharing of reliable, actionable cyber security information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defences, limit damage, increase situational awareness, and broaden learning.
Element 8: Continuous Learning
Review the cyber security strategy and framework regularly and when events warrant—including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components—to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.