On October 19, 2020, the Financial Stability Board (FSB) published its Final Report on Effective Practices for Cyber Incident Response and Recovery (CIRR).
The toolkit was developed to provide financial institutions with a set of effective practices (49 in total) for responding to and recovering from a cyber incident, so as to limit any related financial stability risks.
The toolkit focuses on matters such as:
Governance: (i) inclusion of the CIRR governance structure in the organisation-wide governance framework, (ii) clear definition of roles and responsibilities related to CIRR activities, (iii) identification of an individual or a team to coordinate actions and communications related to a cyber incident, (iv) establishment of metrics to measure the impact of a cyber incident and to report the performance of CIRR activities to management ...
Planning and preparation: through, among other things, the establishment and maintenance of policies, plans, playbooks and communication strategies that help organisations respond to cyber incidents and recover and restore affected critical activities, systems and data to normal operations. Organisations' plans and playbooks should include severe but plausible cyber scenarios and stress tests. Depending on their size, complexity and risks, organisations can operate a 24x7 SOC to detect, identify, investigate and respond to cyber incidents that could impact the organisation's infrastructure, services and customers.
Analysis: including organisations' use of (i) a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and (ii) a pre-established severity assessment framework that takes into account the criticality of systems or services to help gauge the severity of the cyber incident.
Mitigation: through containment measures, business continuity measures, isolation (options for isolation include disconnecting the compromised systems from the network), or eradication measures.
Restoration and recovery: comprising the ability of organisations to restore data, including data maintained at third-party service providers, to meet business operations or service requirements.
Coordination and communication: through timely escalation to relevant stakeholders and cyber incident reporting to relevant authorities. Organisations can also engage the media using a pre-defined communications strategy and cross-functional communication team formed by representatives from functions such as affected business lines, legal, technology and cyber security as well as the incident coordinator.
Improvement: including through post-incident analysis and industry-wide initiatives that enable organisations to share lessons learnt with their peers.
Although it is not intended to create an international standard and is not a prescriptive recommendation, the toolkit will be mainly relevant to and useful for smaller organisations that are looking to strengthen their cyber resilience.
More details on the report can be found here.