On October 13, 2017, the Group of Seven countries, including Canada, the United Kingdom and the United States (the “G-7”), issued a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector (the “G7FEA”) to provide guidance for effective cybersecurity assessments by financial sector organizations. The G7FEA supplements the G-7’s 2016 report titled G7 Fundamental Elements of Cybersecurity for the Financial Sector (the “G7FEC”). The guidance is useful for organizations of all kinds and sizes.
G-7 Fundamental Elements of Cybersecurity
The G7FEC describes the following basic building blocks for the design and implementation of a cybersecurity strategy and operating framework for financial sector organizations: (1) strategy and framework; (2) governance; (3) risk and control assessment; (4) monitoring; (5) response; (6) recovery; (7) information sharing; and (8) continuous learning. For more information, see BLG bulletin Cyber Risk Management – G7 Cybersecurity Guidelines for the Financial Sector.
G-7 Fundamental Elements for Effective Assessment
The G7FEA is designed to promote the cybersecurity practices outlined in the G7FEC by specifying desirable cybersecurity outcomes and components of effective cybersecurity assessments.
The desirable outcomes are the following broad, demonstrable characteristics of a mature cybersecurity program: (1) the Fundamental Elements are in place; (2) cybersecurity influences organizational decision-making; (3) there is an understanding that disruption will occur; (4) an adaptive cybersecurity approach is adopted; and (5) there is a culture that drives secure behaviors.
The assessment components are designed to promote the quality of cybersecurity assessments and facilitate continuous improvement. The components are as follows: (1) establish clear assessment objectives; (2) set and communicate methodology and expectations; (3) maintain a diverse toolkit and process for tool selection; (4) report clear findings and concrete remedial actions; and (5) ensure assessments are reliable and fair.
Comment
The G7FEA is generally consistent with cyber risk management guidance issued by Canadian government agencies, regulators and self-regulatory organizations. For example, see Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guidance; Investment Industry Regulatory Organization of Canada Cybersecurity Best Practices Guide for IIROC Dealer Members and Cyber Incident Management Planning Guide for IIROC Dealer Members; and Securing Personal Information: A Self-Assessment Tool for Organizations, published jointly by the Privacy Commissioners of Canada, British Columbia and Alberta.
An organization’s assessment of its cybersecurity maturity may result in the creation of sensitive communications and documents that may be subject to disclosure in connection with contractual audits, regulatory investigations and proceedings and civil lawsuits, unless the communications and documents are protected by legal privilege. For those reasons, organizations should consider implementing a legal privilege strategy designed to establish legal privilege over communications and documents made in the course of cybersecurity assessments. For more information, see BLG bulletins Cyber Risk Management – Legal Privilege Strategy (Part 1), Cyber Risk Management – Legal Privilege Strategy (Part 2) and Legal Privilege for Data Security Incident Investigation Reports.