FAQ: What are the International Cybersecurity Principles?

A consortium of financial services associations is calling for international cybersecurity standards to help avoid conflicting compliance mandates across global markets.

In response to what they say is a lack of international cybersecurity guidelines, several global financial organizations have banded together to push for synchronized global cybersecurity policies. To begin the initiative, the groups have outlined a set of broad principles for mitigating cyber risks associated with the infrastructure at international financial services firms.

In a paper titled "International CyberSecurity, Data and Technology Principles," the group calls on national policymakers, businesses and other stakeholders to find common ground when setting new cybersecurity standards and regulations. The group's goal is to discourage the use of unique, localized approaches to cybersecurity, as well as avoid prescriptive technologies and strict limits on data flows.

This FAQ is part of SearchCompliance's IT Compliance FAQ series.

Who is behind the "International CyberSecurity, Data and Technology Principles," and what issues are the paper's sponsors most concerned with?

Three international financial associations -- the European Banking Federation (EBF), the International Swaps and Derivatives Association (ISDA), and the Global Financial Markets Association (GFMA) -- together published the "International Cybersecurity, Data and Technology Principles." The GFMA alone is made up of three organizations: the Securities Industry and Financial Markets Association (SIFMA), the Asia Securities Industry and Financial Markets Association (ASIFMA) and the Association for Financial Markets in Europe (AFME).

The financial associations that sponsored the paper are concerned that in the absence of globally accepted principles, cybersecurity mandates will proliferate into a patchwork of regulations that force international companies to comply with conflicting rules in different markets. The groups caution that because cybersecurity challenges are intrinsically global, policymakers and interested parties need to work together on an international basis. Without a global cybersecurity policy framework, the group is concerned that businesses may be forced to fragment their technology systems and expose themselves to increased cyber risks.

What international cybersecurity strategies does the paper advocate?

The paper emphasizes the importance of openness and transparency during cybersecurity policy development and implementation. It also notes that cybersecurity risks and threats evolve rapidly, which makes it difficult to develop adequate cybersecurity standards and policies. The paper suggests that regulations should not focus on checklist compliance and enforcement; instead, companies should continue to perform their own risk assessments to decide which technology is best suited to their business needs.

In addition, the paper's authors say that policies should not specify technology requirements and regulators should avoid conducting detailed technical reviews. Instead, they recommend policymakers focus on ensuring that companies have sufficient cybersecurity resources in place, including appropriate processes, technologies and personnel.

How fragmented are cybersecurity standards and policies today?

In April 2016, the International Organization of Securities Commissions (IOSCO) published a paper providing an overview of various regulatory approaches to cybersecurity around the world. The paper, titled "Cyber Security in Securities Markets -- An International Perspective," notes that some regulators focus on specific policies and procedures, while others take a more principles-based approach. The paper also notes that regulators have begun performing specific examinations that could result in a growing number of investment managers being sanctioned for inadequate cybersecurity practices.

For trading venues, regulatory scrutiny has grown as threats have become more dangerous and more palpable. Although financial services firms are generally required to have appropriate risk management systems and protections for electronic trading, oversight methods differ from one country to another. In Australia, for example, there is regulatory guidance for preventive measures against cyberattacks. In Canada, there are requirements for controls on systems that support trade reporting, trade clearing, order entry, order routing and data feeds. In Hong Kong, major trading venues are asked to turn in periodic data on monitoring of attacks.

There are also a wide variety of regulatory bodies around the world that monitor compliance with electronic trading mandates. The Malaysia Securities Commission, for example, monitors trading venues' compliance with regulatory requirements as part of its general oversight. In Mexico, the National Banking and Securities Commission has a team that specializes in trading venue supervision.

What specific standards and policies do the principles address, and what are the next steps in the push for global cybersecurity policy?

The paper proposes 11 broad principles to guide international cybersecurity policy. In addition, the paper specifically refers to standards and policies for encryption, source code disclosure and intellectual property licensing, all of which become problematic when regulations are inconsistent from jurisdiction to jurisdiction. Rather than allowing local encryption standards to conflict with international encryption practices, internationally accepted approaches to encryption should be applied to minimize inconsistencies for businesses, the paper's sponsors urge.

The principles outlined in the paper are presented as "foundational principles" that the sponsors state are a starting point for guiding policy in the areas of cybersecurity, data and technology. The sponsors emphasize that they "are mainly a means to establish a conversation" and that they will be circulated broadly. The paper was also submitted to two international standard-setting bodies for guidance: the Financial Stability Board and the International Organization of Securities Commissions.
