Guidelines on Cyber Security

Financial services provided through digital channels continue expanding, requiring new technologies and increased interconnection among the participants of the financial system.

This poses challenges to all participants in the financial ecosystem, such as financial institutions, network operators, clearing houses, third-party service providers, and fintechs, irrespective of whether they are subject to BCRA regulation or not. Therefore, planning is essential to face the risks derived from digital expansion.

The following guidelines seek to help organizations establish cyber security and cyber resilience and include them in their strategic planning.

BCRA's guidelines on cyber security:

-Cyber security strategy and framework: A strategy and a framework will serve to identify, manage and effectively reduce cyber risks in a comprehensive manner. Financial institutions, third parties and the rest of the financial sector should develop a cyber security strategy and framework tailored to their size, complexity, risk profile and culture, taking into account current threats and vulnerabilities.

-Governance: The organization's governing authority is responsible for the strategy. It is necessary to have clearly defined structures, roles, and responsibilities to handle this issue, and to take preventive measures in each project. It is also advisable to encourage communication among business units, IT, risk and fraud areas, and those areas responsible for control according to their missions and responsibilities.

-Risk and control assessment: It is necessary to analyze the risk posed by natural persons, processes, technology, and any underlying data of the financial institution itself, and to assess the latter's own risks from its functions, activities, channels, products and services. Control assessments should consider the cyber risks that the financial institution faces or presents to the ecosystem, such as service providers, government bodies, financial service users and other organizations with which it may interact.

-Monitoring: The monitoring process should help to maintain risks at a level that is acceptable to the organization's governing body, and to enhance efficiency or overcome any weakness. Testing, cyber exercising and auditing protocols are essential. Depending on the nature of an institution or organization, and its risk profile and control environment, control testing and auditing functions should be reasonably independent from those carried out by personnel responsible for implementing the cyber security program.

-Response: As part of the risk and control assessments, financial institutions should implement incident response processes and other controls to streamline timely and appropriate response. These controls should clearly address decision-making responsibilities, define escalation procedures, and establish processes for communicating with the internal and external parties involved. Exercising and protocols within and among financial institutions or organizations belonging to the ecosystem are encouraged. Exercising also enables financial institutions and authorities to pinpoint any situation that may affect participants' ability to maintain acceptable levels of services, critical functions and activities, and of any other activities that may affect the financial system.

-Recovery: Once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritization of critical functions and in accordance with objectives set by the authorities responsible for the financial institution or organization. Trust and confidence in the financial sector improve significantly when financial institutions or organizations and authorities have the ability to assist each other in the resumption and recovery of critical functions, processes, and activities. Establishing and testing contingency plans for essential activities and processes can contribute to a faster and more effective recovery.

-Information sharing: Sharing technical information, such as threat indicators, frauds or how vulnerabilities are being exploited, allows financial institutions to remain up-to-date in their defenses and learn about the most widespread methods used by attackers. This facilitates collective understanding of how attackers may exploit sector-wide vulnerabilities, disrupt critical economic functions and even endanger financial stability. Given its importance, financial institutions, organizations, and authorities will identify and address impediments to information sharing.

-Continuous learning: Threats and vulnerabilities in the cyber ecosystem change at a fast pace, and so do good practices and technical standards. The composition of the financial sector also changes over time as new products and services emerge, and third-party service providers are trusted to a larger extent. Cyber security strategies and frameworks need to be regularly reviewed and updated to address changes in control environments and threats, enhance users' awareness and allocate resources effectively.

Implementation should rely on the organization's characteristic features, risk profiles and business impact analysis (BIA), as applicable. These guidelines are expected to be adopted by all institutions subject to BCRA's regulation in order to build a financial ecosystem committed to cyber security.

In addition to these principles, the BCRA has uploaded the Cyber Lexicon, a document containing definitions so that everyone involved in the cyber security process may share the same language.