The Group of Seven advanced economies reached an agreement for bolstering cybersecurity in the financial sector, set to be unveiled Tuesday. The deal comes against the backdrop of increasing cyberattacks against public and private targets.
While it is nonbinding, the agreement establishes a set of common strategies for fortifying financial infrastructure, combating cyberattacks and coordinating a rapid response system to mitigate their impact. The framework isn’t a formal treaty and doesn’t impose any new regulations on companies.
Rather than treating cybersecurity as a new and discrete responsibility for firms and government agencies, the guidance places it within the context of risk management—laying out the proper governance, risk-assessment and recovery mechanisms for entities defending against attacks.
The risk-focused approach could be helpful in reframing cyber issues for senior management at financial firms, said David Finn, the former head of cybercrime at Microsoft Inc.
“What could be oddly reassuring is that cyber issues should be treated like another risk management issue,” he said, noting that firms were acutely aware that they could be the next in a long line of cyberattack victims, including J.P. Morgan Chase & Co., Wells Fargo & Co. and the federal Office of Personnel Management.
“Every week that goes by and you hear about another hack, most people have the mind-set of, ‘There but for the grace of God go I,’” Mr. Finn added.
Other high-profile hacking attacks involving the Society for Worldwide Interbank Financial Telecommunication, or Swift, suggest better global coordination is needed.
Sarah Bloom Raskin, the deputy Treasury secretary who led U.S. efforts among the G-7, said it was crucial to change the conversation around cybersecurity from one focused on dueling state actors to one focused on improving defenses and infrastructure.
“The way cyber has been approached traditionally has been to immediately ask, ‘Who did it?’” Ms. Raskin said in an interview. “We instead have focused on the defensive posture and how to prepare for, protect against and respond to attacks. We also focused on having entities understand this as an issue of financial stability.”
The G-7 reached the agreement after each country took stock of the current state of its cyberdefenses. The results of that process were shared at the May G-7 meeting of finance ministers and central bankers in Japan.
Based on those findings, the group drafted the framework, a set of eight principles intended to apply to small private firms and large federal agencies alike. Ms. Raskin noted that the G-7 cyber working group would continue to meet periodically to review the agreement’s progress and discuss possible improvements and changes.
Many companies said they were happy to have a common framework for the entire financial sector as well as its supervisory agencies and provided input to the Treasury Department and the Federal Reserve as work progressed.
“The U.S. government has gone out of its way to learn from the marketplace and to share in this effort,” said Gene Ludwig, chief executive of Promontory Financial Group, a consulting firm. “This is a national-defense type of exercise, and everyone is in it.”