Cyber Incidents: Guidelines for Response and Recovery

The BCRA has issued Communication A7266 to establish a series of guidelines on cyber incident response and recovery. According to the definition included in the lexicon published on the BCRA’s website, a cyber incident is an event relating to an information infrastructure of interactions among persons, processes, data, and information systems that jeopardizes cyber security or violates security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not.

These guidelines aim at curtailing financial stability risks and boosting the cyber resilience of the ecosystem as a whole, in line with the recommendations of the Financial Stability Board (FSB) included in the final report on Effective Practices for Cyber Incident Response and Recovery.

The guidelines provided for in Communication A7266 are the following:

Governance. The aim of governance is to define a decision-making framework for assigning the roles and responsibilities necessary to ensure the engagement of internal and external stakeholders in the presence of a cyber incident. It is also concerned with setting up a scheme to organize and manage response and recovery activities, and with fostering a culture that acknowledges, faces and appropriately handles potential cyber incidents.

Planning and preparation. This section involves preparatory activities before an incident occurs and plays a significant role in the effectiveness of response and recovery. This guideline focuses on the establishment and maintenance of planning and preparation capabilities to respond to and recover from cyber incidents, and to restore critical activities, systems and data affected by cyber incidents to resume normal operations. Plans and procedures have a key role in this section as they include the relevant criteria for determining the cases in which measures should be implemented and the way to respond to cyber incidents.

Analysis. This guideline refers to forensic analysis and the determination of the severity, impact and root cause of cyber incidents. In this regard, a taxonomy needs to be defined for classifying cyber incidents.

Mitigation. This section focuses on mitigation measures intended to prevent the aggravation of the situation and to eradicate or eliminate cyber incidents in a timely manner so that their impact on business operations and services is lessened. It contains containment, isolation and eradication measures of significant importance.

Restoration and recovery. This guideline deals with the restoration of systems and assets affected by a cyber incident and the safe recovery of the data, operations and services affected so that they resume their normal status.

Coordination and communication. This section refers to the appropriate coordination of the organization with relevant internal and external stakeholders, including authorities. Across the life cycle of a cyber incident, stakeholders must be given a response and uniform assistance on a coordinated basis, thus enhancing the cyber resilience of the system. It is important to define a communication language and frequency appropriate to the type of audience.

Continuous improvement. This guideline refers to the processes that must be implemented to improve response and recovery activities and capabilities through lessons learnt from past cyber incidents and proactive tools, such as exercises, tests, and drills.

These guidelines are aimed at financial institutions, payment service providers that offer payment accounts and financial market infrastructures. However, given the general nature of these guidelines, they may also be adopted by any institution in the financial system, as well as IT and communication service providers, among others.

As regards implementation, the stakeholders that fall under the scope of these guidelines may adopt the practices that are most suitable to the size, complexity or risk exposure of their business model in terms of the financial ecosystem. Financial institutions must keep record of the reasons underlying the implementation criteria adopted and make them available to the Superintendence of Financial and Foreign Exchange Institutions (Superintendencia de Entidades Financieras y Cambiarias, SEFyC) upon request.

April 16, 2021.
