G7 FUNDAMENTAL ELEMENTS OF CYBERSECURITY
FOR THE FINANCIAL SECTOR
Increasing in sophistication, frequency, and persistence, cyber risks are growing more dangerous
and diverse, threatening to disrupt our interconnected global financial systems and the
institutions that operate and support those systems. To address these risks, the below nonbinding, high-level fundamental elements are designed for financial sector private and public
entities to tailor to their specific operational and threat landscape, role in the sector, and legal and
regulatory requirements.
The elements serve as the building blocks upon which an entity can design and implement its
cybersecurity strategy and operating framework, informed by its approach to risk management
and culture. The elements also provide steps in a dynamic process through which the entity can
systematically re-evaluate its cybersecurity strategy and framework as the operational and threat
environment evolves. Public authorities within and across jurisdictions can use the elements as
well to guide their public policy, regulatory, and supervisory efforts. Working together, informed
by these elements, private and public entities and public authorities can help bolster the overall
cybersecurity and resiliency of the international financial system.
Element 1: Cybersecurity Strategy and Framework.
Establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks
and appropriately informed by international, national, and industry standards and guidelines.
The purpose of a cybersecurity strategy and framework is to specify how to identify, manage,
and reduce cyber risks effectively in an integrated and comprehensive manner. Entities in the
financial sector should establish cybersecurity strategies and frameworks tailored to their
nature, size, complexity, risk profile, and culture. Informed by the cyber threat and vulnerability
landscape, a jurisdiction can also establish sector-wide cybersecurity strategies and frameworks
that outline how cooperation occurs between entities and public authorities in the financial
sector, with sectors upon which the financial sector depends, and with other relevant
jurisdictions.
Element 2: Governance.
Define and facilitate performance of roles and responsibilities for personnel implementing,
managing, and overseeing the effectiveness of the cybersecurity strategy and framework to
ensure accountability; and provide adequate resources, appropriate authority, and access to the
governing authority (e.g., board of directors or senior officials at public authorities).
Effective governance structures reinforce accountability by articulating clear responsibilities
and lines of reporting and escalation. Effective governance also mediates competing objectives
and fosters communication among operating units, information technology, risk, and control-related activities. Consistent with their missions and strategies, boards of directors (or similar
oversight bodies for public entities or authorities) should establish the cyber risk tolerance for
their entities and oversee the design, implementation, and effectiveness of related cybersecurity
programs.