On 18 June 2019, the International Organisation of Securities Commissions ("IOSCO") published the final report of its Cyber Task Force ("CTF"). The purpose of this report was to identify how three prominent and internationally-recognised cyber frameworks were being used by IOSCO member jurisdictions. IOSCO currently has 224 member nations worldwide.

The three frameworks, known as Core Standards, are not used in isolation, but in combination with other cyber guidance. The frameworks are:

  • the National Institute of Standards and Technology ("NIST") Cybersecurity Framework – a voluntary risk-based framework of industry standards and best practice recommendations;
  • the Committee on Payments and Market Infrastructures ("CPMI") and IOSCO guidance on Cyber Resilience for Financial Market Infrastructures ("FMIs") – a principles-based framework, which can be applied to different sectors, not just the financial sector; and
  • the International Organisation for Standardisation ("ISO") and the International Electrotechnical Commission ("IEC") – organisations that set standards for firms to be information security certified, such as the ISO 27001 certification, if they successfully complete an audit.

The CTF found that no one Core Standard predominates around IOSCO jurisdictions. In that light, the report emphasised that it was not proposing new standards, but rather supporting and promoting the existing standards. This was based on the CTF's main findings, which were the following:

  • many IOSCO member jurisdictions consider cyber as one of the most important risks faced by regulated firms, such as financial institutions;
  • jurisdictions' domestic regulations are "generally" or "entirely" consistent with the Core Standards;
  • almost one half of respondents indicated flexibility as to which cyber standard they utilise in order to comply with domestic regulation, whether it was a Core Standard or otherwise;
  • national cyber frameworks share common elements despite jurisdictional differences; and
  • most jurisdictions have publicly declared plans to issue new regulation, guidance, or practices.

In conclusion, the CTF noted that, although the findings generate a positive picture in relation to regulated firms' readiness to confront cyber issues, there are still gaps to be filled. Since global financial markets are only as strong as their weakest link, the sector still has work to do in order to ensure that the financial sector is adequately prepared for any event that either jeopardises an information system's cyber security or violates security policies and procedures.

For further information, please see the CTF's final report.

Andrew Moir photo

Andrew Moir

Partner, Intellectual Property and Head of Cyber Security and Data, London

Related categories

Key contacts

Andrew Moir photo

Andrew Moir

Partner, Intellectual Property and Head of Cyber Security and Data, London

Andrew Moir