The paper synthesizes global experiences and key lessons in the regulation and supervision of cyber risk in the financial sector. It draws on the IMF’s financial stability surveillance and technical assistance work. It underscores the increasing frequency and complexity of cyber threats. These threats present systemic risk as financial institutions and market infrastructures become more reliant on digital technologies.
The paper delineates established good practices for effective, proportionate, and outcome-oriented regulatory frameworks. To build these, authorities need to: (1) ensure frameworks address information and communication technology and comprehensive cyber risk management; (2) establish clear governance arrangements and rigorous risk management protocols; (3) conduct systematic testing and ensure robust oversight of third-party service providers; (4) apply good supervisory practices in supervision and oversight, including offsite and onsite supervision, thematic reviews, and simulation exercises; and (5) develop strategies for sector-wide operational resilience. The findings advocate for a calibrated approach blending principles-based and prescriptive regulation, adaptable to the maturity of individual institutions. Ongoing supervisory visibility and capacity development remain essential.
By providing actionable recommendations, the paper seeks to support authorities worldwide in enhancing cyber resilience, promoting financial stability, and preserving the integrity of the digital financial ecosystem.