U.S. Department of the Treasury

WASHINGTON—The G7 Cyber Expert Group (CEG) – which U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure (OCCIP) co-chairs alongside the Bank of England – recently released two reports addressing ransomware and third-party risk within the financial sector. These free and publicly available resources are intended to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.  

The Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing the ransomware threat. The document is part of a series of Fundamental Elements produced by the CEG, all of which are non-prescriptive and non-binding, and provide an overview of the current policy approaches, industry guidance, and best practices in place throughout the G7. The aim of this document is for financial institutions – both public and private – to use its guidance for their own internal ransomware mitigation activities. Additionally, the collaboration between the G7 jurisdictions on producing this report highlights global efforts to promote the resilience of the financial sector. 

The CEG’s other product for 2022, The Fundamental Elements of Third-Party Risk Management for the Financial Sector, updates a previous version published in 2018. Due to the increasing use of service providers by financial institutions in central operational functions and the subsequent vulnerabilities created by this reliance, the G7 CEG deemed this update necessary to keep pace with the ever-changing cyber threat landscape. The update includes explicit recommendations for monitoring risks along the supply chain, identifying systemically important third-party providers, and concentration risks.

These reports were announced in October 2022 by Bundesbank, as part of Germany’s presidency of G7, after they were adopted by the G7 Finance Ministers and Central Bank Governors. They were published on Bundesbank’s website alongside previous Fundamental Elements on such topics as cybersecurity in the financial sector, penetration testing, and cyber exercises. 

The G7 CEG was founded in 2015 to serve as a multi-year working group that coordinates cybersecurity policy and strategy across the eight G7 jurisdictions. In addition to policy coordination, the G7 CEG also acts as a vehicle for information sharing, cooperation, and incident response.