U.S. Department of the Treasury

ABOUT THE G7 CYBER EXPERT GROUP (CEG)

The G7 CEG was founded in 2015 to serve as a multi-year working group that coordinates cybersecurity policy and strategy across the eight G7 jurisdictions. In addition to policy coordination, the G7 CEG also acts as a vehicle for information sharing, cooperation, and incident response. 

The CEG conducts two types of workstreams, recurring and ad hoc. Recurring workstreams include annual incident response tests and quadrennial cross-border cyber exercises. Ad hoc workstreams produce reports to address specific cybersecurity topics of interest to the financial sector. All CEG workstreams seek to improve the cyber resiliency of the financial sector through preparedness, a consensus of the threat landscape, and a shared approach to mitigating risk.

The CEG Co-Chairs and Members meet four times a year – both virtually and in person – to discuss the progress of the workstreams and discuss the cyber threat landscape. The Co-Chairs report the CEG’s progress to the G7 Finance Ministers and Central Bank Governors.      

G7 CEG MEMBER ORGANIZATIONS

The following organizations are members of the G7 CEG:

• Canada
  • Bank of Canada
  • Department of Finance Canada
  • Office of the Superintendent of Financial Institutions
• France
  • Banque de France
  • Directorate General of the Treasury
  • Prudential Supervision and Resolution Authority
• Germany
  • Deutsche Bundesbank 
  • Federal Financial Supervisory Authority
  • Federal Ministry of Finance 
• Italy
  • Bank of Italy (Banca d'Italia) 
  • CONSOB (Commissione Nazionale per le Societa e la Borsa) 
  • Ministry of Economy and Finance
• Japan
  • Bank of Japan
  • Financial Services Agency 
  • Japanese Ministry of Finance 
• United Kingdom
  • Bank of England
  • Financial Conduct Authority
  • His Majesty’s Treasury 
• United States
  • Department of the Treasury
  • Federal Reserve Board of Governors
  • Securities and Exchange Commission

The following organizations are non-enumerated members of the G7 CEG:

• European Union
  • European Banking Authority
  • European Central Bank 
  • European Commission

FUNDAMENTAL ELEMENTS

Fundamental elements are free and publicly available resources produced by the CEG to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus. 

• G7 Fundamental Elements of Cybersecurity for the Financial Sector [Japanese] – 10/11/2016
  • The G7 Fundamental Elements of Cybersecurity for the Financial Sector is a high-level framework for financial sector private and public entities to tailor to their specific operational and threat landscape, role in the sector, and legal and regulatory requirements. There are eight elements to this framework: Cybersecurity Strategy and Framework; Governance; Risk and Control Assessment; Monitoring; Response; Recovery; Information Sharing; and Continuous Learning. These serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.
• G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector  [Japanese] – 10/26/2017
  • The G7 Fundamental Elements for Effective Assessment promote the effective practices outlined in the previous fundamental element by focusing on how well these practices are performed and assessed. An entity’s cybersecurity strategy and operating framework can be most impactful if they are accompanied by a set of desirable outcomes (Part A) and a process for their assessment and review (Part B). Part A describes five desirable outcomes that a mature entity would likely exhibit and that less mature entities can aim for. Part B sets out five assessment components which assessors can use to develop their approach to assessing progress as entities build and enhance their cybersecurity.
• G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector – 10/24/2018
  • The G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector considers the Third Party Cyber Risk Management Life Cycle within an individual entity and system-wide monitoring of cyber risk. Entities and third parties can use them as part of their cyber risk management toolkit. In doing so, entities should apply a proportionate approach that takes into account the size, nature, scope, complexity and potential systemic significance of cyber risks. Authorities within and across jurisdictions can use the Fundamental Elements to inform their public policy, regulatory and supervisory efforts to address third party cyber risks.
• G7 Fundamental Elements for Threat-LED Penetration Testing [French] [Japanese] – 10/24/2018
  • The G-7 Fundamental Elements for Threat-Led Penetration Testing provide entities with a guide for the assessment of their resilience against malicious cyber incidents through simulation and a guide for authorities considering the use of Threat-Led Penetration Testing within their jurisdictions. These fundamental elements are intended to complement a wider suite of cyber resilience assessment tools and techniques and are not meant to be considered as a singular approach.
• G7 Fundamental Elements of Cyber Exercise Programmes [Japanese] – 11/01/2020
  • The G-7 Fundamental Elements of Cyber Exercise Programmes are non-binding, high-level building blocks that serve as tools to guide the establishment of cyber exercise programmes with internal and external stakeholders. They may also serve as guide for establishing cyber exercise programmes across jurisdictions and sectors. Part A of this report outlines the fundamental elements for developing a multi-year exercise programme that comprises multiple exercise types and formats that build upon each other to increase the organization’s incident response and recovery posture and capabilities. Part B of this report outlines the fundamental elements for building, conducting, and assessing individual exercises within a cyber exercise programme.
• G7 Fundamental Elements of Ransomware Resilience for the Financial Sector [French] [Japanese] – 10/13/2022
  • The G7 Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing the ransomware threat. It is non-prescriptive and non-binding, and is meant to incorporate the current policy approaches, industry guidance, and best practices in place throughout the G7 member countries. While focusing primarily on private sector financial entities and their critical third party providers, this document may also be used by financial authorities for their own internal ransomware mitigation activities as well as their efforts to promote the resilience of the financial sector.
• G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector [French] [Japanese] – 10/13/2022
  • To address industry developments since 2018, the G7 CEG has revised the Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector to focus not only on the management of third-party relationships but also on ICT supply chain management. The updated Fundamental Elements stress the importance of extensive information sharing and transparency to cope with an ever-changing threat landscape. To draw attention to the increasingly important role of third parties in the financial sector, a new fundamental element (Element 7) has been added.

Press Releases

• G7 Cyber Expert Group Conducts Cross-Border Coordination Exercise in the Financial Sector
• G7 Cyber Expert Group Releases New Reports on Ransomware and Third-Party Risk – 12/05/2022