The G7 Cyber Expert Group is a multi-year working group that coordinates cybersecurity policy and strategy across the eight G7 jurisdictions. The Bank of England and the Department of Treasury are the co-chairs of this working group.
ABOUT THE G7 CYBER EXPERT GROUP (CEG)
The G7 CEG was founded in 2015 to serve as a multi-year working group that coordinates cybersecurity policy and strategy across the eight G7 jurisdictions. In addition to policy coordination, the G7 CEG also acts as a vehicle for information sharing, cooperation, and incident response.
The CEG conducts two types of workstreams, recurring and ad hoc. Recurring workstreams include annual incident response tests and quadrennial cross-border cyber exercises. Ad hoc workstreams produce reports to address specific cybersecurity topics of interest to the financial sector. All CEG workstreams seek to improve the cyber resiliency of the financial sector through preparedness, a consensus of the threat landscape, and a shared approach to mitigating risk.
The CEG Co-Chairs and Members meet four times a year – both virtually and in person – to discuss the progress of the workstreams and discuss the cyber threat landscape. The Co-Chairs report the CEG’s progress to the G7 Finance Ministers and Central Bank Governors.
G7 CEG MEMBER ORGANIZATIONS
The following organizations are members of the G7 CEG:
- Canada
- France
- Germany
- Italy
- Japan
- United Kingdom
- United States
The following organizations are non-enumerated members of the G7 CEG:
FUNDAMENTAL ELEMENTS
Fundamental elements are free and publicly available resources produced by the CEG to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.
- G7 Statement on Planning for the Opportunities and Risks of Quantum Computing – 9/25/2024
- The G7 Statement on Planning for the Opportunities and Risks of Quantum Computing advises G7 Finance Ministers and Central Bank Governors on cybersecurity policy matters of importance for the security and resilience of the financial system. The G7 CEG has identified quantum computing as an area of both potential benefit and risk to the financial system. The CEG encourages jurisdictions to monitor developments in quantum computing, to promote collaboration among relevant public and private stakeholders, and to begin planning for the potential risks posed by quantum computing on some current encryption methods.
- Frequently Asked Questions on Financial Sector Risks from Quantum Computing – 9/25/2024
- G7 Fundamental Elements of Cybersecurity for the Financial Sector [Japanese] – 10/11/2016
- The G7 Fundamental Elements of Cybersecurity for the Financial Sector is a high-level framework for financial sector private and public entities to tailor to their specific operational and threat landscape, role in the sector, and legal and regulatory requirements. There are eight elements to this framework: Cybersecurity Strategy and Framework; Governance; Risk and Control Assessment; Monitoring; Response; Recovery; Information Sharing; and Continuous Learning. These serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.
- G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector [Japanese] – 10/26/2017
- The G7 Fundamental Elements for Effective Assessment promote the effective practices outlined in the previous fundamental element by focusing on how well these practices are performed and assessed. An entity’s cybersecurity strategy and operating framework can be most impactful if they are accompanied by a set of desirable outcomes (Part A) and a process for their assessment and review (Part B). Part A describes five desirable outcomes that a mature entity would likely exhibit and that less mature entities can aim for. Part B sets out five assessment components which assessors can use to develop their approach to assessing progress as entities build and enhance their cybersecurity.
- G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector – 10/24/2018
- The G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector considers the Third Party Cyber Risk Management Life Cycle within an individual entity and system-wide monitoring of cyber risk. Entities and third parties can use them as part of their cyber risk management toolkit. In doing so, entities should apply a proportionate approach that takes into account the size, nature, scope, complexity and potential systemic significance of cyber risks. Authorities within and across jurisdictions can use the Fundamental Elements to inform their public policy, regulatory and supervisory efforts to address third party cyber risks.
- G7 Fundamental Elements for Threat-LED Penetration Testing [French] [Japanese] – 10/24/2018
- The G-7 Fundamental Elements for Threat-Led Penetration Testing provide entities with a guide for the assessment of their resilience against malicious cyber incidents through simulation and a guide for authorities considering the use of Threat-Led Penetration Testing within their jurisdictions. These fundamental elements are intended to complement a wider suite of cyber resilience assessment tools and techniques and are not meant to be considered as a singular approach.
- G7 Fundamental Elements of Cyber Exercise Programmes [Japanese] – 11/01/2020
- The G-7 Fundamental Elements of Cyber Exercise Programmes are non-binding, high-level building blocks that serve as tools to guide the establishment of cyber exercise programmes with internal and external stakeholders. They may also serve as guide for establishing cyber exercise programmes across jurisdictions and sectors. Part A of this report outlines the fundamental elements for developing a multi-year exercise programme that comprises multiple exercise types and formats that build upon each other to increase the organization’s incident response and recovery posture and capabilities. Part B of this report outlines the fundamental elements for building, conducting, and assessing individual exercises within a cyber exercise programme.
- G7 Fundamental Elements of Ransomware Resilience for the Financial Sector [French] [Japanese] – 10/13/2022
- The G7 Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing the ransomware threat. It is non-prescriptive and non-binding, and is meant to incorporate the current policy approaches, industry guidance, and best practices in place throughout the G7 member countries. While focusing primarily on private sector financial entities and their critical third party providers, this document may also be used by financial authorities for their own internal ransomware mitigation activities as well as their efforts to promote the resilience of the financial sector.
- G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector [French] [Japanese] – 10/13/2022
- To address industry developments since 2018, the G7 CEG has revised the Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector to focus not only on the management of third-party relationships but also on ICT supply chain management. The updated Fundamental Elements stress the importance of extensive information sharing and transparency to cope with an ever-changing threat landscape. To draw attention to the increasingly important role of third parties in the financial sector, a new fundamental element (Element 7) has been added.
Press Releases
- G7 Cyber Expert Group Recommends Action to Combat Financial Sector Risks from Quantum Computing – 9/25/2024
- G7 Cyber Expert Group Conducts Cross-Border Coordination Exercise in the Financial Sector [Japanese]
- G7 Cyber Expert Group Releases New Reports on Ransomware and Third-Party Risk – 12/05/2022