Departmental Papers

Tamas Gaidosch, Emran Islam, Tanai Khiaonarong, Rangachary Ravikumar, and Christopher Wilson. "Good Practices in Cyber Risk Regulation and Supervision", Departmental Papers 2026, 001 (2026), accessed 1/7/2026, https://doi.org/10.5089/9798229026185.087

Summary

The paper synthesizes global experiences and key lessons in the regulation and supervision of cyber risk in the financial sector. It draws on the IMF’s financial stability surveillance and technical assistance work. It underscores the increasing frequency and complexity of cyber threats. These threats present systemic risk as financial institutions and market infrastructures become more reliant on digital technologies.

The paper delineates established good practices for effective, proportionate, and outcome-oriented regulatory frameworks. To build these, authorities need to: (1) ensure frameworks address information and communication technology and comprehensive cyber risk management; (2) establish clear governance arrangements and rigorous risk management protocols; (3) conduct systematic testing and ensure robust oversight of third-party service providers; (4) apply good practices in supervision and oversight, including offsite and onsite supervision, thematic reviews, and simulation exercises; and (5) develop strategies for sector-wide operational resilience. The findings advocate for a calibrated approach blending principles-based and prescriptive regulation, adaptable to the maturity of individual institutions. Ongoing supervisory visibility and capacity development remain essential.

By providing actionable recommendations, the paper seeks to support authorities worldwide in enhancing cyber resilience, promoting financial stability, and preserving the integrity of the digital financial ecosystem.

Subject: Cyber risk, Economic sectors, Financial sector, Financial sector policy and analysis, Financial sector stability, Technology

Keywords: crisis exercise, cyber, cyber resilience, cyber risk, cyber risk oversight, cyber risk regulation, cyber risk supervision, cybersecurity testing, Financial sector, Financial sector stability, financial stability assessment program, financial system, fmi supervision, Global, good practices, oversight authorities, technical assistance