The International Monetary Fund (IMF) has released a Monetary and Capital Markets Department paper setting out “good practices” for cyber risk regulation, supervision, and oversight of financial institutions and financial market infrastructures. Drawing on the IMF’s cyber risk work program since 2017, the paper frames cyber risk as a growing macrofinancial concern and provides practical guidance for authorities on building expectations and supervisory approaches that strengthen sector-wide cyber resilience.

The paper recommends integrating information and communication technology (ICT) and cyber-risk-management requirements into a coherent technology-risk-management framework, balancing principles-based and prescriptive elements based on sector maturity, and applying proportionality by firm size, complexity, and systemic importance. It highlights the expectations and tools seen as most impactful, including clearer governance and internal control requirements, structured offsite and onsite supervision with rigorous follow-up, cybersecurity testing regimes (including threat-led penetration testing for systemic entities), sectoral cyber simulation exercises, and stronger third-party technology service provider risk management, including the potential need to bring critical providers under an oversight framework.

The paper also situates these practices in the IMF’s Financial Sector Assessment Program (FSAP) and technical assistance work, and notes that expanding FSAP cyber assessments beyond policy and supervisory frameworks into other pillars would depend on better data availability and improved quantitative techniques.
International Monetary Fund 2026-01-05
International Monetary Fund publishes good practices for cyber risk regulation and supervision in the financial sector
The IMF's Monetary and Capital Markets Department released a paper on "good practices" for cyber risk regulation in financial institutions, emphasizing integrating ICT and cyber-risk management. It recommends balancing principles-based and prescriptive elements, applying proportionality by firm size and systemic importance, and highlights tools like governance requirements, cybersecurity testing, and third-party risk management.