
MONETARY AND CAPITAL MARKETS DEPARTMENT
DEPARTMENTAL PAPER

Good Practices in Cyber Risk Regulation and Supervision

Prepared by Tamas Gaidosch, Emran Islam, Tanai Khiaonarong, Rangachary Ravikumar, and Chris Wilson

INTERNATIONAL MONETARY FUND

Cataloging-in-Publication Data
IMF Library

Names: Gaidosch, Tamas, author. | Islam, Emran, author. | Tanai Khiaonarong, author. | Ravikumar, Rangachary, author. | Wilson, Christopher (Christopher Lindsay) | International Monetary Fund, publisher.
Title: Good practices in cyber risk regulation and supervision / Tamas Gaidosch, Emran Islam, Tanai Khiaonarong, Rangachary Ravikumar, and Chris Wilson
Other titles: International Monetary Fund. Monetary and Capital Markets department.
Description: Washington, DC : International Monetary Fund, 2026. | Includes bibliographical references.
Identifiers: ISBN:
Subjects: LCSH: Computer security. | Computer security—Law and legislation.
Classification: LCC QA76.9.A25 G3 2026

Acknowledgments

The authors appreciate the valuable inputs from Dirk Jan Grolleman, Jay Surti, and Marina Moretti (all from IMF's Monetary and Capital Markets Department).

The Departmental Paper Series presents research by IMF staff on issues of broad regional or cross-country interest. The views expressed in this paper are those of the author(s) and do not necessarily represent the views of the IMF, its Executive Board, or IMF management.

Publication orders may be placed online or through the mail:
International Monetary Fund, Publication Services
P.O. Box 92780, Washington, DC 20090, USA
T. +(1) 202.623.7430
publications@IMF.org
IMFbookstore.org
elibrary.IMF.org

Contents

Executive Summary ... v
Acronyms and Abbreviations ... vii
   A. Key Concepts ... 1
   B. Evolution of the Threat Landscape ... 2
   C. Why Is Cyber Risk Important? ... 3
2. IMF Work on Cyber Risk Regulation and Supervision in the Financial Sector ... 5
   A. Cyber Risk Assessments in the FSAP ... 7
      Where Does the Cyber Risk Workstream Fit in the Overall FSAP? ... 7
   B. Cyber Risk Technical Assistance ... 8
3. Good Regulatory Practices ... 11
   A. The Regulation Development Process ... 11
      Success Factors of Cyber Risk Regulation Development ... 12
      Principles-Based versus Prescriptive Regulatory Approaches ... 12
   B. Key Expectations that Facilitate Effective Risk Mitigation ... 13
      Governance and Internal Controls ... 13
      Technology and Cyber Risk Management ... 14
      ICT Service Management ... 14
      Cybersecurity Operations ...