
Good Practices in Cyber Risk Regulation and Supervision


INTERNATIONAL MONETARY FUND
MONETARY AND CAPITAL MARKETS DEPARTMENT
DEPARTMENTAL PAPER

Good Practices in Cyber Risk Regulation and Supervision

Prepared by Tamas Gaidosch, Emran Islam, Tanai Khiaonarong, Rangachary Ravikumar, and Chris Wilson

Cataloging-in-Publication Data
IMF Library

Names: Gaidosch, Tamas, author. | Islam, Emran, author. | Tanai Khiaonarong, author. | Ravikumar, Rangachary, author. | Wilson, Christopher (Christopher Lindsay) | International Monetary
Title: Good practices in cyber risk regulation and supervision / Tamas Gaidosch, Emran Islam, Tanai Khiaonarong, Rangachary Ravikumar, and Chris Wilson
Other titles: International Monetary Fund. Monetary and Capital Markets department.
Description: Washington, DC : International Monetary Fund, 2026. | Includes bibliographical references.
Identifiers: ISBN: 9798229026185 (paper), 9798229029735 (ePub), 9798229029711 (WebPDF)
Subjects: LCSH: Computer security. | Computer security—Law and legislation.
Classification: LCC QA76.9.A25 G3 2026

Acknowledgments

The authors appreciate the valuable inputs from Dirk Jan Grolleman, Jay Surti, and Marina Moretti (all from IMF's Monetary and Capital Markets Department).

The Departmental Paper Series presents research by IMF staff on issues of broad regional or cross-country interest. The views expressed in this paper are those of the author(s) and do not necessarily represent

Publication orders may be placed online or through the mail:
International Monetary Fund, Publication Services
P.O. Box 92780, Washington, DC 20090, USA

Contents

Executive Summary ... v
Acronyms and Abbreviations ... vii
2. IMF Work on Cyber Risk Regulation and Supervision in the Financial Sector ... 5
   A. Cyber Risk Assessments in the FSAP ... 7
      Where Does the Cyber Risk Workstream Fit in the Overall FSAP? ... 7
3. Good Regulatory Practices ... 11
   A. The Regulation Development Process ... 11
      Success Factors of Cyber Risk Regulation Development ... 12
      Principles-Based versus Prescriptive Regulatory Approaches ... 12
   B. Key Expectations that Facilitate Effective Risk Mitigation ... 13
      Governance and Internal Controls ... 13
      Technology and Cyber Risk Management ... 14
4. Good Supervision Practices ... 18
   A. Governance and Management of Cyber Risk Supervision ... 19
      Staffing, Planning, and Resource Allocation ... 20
      Learning and Development ... 21
   B. Proportionality ... 23
      Examples ... 23
      Proportionality and Nonfinancial Risks ...