Skip to main content
Version date: 19 October 2020 - onwards

7. Improvement

Organisations establish processes to improve CIRR activities and capabilities through lessons learnt from both proactive tools, such as CIRR exercises, tests and drills, and past cyber incidents. Lessons learnt are used in the selection and implementation of additional controls and mitigation measures, including changes to CIRR policies, plans and playbooks.

43. Industry-wide initiatives. Organisations collaborate with peers, such as in established forums, on sharing industry-wide knowledge, skill-sets, discussing cyber events and mitigation strategies against existing and potential cyber security vulnerabilities. Organisations also collaborate with authorities to promote information sharing and effective practices for the overall benefit of the industry. Their active engagement in trusted information sharing arrangements contributes to better mutual understanding of their key interdependencies in the financial system and enhances the organisation's capabilities to respond to and recover from cyber incidents.

44. Post-incident analysis. After the closure of a cyber incident, organisations analyse whether established procedures were followed and whether the actions taken were effective. This analysis may include: promptness in responding to security alerts; timeliness in determining the impact of incidents and incident severity; quality and speed in performing forensic analysis; effectiveness of incident escalation within the organisation; and effectiveness of communication (both internal and external).