While Basel III is an international regulatory accord that primarily aims to improve regulation, supervision, and financial risk management within the global banking sector, the publication also carries cybersecurity implications as it attempts to standardize the cyber-intensive operations of all internationally active banks.
The main requirements of the accord are financially focused and set standards for the leverage ratios, reserve capital, and reserve buffers banks possess throughout their investment lifecycle. However, the publication also indirectly empowers financial institutions to maintain robust cyber resilience by providing capital-based incentives to organizations that prioritize cyber hygiene and install adequate data security controls.
The Switzerland-based Basel Committee on Banking Supervision (BCBS) started laying the foundation for improved banking procedures in 1975 with the publication of the Basel Concordat and then introduced the Basel Accords in 1988. The committee resides in the Switzerland-based Bank for International Settlements (BIS) and includes central banks from 28 countries, including the United States Federal Reserve, the Bank of England, and the Bank of Canada.
Basel III Standards
With the publication of Basel III, the Basel Committee aimed to address several banking issues, prominently in response to the financial crisis of 2007-2008.
Basel III builds upon the standards set forth by Basel I and Basel II to improve the banking system’s ability to cope with rapid financial system fluctuations, improve risk management, and promote transparency.
The BCBS organizes the standards and requirements imposed by Basel III into four sections:
- Capital requirements,
- Liquidity requirements,
- Capital buffers, and
- Cybersecurity standards
While this article will touch upon all four pillars of the publication in some capacity, its primary focus will be on the cybersecurity standards and incentives Basel III carries. For a complete breakdown of the capital, liquidity, and buffer requirements the publication sets, visit the Bank for International Settlements’ webpage on Basel III.
The Cybersecurity Standards of Basel III
The cyber-intensive daily operations of the international financial sector often expose banks and other financial institutions to severe cyber threats. The cybersecurity standards set by Basel III aim to strengthen the banking industry’s collective cyber resilience and facilitate a culture of healthy cyber hygiene.
Since the release of Basel III, the BCBS has also released several newsletters and press releases to promote cybersecurity best practices. In 2021, the BCBS released two notable documents related to cyber resilience: Principles for the Sound Management of Operational Risk (PSMOR) and the Principles for Operational Resilience (POR).
By publishing these secondary documents alongside Basel III, the BCBS has continued to communicate standards for the following three cybersecurity principles:
- Information and communication technology (ICT),
- Cyber incident response and reporting, and
- Third-party risk management (TPRM)
The BCBS has also incentivized financial institutions to adopt more robust cybersecurity frameworks by including the resilience of a bank’s operational controls in the bank’s overall risk exposure calculation.
Since Basel III’s capital, liquidity, and buffer initiatives depend on a bank’s overall risk exposure, the publication incentivizes banks to maintain cybersecurity best practices to avoid stricter financial requirements. In other words, Basel III empowers banks to safeguard personal data and strengthen their operational resilience through capital-based rewards.
Information and Communication Technology (ICT)
ICT security measures are essential to ensure information confidentiality and protect sensitive data from unauthorized use. Most effective ICT security systems include three fundamental operations:
- Monitor and control access to confidential information,
- Ensure data is transmitted safely and securely, and
- Maintain secure data storage and safely dispose of data
BCBS's POR states that banks should maintain a documented ICT policy that outlines the organization’s oversight requirements, risk ownership, ICT security measures, incident response plans, and business continuity and disaster recovery plans.
In addition, the BCBS communicates that banks should identify their critical information assets and the critical infrastructures (including any cloud services) they depend on. The BCBS also mentions that banks should continually monitor their attack surfaces to assess the ongoing strength of their ICT systems.
Cyber Incident Response Plans and Recovery
A cyber incident response plan outlines the steps organization personnel should take during a data breach or other cyber attack. Organizations that maintain a comprehensive incident response plan are typically better equipped to deal with cyber threats and mitigate the damage an information security breach can cause to their reputation, daily operations, and market infrastructures.
The BCBS requests that banks develop aggressive security requirements and frameworks for rapid incident response and data recovery. This methodology minimizes the harm cyber disruptions and other events can cause to business continuity or consumer activities.
The Basel Committee references the Financial Stability Board’s (FSB) Effective Practices for Cyber Incident Response and Recovery released in 2020 to provide banks context into the exact standards it is imposing.
The report provides an incident response toolkit that features 49 best practices across the following seven components:
- Planning and preparation
- Restoration and recovery
- Coordination and communication
Third-Party Risk Management (TPRM)
Third-party risk management (TPRM) is the process organizations use to identify, assess, and mitigate risks associated with their vendors and third-party suppliers. There are several types of third-party risks, including financial, reputational, operational, legal, and cybersecurity risks.
The BCBS suggests banks construct and maintain rigid TPRM programs to protect their information technology and critical operations. The TPRM standards of the committee include:
- Banks should perform comprehensive risk assessments and due diligence before entering a third-party agreement,
- Banks should verify and assess the operational resilience of a third party before entering a contract,
- Banks should develop business continuity plans and install exit strategies to protect their operations in the event of a third-party failure, and
- Banks should limit the number of third-party dependencies they utilize for daily operations
Implementation of Basel III
Although the BCBS first released Basel III in December 2010, the publication has yet to take effect fully.
Several provisions of Basel III have already gone into effect in certain countries. However, newer revisions and requirements began to undergo implementation on January 1, 2023, and banks will phase in the standards over the next five years.
Basel III in the United States
In 2011, the US Federal Reserve announced its intentions to implement nearly all standards set forth by Basel III. Since then, U.S. banks have refined several internal standards while experiencing delays in implementation brought on by several factors, including the COVID-19 pandemic.
On July 27, 2023, the federal banking agencies (the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC)) announced the Basel III endgame proposal.
This proposal would replace the federal banking agencies’ risk-based capital framework and require banks to adhere to several other standards. If finalized, this proposal will include a three-year transition period beginning on July 1, 2025.
Basel III in Europe
The European Union has been busy implementing Basel III since July 2013 with its CRD IV package. This package installed most of the standards communicated by the Basel III publication, including liquidity ratios and net stable funding ratios.
Europe has also developed several other regulation packages since 2013. The European Parliament’s 2019 CRR2/CRD5 package is the most notable publication.
The UK has implemented some Basel III standards, while the Prudential Regulation Authority (PRA) published a consultation paper in November 2022 to outline how the remaining standards will be implemented.
While several challenges delayed the implementation of Basel III, the BCBS continued to refine several aspects of its work. The result of this work was Basel IV, also commonly referred to as Basel 3.1.
The revisions, some of which are highly technical, proposed by Basel 3.1 include the following:
- Improving the standardized approaches for credit risk, credit valuation adjustment (CVA) risk (derivative instruments), and operational risk introduced by previous accords
- A response to the bias of internal models that would require banks to follow the standardized approaches for calculating capital requirements set by the accords
- Introducing new leverage ratios to constrain the leverage of global systemically important banks by requiring most banks to keep additional buffers to strengthen their capital reserves
- Updating the output floor standard set forth by Basel II by requiring banks to hold regulatory capital equivalent to 72.5 percent of the amount indicated by the Basel Accords standardized model by the start of 2027
Basel III FAQs
Basel III requires banks and other financial institutions to adhere to various regulations to mitigate operational risk. These supervisory requirements include some terms and concepts outside the parameters of typical cybersecurity conversations.
The following section includes several frequently asked questions that can help clarify the scope and impact of Basel III.
Who Does Basel III Apply To?
The standards set by Basel III are minimum requirements for all internationally active banks.
What are the Capital Requirements of Basel III?
Basel III requires banks to maintain a minimum total capital ratio of eight percent of their risk-weighted assets (RWAs). This capital ratio must also comprise a minimum tier 1 capital ratio of six percent. The remaining two percent can be composed of tier 2 capital.
What are the Liquidity Requirements of Basel III?
Basel III established these liquidity-related provisions:
- Liquidity Coverage Ratio (LCR): Banks must maintain a significant reserve of high-quality liquid assets (HQLA) to safeguard their operations during substantial periods of financial stress.
- Net Stable Funding Ratio (NSFR): Banks must maintain a level of available stable funding that matches the liquidity, liability, outstanding maturities, and risk level of their assets.
What are the Capital Buffer Requirements of Basel III?
Under the capital buffer section of Basel III, banks must set aside portions of their available capital during periods of rapid economic expansion. The hope is that banks can use countercyclical capital buffers (CCyB) as an “emergency fund” during a recession or when they face the potential for significant losses.
What are High-Quality Liquid Assets (HQLA)?
High-quality liquid assets (HQLA) refer to low-risk investments that possess a high quality of credit and are quickly convertible into cash with minimal capital loss. HQLAs are essential to banking regulations and most regulatory frameworks because they allow banks to manage market risk and develop strong capital standards.
What is the Basel Committee on Banking Supervision (BCBS)?
The Basel Committee on Banking Supervision (BCBS) is the “primary global standard setter” for international banking regulations and capital frameworks. The committee resides within the Bank for International Settlements (BIS), which is based in Switzerland.
The BCBS includes 45 members from 28 financial markets around the world. Its members are prominent figures from central banks around the world.
How Can UpGuard Help?
UpGuard can help financial institutions and their security teams manage their attack surface, mitigate third-party risk, achieve regulatory compliance, prevent data leaks, and install continuous monitoring across their supply chain.
The standards set by Basel III impact all areas of a financial institution’s operation, including its third-party risk management programs and vendor risk strategies. Since the financial initiatives of Basel III consider risks affecting an institution’s reputation, operation, and data, managing known vulnerabilities is essential in any financial institution’s Basel transition.