Market infrastructures must work with tech firms to combat cyber-threats
Financial market infrastructures must work with the “broader ecosystem” to improve the resilience of the international financial system in the face of “inevitable” cyber-attacks.
The latest guidance document from the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions – Guidance on cyber resilience for financial market infrastructures – looks to instil international consistency in efforts to enhance FMIs’ ability to pre-empt cyber-attacks, respond rapidly and effectively to them, and achieve faster and safer target recovery objectives if they succeed. It provides authorities with “a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs in the area of cyber-risk”.
According to the report, overall cyber resilience is dependent not only on the resilience of a single FMI, but also on that of interconnected FMIs, of service providers and of the participants … authorities and FMIs may need to call upon technology companies and other firms to help identify and develop efficient and effective solutions”.
Greg Medcraft, chairman of IOSCO said: “Cyber resilience cannot be achieved by individual institutions alone in our highly interconnected financial sector. The broader ecosystem needs to work in unison. The guidance calls upon the ecosystem to do just that. We hope to collaborate with all stakeholders to meaningfully enhance the cyber resilience of our financial system as we refine these proposals and later implement them.”
Key concepts of the guidance include:
- Board and senior management attention is critical to a successful cyber-resilience strategy.
- The ability to resume operations quickly and safely after a successful cyber-attack is paramount.
- FMIs should make use of good-quality threat intelligence and rigorous testing.
- Cyber-resilience requires a process of continuous improvements.
“This is an important report because cyber-attacks in the financial sector have the potential to create widespread financial instability,” said Benoît Cœuré, chairman of the CPMI. “Nobody should assume they will be able to prevent cyber-attacks in all circumstances. Therefore, the Cyber Guidance addresses the need for an FMI to resume its operations quickly and safely after an attack has occurred. This is not an easy task and may require innovative thinking that goes beyond the traditional approaches to operational resilience.”
The consultative report is available on the websites of the Bank for International Settlements (www.bis.org) and IOSCO (www.iosco.org). Comments should be emailed to both the CPMI Secretariat (firstname.lastname@example.org) and the IOSCO Secretariat (email@example.com) by 23 February 2016.