The Bank for International Settlement (BIS) Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) last week issued the first internationally agreed-upon guidance on cybersecurity for the financial industry and Financial Market Infrastructures (FMIs). “FMIs should take action immediately to implement its recommendations,” CPMI Chairman Benoît Cœuré stated in a press release accompanying the guidance document (Guidance).
The report, Guidance on cyber resilience for financial market infrastructures, is targeted primarily at systemically important payment systems, central securities depositories, securities settlement systems, central counterparties, and trade repositories. The stated purpose of the Guidance is to set global standards for preparations and measures that FMIs should undertake to enhance their “cyber resilience” and limit the vulnerabilities posed by increasingly dangerous cyber threats.
The Guidance defines “cyber resilience” as an FMI’s “ability to anticipate, withstand, contain and rapidly recover from a cyber attack.” International authorities likely will rely on it to conduct consistent and effective oversight and supervision of FMIs in the area of cyber risk.
The Guidance outlines five overall risk management categories for FMIs to address:
-
Governance: The report recommends that FMIs establish clear and transparent mechanisms for establishing, implementing, and reviewing their approach to cyber risks.
-
Identification: The report explains how FMIs must identify which systems are most critical to their business operations, and how to understand the cyber risks posed by each system.
-
Protection: The report discusses how FMIs can implement effective controls and how to design systems to prevent, limit, and contain the impact of threats to critical systems previously identified.
-
Detection: The report outlines certain monitoring and process tools FMIs can use to detect anomalies and events that indicate a potential cyber incident is occurring, with an emphasis on detecting such threats as early as possible.
-
Response and Recovery: The report recommends that all FMIs implement systems and processes to enable “safe resumption of critical operations within two hours of a disruption” for the purpose of allowing settlement of transactions by the end of the day, even in the event of an extreme cyber attack.
In addition, the Guidance discusses three “overarching components” to be incorporated into an FMI’s cyber resilience framework:
-
Testing: Once the recommendations in the categories above have been implemented, FMIs should rigorously test the effectiveness of their cyber resilience framework on an ongoing basis and identify any gaps in protection.
-
Situational Awareness: FMIs should implement processes to better understand the current cyber threat landscape, and, in turn, reassess the adequacy of their cyber risk mitigation measures as necessary.
-
Learning and Evolving: FMIs should employ systems that evolve with the constant changes to the threat landscape, and implement appropriate safeguards into their systems to combat the newest threats and vulnerabilities.
The BIS and IOSCO recommend that FMIs take immediate steps to implement the Guidance, and be prepared to meet the two-hour resumption of operations requirement within one year. As the Guidance recognizes, the setting of international standards for cybersecurity is of critical importance, as the overall health of the global financial system is increasingly dependent on interconnected financial entities. However, the Guidance also recognizes that FMIs will need to implement the recommendations in a way that is consistent with applicable laws and regulations, including U.S. financial laws and regulations, such as the Gramm-Leach-Bliley Act.