The European Central Bank (ECB) has published a speech by Marc Bayle de Jessé, Director General Market Infrastructure and Payments, ECB. The speech is entitled ECB views on the regulation of cyber security.

In his speech Mr Jessé reminds his audience that the ECB’s Governing Council approved the Eurosystem’s cyber resilience strategy for financial market infrastructures (FMIs) in March 2017, which is intended to support the implementation of the CPMI-IOSCO guidance on cyber resilience for FMIs.

Mr Jessé explains that the cyber resilience strategy aims to develop a range of tools that can be used by the regulators and markets, to facilitate effective cyber resilience and marry regulation with actual structures, solutions and processes to implement the right actions.

Mr Jessé states that the strategy is centred on three main pillars:

  • Pillar 1: the ECB working with financial firms and FMIs to ensure they build their defences and enhance their level of cyber maturity. The ECB is developing a range of tools that can be used by FMI operators to enhance their cyber resilience maturity. One of these tools was a cyber survey, which the ECB sent out to all payment systems in the Eurosystem. Another assessment tool the ECB is developing is a European Red Team Testing Framework – a concept derived from the military practice of targeting “friendly” installations to test their security;
  • Pillar 2: strengthening the resilience of the sector, through cross-regulatory collaboration, information sharing, improved threat intelligence, close collaboration with European law enforcement agencies, market-wide exercises based on cyber-attack scenarios and a deeper understanding of third parties and the supply chain. Mr Jessé mentions that in order to strengthen the FMI sector’s cyber resilience, it is important to understand the operational interdependencies through sector mapping, fostering cross-border and cross-authority collaboration, establishing effective information-sharing and implementing market-wide business continuity exercises. Linked to this is efficient information sharing on threats among market participants, between market participants and regulators, and among regulators. Mr Jessé states that the availability of reliable data is essential to support the coordination and development of relevant policies and the ECB has established a cyber incident reporting database; and
  • Pillar 3: establishing strategic dialogue between the industry and regulators to catalyse joint initiatives and develop effective solutions. Mr Jessé states that the EU recognises the importance of establishing a forum which brings together market actors, competent authorities and cybersecurity service providers. A number of Member States are leading the way, having established formal public-private partnerships or industry associations for cybersecurity. However, there is no pan-European equivalent at present.

View ECB views on the regulation of cyber security, 21 November 2017