On 29 November 2022, the Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO) published a report, ‘Implementation monitoring of the Principles of financial marketing infrastructures (PFMI): level 3 assessment on financial market infrastructures’ cyber resilience’.

In April 2012, the CPMI and IOSCO published the PFMI, which set out expectations for the design and operation of key financial market infrastructures (FMIs) in order to enhance their safety and efficiency and, more broadly, to limit systemic risk and foster transparency and financial stability.

Following the publication of the PFMI, the CPMI and IOSCO agreed to monitor their implementation in 28 CPMI and IOSCO members’ jurisdictions via a dedicated standing group, the implementation Monitoring Standing Group (IMSG). Implementation is being monitored on three levels. Level 1 self-assessment reports on whether a jurisdiction has completed the process of adopting legislation and other policies that will enable it to implement the principles and responsibilities. Level 2 assessments are peer reviews of the extent to which the content of the jurisdiction’s implementation measures are complete and consistent with PFMI. Level 3 peer reviews examine consistency in the outcomes of implementation of the principles by FMIs and implementation of the responsibilities by authorities.

This report represents the fourth Level 3 assessment of consistency in the outcomes of FMIs’ implementation of the PFMI and focuses on cyber resilience.

The report finds the following:

  • A reasonably high adoption of the ‘Guidance on cyber resilience for financial market infrastructures’ by FMIs.
  • One serious issue of concern and four issues of concern. The serious issue of concern relates to a small number of FMIs not fully meeting expectations regarding the development of cyber response and recovery plans to meet the two-hour recovery time objective. The four additional issues of concern relate to shortcomings in established response and recovery plans to meet the two-hour recovery time objective under extreme cyber-attack scenarios; lack of cyber resilience testing after major system changes; lack of comprehensive scenario-based testing; and inadequate involvement of relevant stakeholders in testing.