The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have released a consultative document, “Guidance on cyber resilience for financial market infrastructures”.
The consultative document sets out draft supplemental guidance to the CPMI-IOSCO Principles for Financial Market Infrastructures (PFMI), primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17) and FMI links (Principle 20). It is not intended to impose additional standards on FMIs beyond those set out in the PFMI, but instead the guidance details the preparations and measures that FMIs should undertake to enhance their cyber resilience capabilities with the objective of limiting the escalating risks that cyber threats pose to financial stability.
The draft guidance is presented in chapters that outline five primary risk management categories and three overarching components that should be factored across an FMI’s cyber resilience strategy and framework. The risk management categories are: governance; identification; protection; detection; and response and recovery. The overarching components are: testing; situational awareness; and learning and evolving.
Key concepts built into the draft guidance include:
- board and senior management attention is critical to a successful cyber resilience strategy;
- the ability to resume operations quickly and safely after a successful cyber attack is paramount;
- FMIs should make use of good quality threat intelligence and rigorous testing;
- cyber resilience requires a process of continuous improvement; and
- cyber resilience cannot be achieved by an FMI alone; it is a collective endeavour of the whole “ecosystem”.