On 10 April 2018, the European Central Bank (ECB) published a consultation on draft guidance concerning cyber resilience expectations for financial market infrastructures (FMIs). The ECB sees cyber resilience as an important aspect of FMIs’ operational resilience and as a factor affecting the overall resilience of the financial system and the broader economy.
The draft guidance builds on the existing CPSS-IOSCO Principles for financial market infrastructures. This guidance requires FMIs to immediately take the necessary steps to implement it, in concert with relevant stakeholders, to ensure that they enhance their levels of cyber resilience. While cyber risks should be managed as part of an FMI’s overall operational risk management framework, some unique characteristics of cyber risk, as noted in the guidance, present challenges to FMIs’ traditional operational risk management frameworks.
The purpose of the draft ECB guidance is to:
- set out clear criteria against which overseers assess the FMIs for which they are responsible, helping them to determine the FMIs’ level of resilience against cyber threats;
- provide FMIs in the euro area with steps to implement the guidance and enhance their cyber resilience over a prolonged period of time; and
- provide the basis for a meaningful discussion between the FMIs and their respective overseers.
The draft guidance is presented in chapters that outline five primary risk management categories and three overarching components that should be addressed across an FMI’s cyber resilience framework. The risk management categories are: (i) governance; (ii) identification; (iii) protection; (iv) detection; and (v) response and recovery. The overarching components are: (i) testing; (ii) situational awareness; and (iii) learning and evolving.
The deadline for comments on the consultation is 5 June 2018.