Out-Law News
25 Nov 2015, 1:10 pm
The Committee on Payments and Market Infrastructures (CPMI), a member of the international body the Financial Stability Board, together with the Technical Committee of the International Organisation of Securities Commissions (IOSCO), said that "efforts to coordinate the design of resilience solutions may bring enhanced strategies forward in a more timely and efficient way".
"Given the extensive interlinkages and interdependencies in the financial system, adequate cyber resilience is dependent not only on the resilience of a single FMI, but also on that of interconnected FMIs, of service providers and of the participants," the CPMI and IOSCO cyber resilience guidance said. "Achieving effective solutions may require FMIs to collaborate with their stakeholders as they seek to strengthen their own cyber resilience."
"The outcome of such collaboration should be considered in their individual and collective strategic planning. Increased resilience can be achieved if heightened resilience objectives are explicitly incorporated in the ongoing improvement or redesign of systems and processes," it said.
The guidance identified five areas of risk management that financial market infrastructures (FMIs) should focus on to improve their cyber resilience: better governance, measures to identify threats, protection of systems, detection of "anomalous activity", and the ability to respond to and recover from successful cyber attacks.
The CPMI and IOSCO said FMIs should "designate a senior executive to be responsible and accountable overall for the cyber resilience framework within the organisation". That person should have "the requisite expertise and knowledge to competently plan and execute the cyber resilience initiatives", their guidance said. Ultimately, however, the board should be responsible for "setting strategy and ensuring that cyber risk is effectively managed", it said.
Organisational culture is important to cyber resilience too, the guidance said.
"An FMI’s board and senior management should cultivate a strong level of awareness of and commitment to cyber resilience," the guidance said. "To that end, an FMI’s board and management should promote a culture that recognises that staff at all levels have important responsibilities in ensuring the FMI’s cyber resilience, and lead by example."
At least some of the people operating on the board and at senior management level at FMIs should have "the appropriate skills and knowledge to understand and manage the risks posed by cyber threats", it said.
On a practical security level, FMIs should deploy "security analytics" to monitor people who have access to their systems so as to "capture and analyse anomalous behaviour", and "conduct screening/background checks on new employees to mitigate insider threats", the guidance said. Similar checks on existing staff should also be carried out at "regular intervals", it said, whilst "access controls" should also be implemented to ensure systems are only accessed by staff who are "appropriately trained and monitored".
The guidance said FMIs' cyber incident response plans should ensure that they can resume "critical operations" within two hours of a disruption, complete the settlement of payments "by day-end" and "preserve transaction integrity".
"The safe and efficient operation of FMIs is essential to maintaining and promoting financial stability and economic growth," the CPMI and IOSCO said. "If not properly managed, FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or a major channel through which these shocks are transmitted across domestic and international financial markets. In this context, the level of operational resilience of FMIs, including cyber resilience, can be a decisive factor in the overall resilience of the financial system and the broader economy."