International Cyber Recommendations for the Financial Market: Collaboration is the Name of the Game
On June 29, 2016, the Bank for International Settlements’ (BIS) Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) issued “Guidance on cyber resilience for financial market infrastructures” (Cyber Guidance), the first set of concrete recommendations following the 2012 CPMI-IOSCO Principles for Financial Market Infrastructure (PFMI). The new Cyber Guidance makes clear that collaboration is key. Among the many components of a strong cyber resilience framework (i.e., a system of policies and controls aimed at identifying, protecting, detecting, responding to and recovering from cyber risks), intramarket coordination is critical to the success of cybersecurity in a system of interdependent and interconnected participants. Indeed, the prevention of systemic events and the maintenance of economic stability seems weakened without it.
The Cyber Guidance is specifically addressed to “financial market infrastructures” (FMIs), which the PFMI defines as “systemically important payment systems, central securities depositories, securities settlement systems, central counterparties, and trade repositories, [who] facilitate clearing, settlement and recording of monetary and other financial transactions, such as payments, securities, and derivatives contracts.” In the U.S., FMIs include payment systems operated through the Federal Reserve Banks: the Fedwire Funds Service, the Fedwire Securities Service, and the National Settlement Service.
The Cyber Guidance reinforces two elements of the systemic importance of an FMI: i) its ability to ensure settlements of obligations when due and the finality of those transactions; and ii) its ability to resume operations within two hours of a disruption. Satisfying these principles requires coordination among FMIs, service providers, vendors, and vendor products (an FMI’s “ecosystem”) in the following ways:
• “At a minimum, an FMI should ensure that its outsourced services are accorded the same level of cyber resilience needed if their services were provided by the FMI itself;”
• To facilitate the recovery of data, an FMI should consider data-sharing agreements with relevant third-parties or participants to enable the transfer of uncorrupted data in a timely manner once a successful cyber attack has been identified;
• To prevent contagion risk, an FMI should work with its interconnected entities to enable the resumption of operations as soon as it is safe and practicable without causing unnecessary risk to the wider sector;
• Testing to evaluate one’s framework should include testing of relevant entities in the FMI’s ecosystem and scenarios that cover breaches affecting multiple portions of the ecosystem;
• FMIs should participate in industry-wide testing and exercises organized by relevant authorities; and
• To achieve situational awareness, FMIs should participate in active information-sharing arrangements with stakeholders within and outside the industry – “collecting and exchanging information that could facilitate the detection, response, resumption and recovery of its own systems and those of other sector participants during and following a cyber attack” and participating in “cross-industry, cross-government and cross-border groups to gather, distribute and assess information about cyber practices, cyber threats and early warning indicators relating the cyber threats.”
The Cyber Guidance recommends that FMIs develop concrete plans to improve their resiliency by next June 2017.
While the Cyber Guidance does not create binding obligations on FMIs, the working group that prepared it has expressed that the guidance “provides authorities with a set of internationally agreed guidelines to support consistent oversight and supervision.” The working group includes members from the Securities and Exchange Commission, the Board of Governors of the Federal Reserve System, and the Commodity Futures Trading Commission.
Does the Cyber Guidance establish achievable goals for FMIs? Hopefully. The 2008 macroeconomic crisis taught us that our financial systems are interdependent. A major cybersecurity breach within one FMI has the potential to upset the finality and clearance of financial transactions worldwide.