CPMI and IOSCO release cyber resilience guidance for financial market infrastructures
- Published: Thursday, 30 June 2016 07:33
The Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) have published a new document, ‘Guidance on cyber resilience for financial market infrastructures’. This is the first internationally agreed guidance on cyber security for the financial industry. It has been developed against the backdrop of a rising number of cyber-attacks against the financial sector and in a context where attacks are becoming increasingly sophisticated.
“This is a landmark report for the financial industry. Financial market infrastructures [FMIs] have come to the fore as financial sector hubs at a time when cyber resilience is a key priority for the financial industry. This is indeed a timely document, and FMIs should take action immediately to implement its recommendations,” said Benoît Cœuré, chairman of the CPMI.
The aim of the guidance is to add momentum to the industry’s ongoing efforts to enhance FMIs’ ability to pre-empt cyber-attacks, respond rapidly and effectively to them, and achieve faster and safer target recovery objectives if the attacks succeed. Another goal is to ensure that these efforts to build resilience are similar from one country to another.
‘Guidance on cyber resilience for financial market infrastructures’ provides authorities with a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs in the area of cyber risk.
Key concepts built into the guidance include the following:
- Sound cyber governance is key. Board and senior management attention is critical to a successful cyber resilience strategy.
- The ability to resume operations quickly and safely after a successful cyber-attack is paramount.
- FMIs should make use of good-quality threat intelligence and rigorous testing.
- FMIs should aim to instil a culture of cyber risk awareness and demonstrate ongoing re-evaluation and improvement of their cyber resilience at every level within the organisation.
- Cyber resilience cannot be achieved by an FMI alone; it is a collective endeavour of the whole ‘ecosystem’.