Guidance on cyber resilience for financial market infrastructures
The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures ("Cyber Guidance"). This builds on an earlier version of the report that underwent a three-month public consultation.
The safe and efficient operation of financial market infrastructures (FMIs) is essential to maintaining and promoting financial stability and economic growth. The Cyber Guidance aims to add momentum to and instil international consistency in the industry's ongoing efforts to enhance its cyber resilience. This includes the ability of FMIs to pre-empt cyber attacks, respond rapidly and effectively to them, and achieve faster and safer target recovery objectives if the attacks succeed. In addition, the Cyber Guidance provides authorities with a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs in the area of cyber risk.
At its core, the Cyber Guidance requires FMIs to instil a culture of cyber risk awareness and to demonstrate ongoing re-evaluation and improvement of their cyber resilience posture at every level within the organisation. Furthermore, while the guidance is directly aimed at FMIs, it is important for them to take on an active role in reaching out to their participants and other relevant stakeholders to promote understanding and support of resilience objectives and their implementation. Effective solutions may require collaboration between FMIs and their stakeholders as they seek to strengthen their own cyber resilience.
The Cyber Guidance does not establish additional standards for FMIs beyond those already set out in the Principles for Financial Market Infrastructures (PFMI). Instead, the document is intended to be supplemental to the PFMI, primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17) and FMI links (Principle 20).