Guidance on cyber resilience for financial market infrastructures

Transcript of the slide deck (21 pages). Source: pubdocs.worldbank.org/en/987101479484759693/GPW2016-thur... (URL truncated in the source)

Page 1:

Restricted

Guidance on cyber resilience for financial market infrastructures

Global Payments Week 2016
Turin, 22 September 2016

Emanuel Freire, Member of CPMI Secretariat

* Views expressed are those of the presenter and not necessarily those of the BIS or CPMI

Page 2:

Cyber Guidance released on 29 June 2016

Guidance on cyber resilience for financial market infrastructures
www.bis.org/cpmi/publ/d146.htm

Page 3:

Outline

• Why should we care about cyber resilience in FMIs?
• Cyber Guidance: design considerations
• Issues for consideration

Page 4:

Why should we care about cyber resilience in FMIs?

Page 5:

Are cyber risks special?

Traditional operational risk
• Scenario-based
• Identification less complex
• Effective business continuity protocols
• Potential costs can be reckoned by risk forecast

Cyber risk
• Constantly evolving
• Pervasive scope
• Recovery path not clear
• Entry points are multiplying
• No limit to the damage a cyber attack can do

Page 6:

Are cyber risks in FMIs different?

• Time-criticality of recovery
• Interlinkages between FMIs, service providers and participants
• FMIs should not compete over cyber resilience: you cannot be cyber resilient alone…

Page 7:

The transaction chain

(Diagram: the transaction chain, with the nodes RTGS, CCP, CSD, RTGS and TR)

Page 8:

Transaction chain

“the term refers to the sequence of events and linkages covering the entire life cycle of a financial transaction, involving multiple entities, from origination to final settlement.”

CPMI, Cyber resilience in financial market infrastructures, November 2014.

(Diagram: the transaction chain, with the nodes RTGS, CCP, CSD, RTGS and TR)

Page 9:

Cyber guidance: design considerations

Page 10:

Previous CPMI work on cyber: key points

• Interviews were useful to create cyber awareness for FMIs
• Sophisticated cyber attacks do challenge the 2-hour recovery time objective (2h-RTO) and end-of-day settlement
• Industry was focusing primarily on measures against attacks targeting availability, such as DDoS attacks. Such investments are not effective in case of a system or data integrity breach
• Need to revisit the design of FMI systems with a view to increasing cyber resilience
• Transaction chain: interconnections & interdependencies

Page 11:

MITRE: 4 levels of maturity
• Anticipate: maintain a state of informed preparedness
• Withstand: continue essential functions despite successful attacks
• Recover: restore functions to the fullest extent
• Evolve: change functions to minimize adverse effects in future

NIST: 5 functions
• Identify: systems, assets, data, capabilities
• Protect: critical infrastructure services
• Detect: timely discovery of events
• Respond: contain the impact of a potential event
• Recover: timely recovery to normal operations

CPMI: 3 dimensions
• Scope: confidentiality, availability, integrity
• Governance: people, processes, technology, communication
• Range of measures: prevention, detection, recovery

Page 12:

Key PFMI principles informing the Cyber Guidance

Principle 2: Governance – An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.

Principle 3: Framework for the comprehensive management of risks – An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.

Principle 8: Settlement finality – An FMI should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, an FMI should provide final settlement intraday or in real time.

Principle 17: Operational risk – An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption.

Principle 20: FMI links – An FMI that establishes a link with one or more FMIs should identify, monitor, and manage link-related risks.

Page 13:

Settlement finality

• Irrevocable and unconditional transfer of an asset or financial instrument;
• Allocation of credit, liquidity and legal risks among the parties to payment and securities transactions hinges on the credibility of finality;
• Offsetting rather than reversing transactions.

Page 14:

2h-RTO: timely but safe resumption

PFMI Principle 17:

“An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption.”

PFMI Principle 17, Key Consideration 6: The business continuity plan “should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events”. Moreover, the plan “should be designed to enable the FMI to complete settlement by the end of the day of the disruption, even in the case of extreme circumstances”.

PFMI Principle 17, Explanatory Note 3.17.13:

“A business continuity plan should have clearly stated objectives and should include policies and procedures that allow for the rapid recovery and timely resumption of critical operations following a disruption to a service, including in the event of a wide-scale or major disruption.”

Page 15:

What does the 2-hour RTO really mean?

Key Consideration 17.6 of the PFMI:

• The detection of a disruption triggers the clock
• The detection of a successful cyber attack or an attack attempt may or may not constitute a disruption
• Safe resumption of critical operations (make sure risks are not escalating when deciding on resumption)
• Complete settlement by the end of the day of the disruption
• The 2h-RTO applies even in the case of extreme but plausible scenarios
• Should be planned for and tested against
• Plan for scenarios in which the 2h-RTO is not achieved.
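The reading of Key Consideration 17.6 given above has several moving parts: the clock starts at detection of a disruption (not at every attack attempt), resumption is gated on risks not escalating, settlement must still complete by end of day, and a contingency is needed when the objective is missed. The following is an added illustration, not code from the deck, the CPMI or the BIS: a small Python model that walks a constructed incident timeline and reports against each of those objectives. The event kinds, the `risk_escalating` flag and the sample timestamps are all assumptions made for the example.

```python
"""Model of the 2h-RTO objectives described in PFMI Key Consideration 17.6.

Added example; event kinds, field names and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

RTO = timedelta(hours=2)  # two-hour recovery time objective

# Hypothetical event vocabulary for an incident timeline.
EVENT_KINDS = {
    "attack_attempt",        # detected attempt; does not start the clock by itself
    "disruption_detected",   # critical operations disrupted; starts the clock
    "resumption_proposed",   # a decision point on resuming critical operations
    "settlement_complete",   # the day's settlement has been completed
}


@dataclass
class Event:
    time: datetime
    kind: str
    risk_escalating: bool = False  # only meaningful for "resumption_proposed"


def assess_incident(events: List[Event], end_of_day: datetime) -> dict:
    """Report whether the timeline met the 2h-RTO and end-of-day settlement objectives."""
    clock_start: Optional[datetime] = None
    resumed_at: Optional[datetime] = None
    settled_at: Optional[datetime] = None
    rejected = 0  # resumption proposals refused because risks were still escalating

    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind: {ev.kind}")
        if ev.kind == "disruption_detected":
            if clock_start is None:          # first detection triggers the clock
                clock_start = ev.time
        elif ev.kind == "resumption_proposed":
            if clock_start is None or resumed_at is not None:
                continue                     # nothing to resume, or already resumed
            if ev.risk_escalating:
                rejected += 1                # safe-resumption gate: wait
            else:
                resumed_at = ev.time
        elif ev.kind == "settlement_complete":
            settled_at = ev.time

    if clock_start is None:
        # Attack attempts alone do not constitute a disruption.
        return {"disruption": False, "rto_met": None, "eod_settlement_met": None,
                "unsafe_resumptions_rejected": rejected, "contingency_required": False}

    deadline = clock_start + RTO
    rto_met = resumed_at is not None and resumed_at <= deadline
    eod_met = settled_at is not None and settled_at <= end_of_day
    return {
        "disruption": True,
        "rto_deadline": deadline,
        "resumed_at": resumed_at,
        "rto_met": rto_met,
        "eod_settlement_met": eod_met,
        "unsafe_resumptions_rejected": rejected,
        # Scenarios in which the objective is not achieved must have their own plan.
        "contingency_required": not (rto_met and eod_met),
    }


def at(hh: int, mm: int) -> datetime:
    """Timestamp on a constructed incident day."""
    return datetime(2016, 9, 22, hh, mm)


# Constructed sample timeline: an attempt that is not a disruption, a real
# disruption at 10:00, one resumption refused as unsafe, resumption at 11:45.
SAMPLE_TIMELINE = [
    Event(at(9, 10), "attack_attempt"),
    Event(at(10, 0), "disruption_detected"),
    Event(at(11, 15), "resumption_proposed", risk_escalating=True),
    Event(at(11, 45), "resumption_proposed"),
    Event(at(16, 30), "settlement_complete"),
]
END_OF_DAY = at(18, 0)


def sample_report() -> dict:
    return assess_incident(SAMPLE_TIMELINE, END_OF_DAY)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The gate on `risk_escalating` is the point of the "timely but safe" reading: resuming at 11:15 would have met the clock, but the model refuses it and only counts the 11:45 resumption, which still falls inside the 12:00 deadline. Changing that second proposal to 12:30 flips `rto_met` and raises `contingency_required`, which is where the deck's last bullet applies.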

Page 16:

Cyber Guidance components

Page 17:

Issues for consideration

Page 18:

Governance

• Cyber resilience strategy and framework
• Cyber is more than just ICT
• Role of the board and senior management
  • Ultimate responsibility
  • Culture
  • Accountability

Page 19:

Other issues for consideration

• Given the extensive interlinkages and interdependencies in the financial system, adequate practices at the FMI level do not necessarily ensure cyber resilience in the markets it serves;
• Achieving market-wide timely and safe recovery of operations also imposes challenges on traditional testing. Widespread collaboration across the financial industry is therefore important;
• The range of threats to FMIs includes those with systemic implications;
• Cyber risk is constantly changing and requires continuous assessment of interlinkages, vulnerabilities and mitigation plans;
• Role of overseers, supervisors and intelligence agencies;

Page 20:

Other issues for consideration

• Worst case scenarios and potential quick recovery mechanisms;
• Cross-regulator information sharing;
• Effective solutions may necessitate collaboration between FMIs and their stakeholders;
• Interactions between connected entities under cyber attack scenarios;
• Need to revisit the design of FMI systems with a view to increasing cyber resilience;
• Financial stability implications.

Page 21:

Thank you!

www.bis.org/cpmi/publ/d146.htm