Restricted
Guidance on cyber resilience for financial market infrastructures
Global Payments Week 2016
Turin, 22 September 2016
Emanuel Freire
Member of CPMI Secretariat
* Views expressed are those of the presenter and not necessarily those of the BIS or CPMI
Cyber Guidance released on 29 June 2016
Guidance on cyber resilience for financial market infrastructures
www.bis.org/cpmi/publ/d146.htm
Outline
Why should we care about cyber resilience in FMIs?
Cyber Guidance: design considerations
Issues for consideration
Why should we care about cyber resilience in FMIs?
Are cyber risks special?
Traditional operational risk
• Scenario-based
• Identification less complex
• Effective business continuity protocols
• Potential costs can be reckoned by risk forecast
Cyber risk
• Constantly evolving
• Pervasive scope
• Recovery path not clear
• Entry points are multiplying
• No limit to the damage a cyber attack can do
Are cyber risks in FMIs different?
Time-criticality of recovery
Interlinkages between FMIs, service providers and participants
FMIs should not compete over cyber resilience
you cannot be cyber resilient alone…
The transaction chain
(Diagram: RTGS, CCP, CSD, RTGS, TR)
Transaction chain
“the term refers to the sequence of events and linkages covering the entire life cycle of a financial transaction, involving multiple entities, from origination to final settlement.”
CPMI, Cyber resilience in financial market infrastructures, November 2014.
(Diagram: RTGS, CCP, CSD, RTGS, TR)
Cyber guidance: design considerations
Previous CPMI work on cyber: key points
Interviews were useful to create cyber awareness for FMIs
Sophisticated cyber attacks do challenge the 2-hour recovery time objective (2h-RTO) and end-of-day settlement
Industry was focusing primarily on measures against attacks targeting availability, such as DDoS attacks. Such investments are not effective in case of a system or data integrity breach
Need to revisit the design of FMI systems with a view to increasing cyber resilience
Transaction chain: interconnections and interdependencies
MITRE: 4 levels of maturity
Anticipate
• Maintain a state of informed preparedness
Withstand
• Continue essential functions despite successful attacks
Recover
• Restore functions to fullest extent
Evolve
• Change functions to minimize adverse effects in future
NIST: 5 functions
Identify
• Systems, assets, data, capabilities
Protect
• Critical infrastructure services
Detect
• Timely discovery of events
Respond
• Contain impact of potential event
Recover
• Timely recovery to normal operations
CPMI: 3 dimensions
Scope
• Confidentiality
• Availability
• Integrity
Governance
• People
• Processes
• Technology
• Communication
Range of measures
• Prevention
• Detection
• Recovery
Key PFMI principles informing the Cyber Guidance
Principle 2: Governance – An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.
Principle 3: Framework for the comprehensive management of risks – An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.
Principle 8: Settlement finality – An FMI should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, an FMI should provide final settlement intraday or in real time.
Principle 17: Operational risk – An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption.
Principle 20: FMI links – An FMI that establishes a link with one or more FMIs should identify, monitor, and manage link-related risks.
Settlement finality
Irrevocable and unconditional transfer of an asset or financial instrument;
Allocation of credit, liquidity and legal risks among the parties to payment and securities transactions hinges on the credibility of finality;
Offsetting rather than reversing transactions.
2h-RTO: timely but safe resumption
PFMI Principle 17:
“An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption.”
PFMI Principle 17, Key Consideration 6: The business continuity plan “should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events”. Moreover, the plan “should be designed to enable the FMI to complete settlement by the end of the day of the disruption, even in the case of extreme circumstances”.
PFMI Principle 17, Explanatory Note 3.17.13:
“A business continuity plan should have clearly stated objectives and should include policies and procedures that allow for the rapid recovery and timely resumption of critical operations following a disruption to a service, including in the event of a wide-scale or major disruption.”
What does the 2-hour RTO really mean?
Key Consideration 17.6 of the PFMI
Detection of a disruption triggers the clock
The detection of a successful cyber attack or an attack attempt may or may not constitute a disruption
Safe resumption of critical operations (make sure risks are not escalating when deciding on resumption)
Complete settlement by the end of the day of the disruption
The 2h-RTO applies even in the case of extreme but plausible scenarios
Should be planned for and tested against
Plan for scenarios in which the 2h-RTO is not achieved.
Cyber Guidance components
Issues for consideration
Governance
Cyber resilience strategy and framework
Cyber is more than just ICT
Role of the board and senior management
Ultimate responsibility
Culture
Accountability
Other issues for consideration
Given the extensive interlinkages and interdependencies in the financial system, adequate practices at the FMI level do not necessarily ensure cyber resilience in the markets it serves;
Achieving market-wide timely and safe recovery of operations also imposes challenges on traditional testing;
Widespread collaboration across the financial industry is therefore important;
The range of threats to FMIs includes those with systemic implications;
Cyber risk is constantly changing and requires continuous assessment of interlinkages, vulnerabilities and mitigation plans;
Role of overseers, supervisors and intelligence agencies.
Other issues for consideration
Worst-case scenarios and potential quick recovery mechanisms;
Cross-regulator information sharing;
Effective solutions may necessitate collaboration between FMIs and their stakeholders;
Interactions between connected entities under cyber attack scenarios;
Need to revisit the design of FMI systems with a view to increasing cyber resilience;
Financial stability implications.