Globe-spanning financial market infrastructures (FMIs) that transfer electronic payments must boost their cybersecurity measures to prevent attacks from spreading to banking and corporate stakeholders, according to a new report.
Published by industry policy-setting group the Committee on Payments and Market Infrastructures (CPMI), the document sets out a series of risk management recommendations for governance, identification, protection, detection and response.
By observing its measures, says the group, FMIs will not only be better prepared for cyberattacks, but also able to react to them in ways that minimise their broader impact on financial markets and affiliates.
“Given FMIs’ systemic importance and extensive interconnections,” notes the report, “and hence potential for risk contagion between FMIs and entities within their ecosystems, [they] should take appropriate, swift and sustained actions to enhance their cyber-resilience.”
With that in mind, it says, early detection must be prioritised to provide “useful lead time to mount appropriate countermeasures” against potential breaches. As such, FMIs require “advanced capabilities” to monitor for anomalous actions.
Most importantly, though, the report urges FMIs to adopt a universal, two-hour recovery time objective (2hRTO) that should be observed during any serious, systemic attack that leads to a cessation of activity.
“Financial stability may depend on the ability of an FMI to settle obligations when they are due, at a minimum by the end of the value date,” it says.
On that basis, an FMI “should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption, and to enable itself to complete settlement by the end of the day of disruption – even in the case of extreme, but plausible, scenarios.”
It advises: “FMIs should exercise judgement in effecting resumption so that risks to itself or its ecosystem do not thereby escalate, while taking into account that completion of settlement by the end of day is crucial.”
The report stresses that FMIs should also plan for suboptimal emergency scenarios in which the desired 2hRTO is not achieved – and says that closer collaboration between FMIs and their stakeholders will be required to devise effective solutions, as payment communities have a shared interest in ensuring high standards of cyber-resilience.
“Efforts to coordinate the design of resilience solutions,” says the report, “may bring enhanced strategies forward in a more timely and efficient way.” As such, it notes, “collaboration should be considered in [organisations’] individual and collective strategic planning”.
Regulatory authorities, the report adds, must also embrace that spirit of joint working. “Because the cyber-resilience of FMIs supports broader financial stability objectives,” it says, “and in light of significant interdependencies in clearing and settlement processes, it is important for authorities to cooperate.”
CPMI chairman Benoît Cœuré said: “This is a landmark report for the financial industry. FMIs have come to the fore as financial sector hubs at a time when cyber-resilience is a key priority for the financial industry… FMIs should take action immediately to implement its recommendations.”
Ashley Alder, chairman of the International Organization of Securities Commissions, added that the guidance “represents an important step in strengthening the cyber-resilience of FMIs and the ecosystem within which they operate”.