CPMI Report Highlights “Serious” Cyber Security Concern in FMIs
Posted by Colin Lambert. Last updated: November 29, 2022
The latest Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) assessment of cyber resilience amongst financial market infrastructures (FMIs) shows reasonably high adoption of their Cyber Guidance but also one “serious issue of concern” over response and recovery plans.
The report – Implementation monitoring of the PFMI: Level 3 assessment on Financial Market Infrastructures’ Cyber Resilience – presents the results of an assessment of the state of cyber resilience (as of February 2021) at 37 FMIs from 29 jurisdictions that participated in this exercise in 2020–22. The Level 3 assessment covered all FMI types: systemically important payment systems, central securities depositories, securities settlement systems, central counterparties, and trade repositories.
The results were anonymised before assessment, therefore the report can only offer broad guidance over areas to be addressed.
The “serious issue of concern” relates to a small number of FMIs, CPMI says, which have not yet developed their cyber response and recovery plans to meet the two-hour recovery time objective, or 2hRTO. That is, it explains, those plans were not designed to enable the FMI to ensure that critical IT systems can resume operations within two hours following disruptive events even in the case of extreme but plausible scenarios.
The report also highlights four issues of concern among some of the assessed FMIs, namely shortcomings in established response and recovery plans for meeting the 2hRTO under extreme cyber-attack scenarios; a lack of cyber resilience testing (e.g. integrity of backup data, vulnerability assessments or penetration testing) after a significant system change; a lack of comprehensive scenario-based testing; and inadequate involvement of relevant stakeholders (e.g. FMI participants, critical service providers or linked FMIs) in testing of their responses.
“Considering their aggregate impact, these (serious) issues of concern seem to pose clear challenges for FMIs’ cyber resilience,” CPMI and IOSCO say in a release. “The CPMI and IOSCO urge the relevant FMIs and their supervisors to address these issues with the highest priority. As set out in the PFMI, the relevant supervisory authorities are responsible for ensuring that individual FMIs implement the Principles [from a 2016 CPMI/IOSCO cyber guidance paper].”
To gain a better understanding of the extent to which the Cyber Guidance has been used by FMIs, CPMI and IOSCO say the assessment also focused on three important components of the cyber resilience framework: governance; testing; and learning and evolving.
As the survey of FMIs was carried out during the Covid-19 pandemic, a section of the report highlights the challenges recognised by FMIs in this period (due to increased remote working arrangements and the use of personal devices) and outlines some of the measures implemented or being implemented to address potentially heightened cyber risks.