The Bank for International Settlements puts out this press release on a new CPMI (Committee on Payments and Market Infrastructures) report on dealing with cyber attacks. This report is a reminder that the modern financial system is ALWAYS under threat from a crippling attack. Below I have pasted in the press release.-----------------------------------------------------------------------------------------------
CPMI-IOSCO consultative paper "Guidance on cyber resilience for financial market infrastructures"
24 November 2015
The Committee on Payments and Market Infrastructures (CPMI)1 and the Board of the International Organization of Securities Commissions (IOSCO)2 today released the consultative paper Guidance on cyber resilience for financial market infrastructures ("the Cyber Guidance").3
Financial market infrastructures (FMIs) play a critical role in promoting the stability of the financial system. Thus, the cyber risks faced by FMIs and their level of readiness to effectively deal with worst case scenarios have been considered top priorities by industry leaders and authorities alike. The Cyber Guidance aims to add momentum to and instil international consistency in the industry's ongoing efforts to enhance FMIs' ability to pre-empt cyber attacks, respond rapidly and effectively to them, and achieve faster and safer target recovery objectives if they succeed.
Key concepts built into the Cyber Guidance include the following:
- Board and senior management attention is critical to a successful cyber resilience strategy.
- The ability to resume operations quickly and safely after a successful cyber attack is paramount.
- FMIs should make use of good-quality threat intelligence and rigorous testing.
- Cyber resilience requires a process of continuous improvements.
- Cyber resilience cannot be achieved by an FMI alone; it is a collective endeavour of the whole "ecosystem".
The Cyber Guidance builds on previous studies conducted in this area by both the CPMI and IOSCO.4 When finalised, the Cyber Guidance will not establish additional standards for FMIs beyond those already set out in the Principles for Financial Market Infrastructures (PFMI). Instead, the document is intended to be supplemental to the PFMI, primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17) and FMI links (Principle 20).
The proposed Cyber Guidance sets out the preparations and measures that FMIs should undertake to enhance their cyber resilience capabilities with the aim of limiting the escalating risks that cyber threats pose to individual FMIs and thereby to financial stability. It also provides authorities with a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs in the area of cyber risk.
The Cyber Guidance is primarily intended to create meaningful shifts in the FMI industry towards greater cyber resilience. In this regard, Mr Benoît Cœuré, Chairman of the CPMI, stated: "This is an important report because cyber attacks in the financial sector have the potential to create widespread financial instability. Nobody should assume they will be able to prevent cyber attacks in all circumstances. Therefore, the Cyber Guidance addresses the need for an FMI to resume its operations quickly and safely after an attack has occurred. This is not an easy task and may require innovative thinking that goes beyond the traditional approaches to operational resilience."
Mr Greg Medcraft, Chairman of IOSCO, added: "The proposed Cyber Guidance is the culmination of extensive collaboration between IOSCO and the CPMI. It reflects an urgency to address the increasing risks that cyber threats pose to FMIs and financial stability, as well as the need for a coordinated approach. At the FMI level too, cyber resilience cannot be achieved by individual institutions alone in our highly interconnected financial sector. The broader 'ecosystem' needs to work in unison. The Guidance calls upon the ecosystem to do just that. We hope to collaborate with all stakeholders to meaningfully enhance the cyber resilience of our financial system as we refine these proposals and later implement them."
The consultative report is available on the websites of the Bank for International Settlements and IOSCO. Comments on the report should be submitted by Tuesday 23 February 2016 via e-mail to both the CPMI Secretariat and the IOSCO Secretariat.
All comments may be published on the websites of the Bank for International Settlements and IOSCO unless a commenter specifically requests confidential treatment.