23 Feb 2016 – New global standards on cyber resilience will soon be adopted to complement the oversight Principles for financial market infrastructures (FMIs).
Responding to a consultation released by the CPMI and IOSCO on 24 November 2015, ECSDA highlighted four main issues which global regulators should take into consideration before finalising the new “Cyber Guidance”:
- There should be more emphasis on the principle of proportionality, acknowledging that smaller infrastructures with a lower risk profile cannot be expected to have the same level of detail and sophistication in their cyber resilience framework as large, cross-border infrastructures.
- Conversely, less emphasis should be put on the formalisation and documentation of plans, policies and procedures. CSDs generally agree with the description of the different components of the cyber resilience framework provided in the Guidance but believe that regulators should not systematically require separate formal documents for each of these components. In the case of smaller CSDs in particular, the various plans, policies and procedures could in some instances form part of the cyber resilience framework document to avoid introducing unnecessary paperwork and complexity.
- The notion of criticality should be included in those parts of the Guidance dealing with the relationships between infrastructures and their service providers. This is essential to ensure that the Guidance can realistically be implemented. Market infrastructures should definitely be encouraged to adopt a holistic approach to cyber resilience and to involve stakeholders and all relevant players in their “ecosystem”. Regulators should nonetheless be aware that CSDs will not always be in a position to impose their own cyber resilience standards on other entities, including third-party providers. Focusing resources on critical providers will be a more efficient way to enhance overall cyber resilience.
- Global regulators should make it clear that the Cyber Guidance is not meant to be translated into binding legislation at the local level. To be effective, it should remain principles-based and allow CSDs to adapt to the dynamic nature of cyber threats. This is especially true of benchmarks such as the 2-hour recovery objective in case of a cyber attack.