On 10 April 2018, the European Central Bank (ECB) launched a public consultation on the ECB’s draft report with proposed Cyber Resilience Oversight Expectations (CROE) for Financial Market Infrastructures (FMIs). The CROE includes the ECB’s expectations in terms of cyber resilience, based on existing global guidance. This paper constitutes ECSDA’s response to the consultation, focusing on the perspective of European Central Securities Depositories (CSDs). The draft report forms an excellent basis for improving cyber resilience of FMIs. It also supports FMIs in the implementation and operationalisation of the existing global guidance, i.e. the “Cyber Guidance” issued by the CPMI and IOSCO in 2016 as a complement to the 2014 Principles for Financial Market Infrastructures.
We are appreciative of the ECB fostering the principle of proportionality and taking a reasonable approach which will contribute to meaningful discussions between FMIs and their overseers, as:

• The CROE correctly identifies that there should be a degree of flexibility when dealing with a heterogeneous group of FMIs. Even though a CSD is an FMI, there are substantial differences with other FMIs and amongst CSDs which justify a proportional approach.
• The CROE is to be considered a set of practices that can contribute to an FMI’s compliance with the Guidance. We welcome the acknowledgement that the CROE is not put forward as a checklist of measures FMIs need to strictly comply with and that there is a graduation in the level of compliance to be reached.
• The CROE is meant to be used as a reference document which has been aligned with global and international standards and frameworks. Global CSDs are governed by multiple overseers and thus confronted with a regulatory fragmented landscape. The CROE will contribute to supervisory convergence as it can be used as a single reference document across multiple jurisdictions.

Nonetheless, we believe that a few issues require further consideration by the ECB before the CROE is published in its final form. In particular:

• The ECB’s oversight is limited to payment systems and T2S. For ‘other’ FMIs like CSDs, the ECB refers to the National Competent Authorities (NCAs) to decide how they will need to apply the CROE and what is the maturity level they expect the FMI to reach. This could open the door to more regulatory fragmentation for CSDs and an unequal level playing field depending on the views local authorities take. We would like to encourage the ECB to ensure further alignment with ESMA, to avoid that each NCA takes its own view on this matter.
• We ask for greater alignment between the CROE and inherent risk assessment models, like the Cybersecurity Capability Maturity (C2M2) model. Concrete explanations are provided in the consultation’s feedback table. However, we would like to avoid that CSDs become exposed to multiple and divergent expectations from the NCAs depending on whether they align with CROE and/or other inherent risk models.
• We have no doubt that Eurosystem will ensure that appropriate actions are taken to prevent a cyber-attack at the level of T2S. However, when speaking about CSDs, the CROE does not appear to consider the current situation of dependency of CSDs on the Eurosystem in terms of cyber security exposure and requirements.
• The Eurosystem (as T2 and T2S provider) is a key provider to the CSDs and thus there is an important dependence to ensure an appropriate level of CSD cyber resilience. Particularly when an attack occurs at the level of the Eurosystem and directly or indirectly impacting securities transactions, the response, responsibilities and consequences for CSDs need to be cleared. In addition, there are further ramifications on the CSDs liability in view of the T2S Framework Agreement.
• In our view it would be beneficial if CROE could clarify the expectations for regulated entities belonging to a group or being part of a corporation.

Detailed comments are provided in the consultation’s feedback table.

Please read the full consultation.