
Cyber Risk – Financial Market Infrastructures: Cyber Resilience


Introduction
Imagine a world in which you could not use your credit card, withdraw money from
an ATM or make payments via online banking. Imagine if money was taken from your
accounts without your knowledge and authorisation. Or if transfers of money and
financial instruments among financial institutions suddenly became unavailable. Such
scenarios, in extremes, could bring economic activities and financial markets to a halt
and could happen if financial market infrastructures (FMIs) suffered a severe
cyberattack.

Given the threats, FMIs should enhance their cyber resilience capabilities and manage
their cyber risks within a comprehensive cyber resilience framework. As banks use FMIs
extensively, are connected to them and so can also be impacted by cyberattacks on that
infrastructure, they and their supervisors must understand the nature of cyber risks
facing FMIs. Bank supervisors need to work with the relevant authorities in charge
of FMI supervision to address FMI cyber risks.

This tutorial introduces the concept of cyber resilience and the cyber resilience
framework for FMIs based on guidance published by the Committee on Payments and
Market Infrastructures (CPMI) and the International Organization of Securities
Commissions (IOSCO) in June 2016.

Financial Market Infrastructures (FMIs)


FMIs refer to systemically important payment systems, central securities depositories, securities
settlement systems, central counterparties and trade repositories.

Around The World - Global Cyberattack: WannaCry


On Friday, 12 May 2017, the “WannaCry” ransomware attack began. Within a day, it had
affected more than 200,000 computers in at least 150 countries. Much ransomware relies on
luring a victim into clicking a link that downloads malicious software onto a device
within the computer system; WannaCry instead spread as a worm, exploiting a vulnerability
in the Windows SMB file-sharing service (patched by Microsoft as MS17-010 two months
earlier) to infect other reachable machines without any user action. On each infected
machine it encrypted files and data and blocked access to them until a ransom was paid.

© Bank for International Settlements. All rights reserved. Page 1 of 11


Cyber Resilience for FMIs
Cyber resilience is an FMI’s ability to anticipate, withstand, contain and rapidly recover
from a cyberattack. Cyber resilience is broader in scope than cyber security. Cyber
security focuses on security measures and technology, such as firewalls, antivirus
software or strict controls on passwords and access, to protect systems from
cyberattack, whereas cyber resilience covers additional critical elements, such as people
and processes.

The safe and efficient operation of FMIs is essential to maintaining and promoting
financial stability and economic growth. If cyber risks to an FMI are not properly
managed, the FMI may not be able to function as it should and when it should (for
example, as a shock absorber against a default of its participants), or it could become a
major channel through which cyber risks are transmitted across domestic and
international financial markets.

Ultimately, cyber resilient FMIs are central to the overall resilience of the financial
system and the broader economy.



Cyber Resilience Frameworks for FMIs
Cyber resilience frameworks consist of the policies, procedures and controls that an FMI
has established to identify, protect, detect, respond to and recover from extreme
but plausible sources of cyber risk it faces.

Key Elements of a Sound Cyber Resilience Framework

An FMI should put in place a cyber resilience framework that is consistent with its
enterprise operational risk management framework. The framework should be guided by
an FMI’s cyber resilience strategy, consisting of high-level principles and medium-term
plans to achieve its objective of managing cyber risk. The key elements of a sound cyber
resilience framework are outlined below.

Objectives

The framework should aim to maintain and promote an FMI’s ability to anticipate,
withstand, contain and recover from cyberattacks. This is to limit the likelihood and
impact of a successful cyberattack on its operations and the broader financial system.

Content

The framework should clearly articulate how an FMI determines its cyber resilience
objectives and cyber risk tolerance and how it identifies, manages and mitigates its
cyber risk. The framework should also cover communication plans with the relevant
stakeholders so that an FMI can effectively respond to and recover from a cyberattack.

Scope

The framework should not only cover an FMI’s IT systems, but also the relevant people
and processes. For example, limiting physical access can help mitigate cyber risk.

Control Functions

A senior executive with the necessary knowledge and competence should be appointed
to be responsible and accountable for executing the cyber resilience framework. This
person should have sufficient authority, independence, resources and access to the
board. The internal audit and compliance functions of an FMI should assist the board
and senior management in assessing compliance with the framework and the
framework’s effectiveness.

Relevance

An FMI should review and update the framework periodically to ensure it remains
effective in terms of actively mitigating the cyber risk that it bears from and poses to its
participants and other stakeholders. In doing so, the FMI can refer to international,
national and industry standards or guidelines that reflect current best approaches.



Adaptability

The framework should keep pace with the dynamic nature of cyber risk and the rapid
evolution of cyber threats. To achieve this, an FMI should identify and distil key lessons
from past cyber events within and outside its organisation, not only from actual attacks
but also from near misses. It should acquire new knowledge and capabilities to counter
new forms of cyberattacks. It should try to put in place predictive capabilities that can
anticipate future cybersecurity incidents.



Key Characteristics of FMIs
There are two key characteristics of FMIs that are particularly relevant in the context of
FMI cyber resilience: the time-critical nature of transactions and the interconnectedness
that FMIs create within the financial ecosystem.

Time-critical Transactions

Processing high-value transactions is typically time-critical. Transactions need to be
cleared and settled within a predefined time period of a day – or even on a real-time
basis. Financial stability may depend on an FMI’s ability to settle obligations when they
are due. For that reason, it is crucial that an FMI’s arrangements should be designed to
enable it to resume critical operations rapidly, safely and with accurate data.

Interconnectedness

An FMI is typically interconnected to a large number of other entities within its
ecosystem, for example, its participants and linked FMIs. The cyber risks faced by these
entities could be transmitted to and have significant implications for the FMI. Likewise,
the risks faced by the FMI could, if not well managed, threaten these other entities.
Therefore, effective solutions will need to involve good collaboration between an FMI
and all relevant stakeholders. Arrangements that an FMI should consider include:

• Data-sharing arrangements: An FMI should consider setting up agreements with the
relevant third parties or participants so that it can obtain uncorrupted data from
them in the event of a cyberattack.
• Contagion containment: In the event of a cyber incident, an FMI should work
together with its interconnected entities to enable the resumption of critical
services as soon as it is safe and practicable to do so. Resumption of services
must be done without causing unnecessary risk to the wider sector or further
damage to financial stability.
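A data-sharing arrangement is only useful if the FMI can actually tell, after an incident, which of its own records are intact and which participant copies to trust. The following is an added example, not part of the CPMI-IOSCO guidance or any FMI's own system, showing one way to reconcile an FMI's transaction ledger against copies obtained from participants: each record is hashed over a canonical encoding, the FMI's copy is compared with the participant copies, and a record is recovered from participants when a strict majority of them agree against the FMI's copy. The ledger, the participant names (BANK-A, BANK-B, BANK-C) and the majority-vote rule are all constructed assumptions for illustration.

```python
"""
Added example: reconciling an FMI's transaction ledger against copies held by
its participants, so that after a cyber incident the FMI can tell which of its
own records are intact, which have been corrupted (and recover a clean copy),
and which cannot be verified. The ledger, participant names and records below
are constructed for illustration; they are not real FMI data.
"""
import hashlib
import json
from collections import Counter


def record_digest(record):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace), so
    two copies of the same record hash identically regardless of field order."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def reconcile(fmi_records, participant_copies, min_copies=2):
    """Compare each FMI record with the copies participants hold of it.

    fmi_records:        {txn_id: record} as stored by the FMI (possibly corrupted)
    participant_copies: {participant: {txn_id: record}} obtained under the
                        data-sharing arrangement
    Returns a dict with three buckets:
      "verified"     txn_id -> record; FMI copy agrees with a strict majority of copies
      "corrupted"    txn_id -> {"fmi_copy", "recovered", "agreeing"}; the
                     majority of participants disagree with the FMI copy
      "unverifiable" [txn_id]; too few copies or no strict majority
    Assumption (not from the guidance): a strict majority of at least min_copies
    independent participant copies is treated as the trustworthy version.
    """
    result = {"verified": {}, "corrupted": {}, "unverifiable": []}
    for txn_id, fmi_record in fmi_records.items():
        copies = [(name, held[txn_id])
                  for name, held in participant_copies.items() if txn_id in held]
        if len(copies) < min_copies:
            result["unverifiable"].append(txn_id)
            continue
        votes = Counter(record_digest(rec) for _, rec in copies)
        majority_digest, count = votes.most_common(1)[0]
        if count * 2 <= len(copies):          # no strict majority: trust nobody
            result["unverifiable"].append(txn_id)
            continue
        agreeing = [name for name, rec in copies if record_digest(rec) == majority_digest]
        if record_digest(fmi_record) == majority_digest:
            result["verified"][txn_id] = fmi_record
        else:
            recovered = participant_copies[agreeing[0]][txn_id]
            result["corrupted"][txn_id] = {
                "fmi_copy": fmi_record, "recovered": recovered, "agreeing": agreeing}
    return result


# Constructed sample data. The FMI's copy of T2 has had its amount altered by a
# factor of ten; T3 is held by only one participant and so cannot be checked.
FMI_LEDGER = {
    "T1": {"from": "BANK-A", "to": "BANK-B", "amount": 1500000, "ccy": "USD"},
    "T2": {"from": "BANK-B", "to": "BANK-C", "amount": 9000000, "ccy": "USD"},
    "T3": {"from": "BANK-C", "to": "BANK-A", "amount": 250000, "ccy": "USD"},
}
PARTICIPANT_COPIES = {
    "BANK-A": {"T1": {"from": "BANK-A", "to": "BANK-B", "amount": 1500000, "ccy": "USD"},
               "T3": {"from": "BANK-C", "to": "BANK-A", "amount": 250000, "ccy": "USD"}},
    "BANK-B": {"T1": {"from": "BANK-A", "to": "BANK-B", "amount": 1500000, "ccy": "USD"},
               "T2": {"from": "BANK-B", "to": "BANK-C", "amount": 900000, "ccy": "USD"}},
    "BANK-C": {"T2": {"from": "BANK-B", "to": "BANK-C", "amount": 900000, "ccy": "USD"}},
}

if __name__ == "__main__":
    outcome = reconcile(FMI_LEDGER, PARTICIPANT_COPIES)
    print("verified:    ", sorted(outcome["verified"]))
    print("unverifiable:", outcome["unverifiable"])
    for txn_id, detail in outcome["corrupted"].items():
        print(f"corrupted:    {txn_id} FMI amount {detail['fmi_copy']['amount']} "
              f"-> recovered {detail['recovered']['amount']} "
              f"(agreed by {', '.join(detail['agreeing'])})")
```

The majority vote is a deliberate simplification: it protects against corruption of the FMI's own store, but an attacker who has compromised several participants could outvote a correct FMI copy. In practice each participant's copy should also carry that participant's digital signature over the canonical record, so that the FMI checks authenticity as well as integrity before it treats a recovered record as the version to resume settlement with.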



Scope of Cyber Resilience Frameworks for FMIs
The strategies and measures of a cyber resilience framework should not be restricted to
securing IT operations alone, but should also cover people and processes. Deploying
the best technology against cyberattacks would be worthless if it is not supported by
robust processes and competent people.

People

Cyber resilience is not just about IT people. Insider threats from rogue or careless
employees could open up avenues for possible cyberattacks. Thus, 'people' should
mean 'everyone' at all staffing levels, including the board of directors and senior
management. The key aspects of cyber resilience frameworks in relation to people
include the following:

• Knowledge and skills: All employees need appropriate skills and knowledge to
understand and manage the risks posed by cyber threats. They must also ensure
that those skills remain current.
• Responsibility: The board of directors and senior management are ultimately
responsible for setting a cyber resilience framework and for overseeing policies,
procedures and controls that support it. Most importantly, they should lead by
example.

Training

All employees should be trained to develop and maintain relevant competencies.

• FMI staff: All relevant staff should receive training to develop and maintain
appropriate awareness of and competencies for detecting and addressing cyber-
related risks. They should also be trained on how to report any unusual activity
and incidents.
• High-risk groups: High-risk groups, such as those with privileged system access
or in sensitive business functions, should be identified and should receive
targeted information security training.



The Role of an FMI’s Board or Equivalent

Specific responsibilities of the board include:

• reviewing and approving the FMI’s cyber resilience framework
• ascertaining that the framework is in line with the board-approved cyber
resilience strategy
• setting the FMI’s tolerance level for cyber risk and ensuring that the FMI operates
within the risk tolerance level

The senior management of an FMI should keep the board informed of any changes in
the FMI’s cyber risk profile, for example, due to changes in its products, services,
policies or practices. The board and senior management of an FMI are jointly
responsible for cultivating a strong level of awareness among staff from all
organisational levels of the importance of maintaining cyber resilience.

Processes

Processes refer to a series of roles, actions, activities, steps taken, as well as
procedures designed to achieve a cyber resilience objective. Processes are key to the
implementation of an effective cyber resilience framework.

Technology

Cyberattacks would not exist in the first place without technology. But technology is also
a fundamental and critical component in managing cyber risks. Effective tools, software
and other technologies to safeguard against cyber risks can and should be deployed as
part of a resilience framework.



Guidance on Cyber Resilience for FMIs
As mentioned at the beginning of this tutorial, to help enhance the cyber resilience of
FMIs, the CPMI and IOSCO published Guidance on cyber resilience for financial market
infrastructures. The guidance:

• is supplemental to the Principles for financial market infrastructures, also
published by the CPMI and IOSCO, regarding cyber resilience
• does not impose any additional standards on FMIs

The guidance outlines five primary risk management categories and three overarching
components that should be addressed across an FMI’s cyber resilience framework.

The risk management categories are governance, identification, protection, detection,
and response and recovery, while the overarching components relate to testing,
situational awareness, and learning and evolving.



Risk Management Categories and Overarching
Components
The risk management categories and overarching components to be addressed across
an FMI’s cyber resilience framework are presented below.

Governance

Establish, implement and review its approach to managing cyber risks

Identification

Identify which of its critical operations and supporting information assets should be, in
order of priority, protected

Protection

Implement appropriate and effective measures to prevent, limit or contain the impact of a
potential cyber event

Detection

Recognise signs of a potential cyber incident, or detect that an actual breach has taken
place

Response and Recovery

Respond to and resume critical operations rapidly, safely and with accurate data in order
to mitigate potential systemic risks



Testing

Test a cyber resilience framework to determine overall effectiveness before deployment

Situational Awareness

Establish a cyber threat intelligence process, involving analysis and information sharing,
to understand the cyber threat environment

Learning and Evolving

Implement an adaptive cyber resilience framework that evolves with the dynamic nature
of cyber risks



Review Question
Classify the following statements relating to cyber resilience as True or False.

• Cyber resilience is all about IT security measures and technology. (True/False)
• A cyber resilience framework should cover people, processes and technology.
(True/False)
• 'People' in the context of FMI cyber resilience refers to the board, senior
management and employees with privileged system access or in sensitive
business functions. (True/False)
• 'Processes' refer to a series of actions, steps taken and procedures to achieve
cyber resilience objectives. (True/False)
• Technology is a fundamental and critical component in managing cyber risks.
(True/False)

The first and third statements are false; the second, fourth and fifth are true. The
concept of cyber resilience covers people and processes on top of technology and is
broader in scope than that of cyber security, which focuses on technology. Moreover,
'people' refers to everyone at all staffing levels in an organisation, not only the
board, senior management and staff in high-risk groups.

