Given the threats, FMIs should enhance their cyber resilience capabilities and manage
their cyber risks within a comprehensive cyber resilience framework. Because banks use
FMIs extensively and are connected to them, they can also be affected by cyberattacks on
that infrastructure; banks and their supervisors must therefore understand the nature of
the cyber risks facing FMIs. Bank supervisors need to work with the relevant authorities in
charge of FMI supervision to address FMI cyber risks.
This tutorial introduces the concept of cyber resilience and the cyber resilience
framework for FMIs based on guidance published by the Committee on Payments and
Market Infrastructures (CPMI) and the International Organization of Securities
Commissions (IOSCO) in June 2016.
The safe and efficient operation of FMIs is essential to maintaining and promoting
financial stability and economic growth. If cyber risks to an FMI are not properly
managed, the FMI may not be able to function as it should and when it should (for
example, as a shock absorber against a default of its participants), or it could become a
major channel through which cyber risks are transmitted across domestic and
international financial markets.
Ultimately, cyber resilient FMIs are central to the overall resilience of the financial
system and the broader economy.
An FMI should put in place a cyber resilience framework that is consistent with its
enterprise operational risk management framework. The framework should be guided by
an FMI’s cyber resilience strategy, consisting of high-level principles and medium-term
plans to achieve its objective of managing cyber risk. The key elements of a sound cyber
resilience framework are outlined below.
Objectives
The framework should aim to maintain and promote an FMI’s ability to anticipate,
withstand, contain and recover from cyberattacks. This is to limit the likelihood and
impact of a successful cyberattack on its operations and the broader financial system.
Content
The framework should clearly articulate how an FMI determines its cyber resilience
objectives and cyber risk tolerance and how it identifies, manages and mitigates its
cyber risk. The framework should also cover communication plans with the relevant
stakeholders so that an FMI can effectively respond to and recover from a cyberattack.
Scope
The framework should not only cover an FMI’s IT systems, but also the relevant people
and processes. For example, limiting physical access can help mitigate cyber risk.
Control Functions
A senior executive with the necessary knowledge and competence should be appointed
to be responsible and accountable for executing the cyber resilience framework. This
person should have sufficient authority, independence, resources and access to the
board. The internal audit and compliance functions of an FMI should assist the board
and senior management in assessing compliance with the framework and the
framework’s effectiveness.
Relevance
An FMI should review and update the framework periodically to ensure it remains
effective in terms of actively mitigating the cyber risk that it bears from and poses to its
participants and other stakeholders. In doing so, the FMI can refer to international,
national and industry standards or guidelines that reflect current best approaches.
The framework should keep pace with the dynamic nature of cyber risk and the rapid
evolution of cyber threats. To achieve this, an FMI should identify and distil key lessons
from past cyber events within and outside its organisation, not only from actual attacks
but also from near misses. It should acquire new knowledge and capabilities to counter
new forms of cyberattacks. It should try to put in place predictive capabilities that can
anticipate future cybersecurity incidents.
Time-critical Transactions
Interconnectedness
People
Cyber resilience is not just about IT people. Insider threats from rogue or careless
employees could open up avenues for possible cyberattacks. Thus, 'people' should
mean 'everyone' at all staffing levels, including the board of directors and senior
management. The key aspects of cyber resilience frameworks in relation to people
include the following:
• Knowledge and skills: All employees need appropriate skills and knowledge to
understand and manage the risks posed by cyber threats. They must also ensure
that those skills remain current.
• Responsibility: The board of directors and senior management are ultimately
responsible for setting a cyber resilience framework and for overseeing policies,
procedures and controls that support it. Most importantly, they should lead by
example.
Training
• FMI staff: All relevant staff should receive training to develop and maintain
appropriate awareness of and competencies for detecting and addressing cyber-
related risks. They should also be trained on how to report any unusual activity
and incidents.
• High-risk groups: High-risk groups, such as those with privileged system access
or in sensitive business functions, should be identified and should receive
targeted information security training.
The senior management of an FMI should keep the board informed of any changes in
the FMI’s cyber risk profile, for example, due to changes in its products, services,
policies or practices. The board and senior management of an FMI are jointly
responsible for cultivating a strong level of awareness among staff from all
organisational levels of the importance of maintaining cyber resilience.
Processes
Technology
Cyberattacks would not exist in the first place without technology. But technology is also
a fundamental and critical component in managing cyber risks. Effective tools, software
and other technologies to safeguard against cyber risks can and should be deployed as
part of a resilience framework.
The guidance outlines five primary risk management categories and three overarching
components that should be addressed across an FMI’s cyber resilience framework.
Governance
Identification
Identify which of its critical operations and supporting information assets should be
protected, in order of priority
Protection
Implement appropriate and effective measures to prevent, limit or contain the impact of a
potential cyber event
Detection
Recognise signs of a potential cyber incident, or detect that an actual breach has taken
place
Response and Recovery
Respond to and resume critical operations rapidly, safely and with accurate data in order
to mitigate potential systemic risks
Situational Awareness
Establish a cyber threat intelligence process, involving analysis and information sharing,
to understand the cyber threat environment
Learning and Evolving
Implement an adaptive cyber resilience framework that evolves with the dynamic nature
of cyber risks
• 'People' in the context of FMI cyber resilience refers to the board, senior
management and employees with privileged system access or in sensitive
business functions. (True/False)
The concept of cyber resilience covers people and processes in addition to technology,
so it is broader in scope than cyber security, which focuses on technology. Moreover,
'people' refers to everyone at all staffing levels in an organisation.