The World Federation of Exchanges ("WFE"), the global industry group for exchanges and CCPs, has today responded to the ECB’s consultation on Cyber Resilience Oversight Expectations (CROE) for Financial Market Infrastructures (FMIs).
The WFE’s response can be broken down into three categories:
1. Governance
The WFE and its members share the views of the ECB on the importance of having effective arrangements in place to establish, implement and review their approach to managing cyber risk. The WFE believes that FMIs should be able to work on their own cyber resilience strategies, in a flexible way, recognising the different scales, business focuses and cultures within each institution.
The role of the board and senior management in the area of cyber resilience has increased, with Chief Information Security Officers (CISOs) now routinely briefing their Boards on recent developments and of the level of preparedness. The WFE’s view differs to the ECB’s on the topics of formal Cyber Code of Conduct, however, and suggests that cyber should instead be included in the overall FMI’s Code of Conduct.
2. Identification
The industry agrees that identification is a key component of cyber preparedness, resilience and recovery. Indeed, WFE members regularly review, identify and update processes and business functions to ensure they are aware of, and tackling any new risks, and monitoring existing ones. The industry believes that identification efforts should be focused on identifying threat actors and categories, tools, and methods, so defences may be properly positioned and tested.
Focusing on protection is clearly very important, however, the WFE advocates against an overly prescriptive, or one-size-fits-all approach, which it believes is not likely to be successful, particularly as not all FMIs are at the same stage of development. Risk tolerance, threat landscape and systemic roles can vary.
The WFE believes that people management is the key to security analytics, and posits that focusing on behavioural monitoring is critical. It is often ‘insider threats’ from staff members that result in cyber destruction or destabilisation. Indeed, in January 2018, the WFE published a set of best practice guidelines for market infrastructures designed to engender a staff culture of cyber security compliance.
3. Detection
The WFE acknowledges the need for strong controls and standards, and further supports the ECB’s perspective that these controls and standards should be proportionate and consistent to the FMI’s relative size, systemic importance, risk tolerance and specific needs.
FMIs’ response and recovery strategies are designed to ensure that critical systems resume full operation as soon as possible and without compromising the orderliness of the market; however. conditions will vary from incident to incident and from FMI to FMI. For this reason, the WFE advocates that resumption of operations within two hours is inappropriate.
The emphasis on information sharing and collaboration is appropriate. In practice, global industry groups are already active, such as the WFE’s GLEX, groups who are already working to connect key individuals at each organisation to ensure there is a continuous and real-time dialogue and knowledge sharing on risks and issues that are specific to FMIs.
Nandini Sukumar, CEO, WFE said: “The WFE and its members are committed to ensuring the trading and clearing environments they operate are secure, stable and designed to withstand shocks. Our response to the ECB today reiterates the WFE’s position on the issue of cyber resilience - one of our strategic priorities for 2018 - and therefore we applaud international initiatives to assist FMIs in their efforts towards cyber preparedness.”
Richard Metcalfe, Head of Regulatory Affairs, WFE added: “This response highlights the practical, proactive steps that the industry is taking. Cyber security continues to be a priority for exchange groups globally and is rightly attracting attention at the international level. While there are clear operational challenges of staying one step ahead, the industry and regulators are working hard to satisfy the shared objectives of ensuring the safety and soundness of the global financial system, which is critical to enhancing investor and consumer confidence."