Implementation monitoring of the PFMI: Level 3 assessment on Financial Market Infrastructures' Cyber Resilience

The Bank for International Settlements' Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) continue to closely monitor the implementation of the Principles for financial market infrastructures (PFMI).

This CPMI-IOSCO report reviews the state of cyber resilience (as of February 2021) at a sample of 37 financial market infrastructures (FMIs) from 29 jurisdictions. The report finds a reasonably high adoption of the June 2016 CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures by FMIs. However, it identifies one serious issue of concern relating to a small number of FMIs not fully meeting expectations regarding the development of cyber response and recovery plans to meet the two-hour recovery time objective (2hRTO).

The report also highlights four additional issues of concern among some of the assessed FMIs that relate to: (i) shortcomings in established response and recovery plans to meet the 2hRTO under extreme cyber-attack scenarios; (ii) a lack of cyber resilience testing after a significant system change; (iii) a lack of comprehensive scenario-based testing; and (iv) inadequate involvement of relevant stakeholders in testing of their responses.

Collectively, these findings highlight clear challenges for FMIs' cyber resilience that should be addressed with the highest priority.