Cyber resilience in financial market infrastructures

Statement by CPMI Chair Benoît Cœuré

Cyber-related incidents have become more frequent in the last few years, affecting all areas of the economy, with the financial sector being no exception. Cyber threats are increasingly complex and rapidly evolving, with diverse origins and motivations.

Today, the Committee on Payments and Market Infrastructures (CPMI) has issued the report Cyber resilience in financial market infrastructures, which examines some of the evolving practices and concepts that financial market infrastructures (FMIs) are considering and applying in their approaches to enhance cyber resilience.

The report notes that cyber resilience is increasingly becoming a top priority within FMIs, although the CPMI's analysis, which was supported by industry interviews, shows that there are differences as to the form and maturity of FMIs' approaches to cyber resilience.

Those approaches frequently attempt to combine different factors, such as people, technology, processes and communication. Furthermore, a variety of preventive, detective and recovery measures may be deployed to cope with different forms of threats, ranging from threats to confidentiality and availability of services to integrity of data.

The report has found that extreme events may challenge the ability of FMIs to recover within two hours following the detection of a cyber attack and to complete settlement by the end of the day of the disruption (a key element of the operational risk management requirements laid out in the CPMI-IOSCO Principles for Financial Market Infrastructures).

The report concludes that one of the distinctive features of FMIs is their interconnectedness. Disruptions in one FMI may spread to a multitude of other connected entities. Furthermore, cyber threats tend to be cross-jurisdictional in nature, posing challenges for risk mitigation efforts conducted solely at national or single-institution level. These inherent interdependences across industry participants and jurisdictions underline the necessity for cooperation and communication between FMIs, central banks and other regulators on cyber resilience matters.

Cyber security is a topic of critical importance at the global level for FMIs and the broader financial sector. The CPMI is ready to cooperate with other standard setters and international bodies to further analyse critical cyber resilience-related issues for authorities and FMIs as well as to further explore the financial stability implications of cyber attacks.

Notes to editors

The CPMI promotes the safety and efficiency of payment, clearing, settlement and related arrangements, thereby supporting financial stability and the wider economy. The CPMI monitors and analyses developments in these arrangements, both within and across jurisdictions. It also serves as a forum for central bank cooperation in related oversight, policy and operational matters, including the provision of central bank services. The CPMI is a global standard setter in this area. It aims to strengthen regulation, policy and practices regarding such arrangements worldwide. The CPMI secretariat is hosted by the BIS. More information about the CPMI, and all its publications, can be found on the BIS website.

The report Cyber resilience in financial market infrastructures was prepared for the CPMI by a working group consisting of representatives of central banks that are CPMI members plus representatives of the Basel Committee on Banking Supervision, the International Organization of Securities Commissions (IOSCO), the G10 Group of Computer Experts and its Working Party on Security Issues. The working group was chaired by Coen Voormeulen of the Netherlands Bank.