The Bank for International Settlements' Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have jointly published an assessment of financial market infrastructures' (FMIs) cyber resilience.
The report, ‘Implementation monitoring of the PFMI: Level 3 assessment on Financial Market Infrastructures' Cyber Resilience’, presents the results of an assessment of the state of cyber resilience at 37 FMIs from 29 jurisdictions.
The report finds one 'serious issue of concern' and four 'issues of concern'.
The serious issue of concern relates to a small number of FMIs which have not yet developed their cyber response and recovery plans to meet the established two-hour RTO target.
The four issues of concern among some of the assessed FMIs were:
- Shortcomings in established response and recovery plans for meeting the two-hour RTO target;
- A lack of cyber resilience testing (e.g. integrity of backup data, vulnerability assessments or penetration testing) after a significant system change;
- A lack of comprehensive scenario-based testing;
- Inadequate involvement of relevant stakeholders (e.g. FMI participants, critical service providers or linked FMIs) in testing of their responses.
Considering their aggregate impact, these issues of concern seem to pose clear challenges for FMIs' cyber resilience. The CPMI and IOSCO urge the relevant FMIs and their supervisors to address these issues 'with the highest priority'.