Shearman & Sterling LLP | FinReg | European Central Bank Consults on Cyber Resilience Oversight Expectations for Eurozone Financial Market Infrastructures
Financial Regulatory Developments Focus
  • European Central Bank Consults on Cyber Resilience Oversight Expectations for Eurozone Financial Market Infrastructures

    The European Central Bank has launched a consultation on draft "cyber resilience oversight expectations" (CROE) for financial market infrastructures (FMIs).

    The CROE take as their basis the Guidance on Cyber Resilience for Financial Market Infrastructures published jointly in June 2016 by the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO). FMIs were expected to implement that Guidance immediately; it supplements the Principles for Financial Market Infrastructures (PFMI) published in 2012 by IOSCO and the Committee on Payment and Settlement Systems (the predecessor of the CPMI). The PFMI were adopted by the Governing Council of the ECB in June 2013. In developing the CROE, the ECB also took into account existing international guidance documents, in particular the Cybersecurity Framework published by the U.S. National Institute of Standards and Technology, the ISO/IEC 27002 code of practice for information security controls, the COBIT 5 framework for the governance and management of enterprise IT, the Information Security Forum's Standard of Good Practice for Information Security and the U.S. Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool.

    The Guidance does not add new standards beyond the PFMI. Instead, it provides supplementary detail on how FMIs should enhance their cyber resilience capabilities in connection with Principle 2 (governance), Principle 3 (framework for the comprehensive management of risks), Principle 8 (settlement finality), Principle 17 (operational risk) and Principle 20 (FMI links) of the PFMI. That supplementary detail reflects the fact that, while cyber risk is a form of operational risk, it has particular characteristics (for example, the speed at which an attack can propagate, the difficulty of detecting a compromise and the possibility that recovery from backups restores already-corrupted data) that can present challenges to a traditional operational risk framework. The Guidance accordingly sets out cyber-specific expectations for five primary risk management categories and for three overarching components that should be addressed across an FMI's cyber resilience framework. The five primary risk management categories are: governance; identification; protection; detection; and response and recovery. The three overarching components are: testing; situational awareness; and learning and evolving.

    The ECB has developed the CROE for three key purposes: (i) to provide those responsible for FMI oversight with clear expectations against which to assess and determine the cyber resilience maturity levels of the FMIs they supervise; (ii) to provide FMIs with detailed steps on how to operationalize the Guidance, so that they are able to foster improvements and enhance their cyber resilience over a sustained period of time; and (iii) to provide the basis for a meaningful discussion between FMIs and their respective supervisors. The CROE set out a maturity model that gives supervisors and FMIs a benchmark against which they can evaluate an FMI's current level of cyber resilience, measure its progression and establish priority areas for improvement. Three levels of maturity are included, namely baseline, intermediate and advanced. Whichever level an FMI falls into, it should engage in ongoing efforts to adapt, evolve and improve its cyber resilience maturity.

    The CROE follow the Guidance in defining FMIs as systemically important payment systems, central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs) and trade repositories. The ECB intends that the CROE will be applied by the Eurosystem in its oversight of all payment systems and also of T2S, the European platform for securities settlement in central bank money. The ECB notes, however, that the central banks and national regulators responsible for the oversight of clearing and settlement systems (SSSs, CSDs and CCPs) in the Eurozone may also opt to use the CROE for those FMIs. The ECB also states that, given the interconnectedness of FMIs within the financial system, FMIs should actively reach out to their participants and other relevant stakeholders to promote understanding and support of cyber resilience objectives and their implementation.

    Responses to the consultation are requested, using the comments template provided, by June 5, 2018.

    View the consultation paper.

    View the press release and comments template.

    View the CPMI-IOSCO Guidance on cyber resilience for FMIs.

    View the Principles for Financial Market Infrastructures.