Cyber resilience and financial market infrastructures
Cyberattacks on financial market infrastructures (FMIs) have the potential to impact the entire financial ecosystem. This is because FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or, given the high level of interconnectivity, a major channel through which these shocks can be transmitted across domestic and international markets, putting financial stability at risk.
The threat of cyberattacks is further accentuated by their dynamic, evolving nature and because they are borderless. It is therefore essential that financial institutions and FMIs have an adequate level of cyber resilience to ensure their own safety as well as that of the entire ecosystem.
What's the ECB's role?
The ECB is responsible for overseeing a number of systemically important payment systems (SIPS) operating in the euro area. As these systems clear and settle payments across Europe, they are fundamental to the smooth functioning of the financial markets in the euro area.
As an overseer, the ECB needs to ensure that not only the individual SIPS have a strong level of cyber resilience, but the financial ecosystem as a whole is resilient against cyber threats.
What is being done at the international and European levels?
A significant amount of work has been undertaken internationally with regard to cyber risk and FMIs. In June 2016, the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures was published, providing FMIs with guidance on how to establish and operationalise a cyber resilience framework.
At the G7 level, the G7 Cyber Expert Group (G7 CEG) – of which the ECB is a member – is actively focusing on cybersecurity risks for the financial sector. Established in November 2015, the G7 CEG aims to identify and develop fundamental elements of cybersecurity in order to help financial entities address the risk of cyberattacks. The G7 CEG has published the following fundamental elements, representing a major step forward in this field:
- 13 October 2022
- 13 October 2022
- 1 November 2020
- 24 October 2018
- 24 October 2018
- 26 October 2017
- 11 October 2016
In terms of legislation, the European Commission adopted the Directive on security of network and information systems (NIS Directive) in July 2016, which contains legal measures and incentives aimed at making the EU's online environment secure by strengthening preparedness, cross-border cooperation, cyber incident reporting and information exchange.
These initiatives all provide the basis for our work at the ECB and across the Eurosystem.
Eurosystem cyber resilience strategy for FMIs
In March 2017 the Governing Council approved the “Eurosystem cyber resilience strategy for FMIs”. The objective of this strategy is to improve the cyber resilience of the euro area financial sector as a whole by enhancing the “cyber readiness” of individual FMIs that are overseen by the Eurosystem central banks, and to foster collaboration among FMIs, their critical service suppliers and the authorities. Specifically, the strategy aims to put the CPMI-IOSCO guidance into practice and comprises three pillars.
- FMI readiness: Work with FMIs to enhance their cyber resilience, with a view to ensuring their safety and soundness in the face of increasingly sophisticated threats.
- Sector resilience: Enhance the overall cyber resilience of Europe’s financial sector through cross-border/cross-authority collaboration, information sharing and business continuity exercises.
- Strategic regulator-industry engagement: Develop a joint strategic and Board-level pan-European regulator-industry forum, with a view to establishing trust and collaboration among participants, catalysing joint initiatives for enhancing sector capabilities, and increasing cyber awareness.
Pillar 1 - FMI readiness
The evolving nature of cyberattacks makes it necessary to ensure that payment systems strengthen their individual level of cyber maturity.
Pillar 1 aims to ensure that the CPMI-IOSCO guidance is put into practice in a consistent manner, by implementing a harmonised approach to assessing payment systems in the euro area against the guidance. In addition, the Eurosystem is developing a range of tools that can be used by FMIs to enhance their cyber resilience.
One of these tools is a European red team testing framework, which gives guidance on how to carry out “friendly attacks” that mimic the tactics, techniques and procedures of real attackers, based on bespoke threat intelligence. These friendly attacks target the processes, technologies and staff of an FMI, without prior warning, in order to test its protection, detection and response capabilities.
Overseers will also use other tools, such as cyber surveys and focused assessments, to assess the level of cyber maturity of Eurosystem payment systems and to develop cyber resilience oversight expectations to provide more detailed guidance to payment system operators.
Pillar 2 - Sector resilience
Given the high degree of interconnectedness in the ecosystem, an FMI depends not only on its own readiness, but also on that of its participants, service providers and interconnected FMIs. Subsequently, it is essential that there is a high level of cyber resilience across the ecosystem as a whole.
Pillar 2 focuses on strengthening the sector’s cyber resilience, by understanding the operational interdependencies through sector mapping, fostering cross-border and cross-authority collaboration, establishing effective information-sharing and implementing market-wide business continuity exercises.
Pillar 3 - Strategic regulator-industry engagement
To address the growing threat of cyber risk, it is imperative to ensure collaboration among all relevant participants, both regulators and market participants, in a trusted environment.
Pillar 3 aims to ensure regular pan-European cyber forums take place with Board-level participation by regulators and market participants. In this vein, the Euro Cyber Resilience Board for Pan-European Financial Infrastructures has been established. The group’s first meeting was held on 9 March 2018.