Safeguarding Europe’s financial markets
As technological advances continue to reshape the financial ecosystem, cyber threats become ever more sophisticated. Conventional controls alone cannot counter them: each attack is different, and it affects not only the information technology an entity operates but also its people and processes. In the case of financial market infrastructures (FMIs) in particular, a successful cyberattack could destabilise markets and disrupt the broader economy.
Public authorities have recognised these new challenges facing the financial ecosystem and have come together to strategically align their efforts on cyber resilience at global level. In June 2016, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) published the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures. The Guidance offers recommendations on measures that FMIs should take to anticipate, withstand, contain and rapidly recover from cyberattacks.
One month later, the European Parliament and the Council adopted the Directive on security of network and information systems (NIS Directive), the first EU-wide piece of legislation on cyber security, which applies to all European Union (EU) Member States.
In October 2016, the G7 Cyber Expert Group published the Fundamental Elements of Cybersecurity for the Financial Sector, endorsed by the G7 finance ministers and central bank governors. A companion report, the Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector, was adopted by the same group in October 2017 on the margins of the International Monetary Fund's annual meeting in Washington.
In parallel to these initiatives, the European Central Bank (ECB) has led the development of a common action plan for the European financial sector. The goal is to improve cyber resilience and avoid different standards being developed at national level, which would make the regulatory landscape more fragmented and more complex to navigate. In that context, in 2017 the Governing Council of the ECB approved the Eurosystem Cyber Resilience Strategy for FMIs. The strategy is based on three pillars: FMI readiness, sector resilience and strategic regulatory-industry engagement.
To assess whether FMIs are sufficiently prepared to cope with cyberattacks, the Eurosystem conducted a cyber survey in 2017-18 covering some 80 FMIs in the EU. The results showed that many respondents need to improve their approach to cyber governance, training and incident management. To ensure that FMIs discuss these issues with their respective overseers and adopt the relevant good practices, the ECB has developed the Cyber Resilience Oversight Expectations (CROE). The CROE operationalises the CPMI-IOSCO Guidance through a maturity model that gives overseers a benchmark for evaluating each FMI's current level of cyber resilience, measuring progress and setting priority areas for improvement. It describes and explains five primary risk management categories (governance, identification, protection, detection, and response and recovery) and three overarching components (testing, situational awareness, and learning and evolving), all in line with the CPMI-IOSCO Guidance. In April 2018 the ECB opened an eight-week public consultation on the CROE, inviting FMIs and other interested parties to comment and request clarifications; the results will be published in September.
In addition, the ECB has developed a European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) to complement the survey and the CROE. A Red Team test simulates an attempt to compromise an entity by mimicking the tactics, techniques and procedures of real-life adversaries. TIBER-EU targets the people, processes and technologies of an entity, guided by reliable and bespoke threat intelligence. Given the inherent risks of testing live production systems, TIBER-EU places a high priority on clearly defining the scope of each test and on robust risk management controls throughout the test life cycle, so that the process remains under control at all times. The test is conducted without the foreknowledge of the entity's defenders, challenging the FMI to demonstrate its capability to detect and respond to a real-looking attack. Specifically, each FMI establishes a small White Team that knows about the test and manages it end to end. The Blue Team, the FMI's defensive staff, is not told that the activity is a test and must recognise the threat and react rapidly and effectively to protect the FMI. Once the Red Team testing is complete, the test is disclosed to all parties, who review the outcome together and agree on improvements to the tested FMI's cyber resilience.
The implementation of TIBER-EU is a multi-stakeholder endeavour, predicated on the need for cooperation. The framework, inspired by similar initiatives in the UK (CBEST) and Netherlands (TIBER-NL), is designed to be adopted on a voluntary basis by central banks, supervisory authorities, intelligence agencies and relevant ministries in any jurisdiction. TIBER-EU is applicable EU-wide and can support cross-border testing for any type of entity, at national or pan-European level. The ECB is looking to make the most of the framework’s functionalities by establishing a centralised TIBER-EU Knowledge Centre (TKC) that will facilitate collaboration among authorities.
Multilateral projects like the CROE and TIBER-EU aim to improve information sharing and reduce regulatory burden on financial entities by harmonising cyber resilience processes across the European Union.
The second pillar aims to enhance the resilience of the European financial sector as a whole, and the ECB is focusing on a number of areas to achieve this objective. The cyber resilience of an FMI depends not only on its own readiness but also on that of its participants, service providers and interconnected FMIs. To strengthen the sector's cyber resilience, these operational interdependencies need to be understood. This is done by mapping them, fostering cross-border and cross-authority collaboration, establishing effective information sharing and running market-wide business continuity exercises.
The ECB is currently developing an analytical framework for sector mapping to deepen its knowledge of cross-market dependencies. The aim is to produce a number of sector and network maps that show which entities and service providers others depend on, so that key risk areas can be identified, crisis communication procedures improved and information sharing enhanced.
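One way to make such a dependency map actionable is to treat it as a directed graph and ask, for every node, which FMIs and participants would be affected if that node were disrupted. The Python below is an added illustration of that idea and is not the ECB's framework or any real sector data: the entity names, the edges and the ranking rule are constructed here purely for demonstration.

```python
"""Toy sector-dependency map: rank nodes by how many others they would drag down.

Edges are (dependent, provider) pairs meaning "dependent cannot operate
without provider". All names and edges are constructed for this example.
"""
from collections import defaultdict, deque

# Constructed sample. Real maps would come from oversight questionnaires and
# outsourcing registers; these names are hypothetical.
EDGES = [
    ("Bank-1", "CCP-1"),
    ("Bank-2", "CCP-1"),
    ("Bank-2", "CCP-2"),
    ("CCP-1", "CSD-A"),
    ("CCP-2", "CSD-A"),
    ("CCP-1", "PaySys-X"),
    ("CCP-2", "PaySys-X"),
    ("CSD-A", "PaySys-X"),
    ("PaySys-X", "Net-N"),   # shared network provider
    ("CCP-1", "DC-D"),       # shared data centre
    ("CSD-A", "DC-D"),
]


def build_reverse_graph(edges):
    """Map each provider to the set of nodes that depend on it directly."""
    dependents_of = defaultdict(set)
    for dependent, provider in edges:
        dependents_of[provider].add(dependent)
        dependents_of.setdefault(dependent, set())  # ensure every node exists
    return dependents_of


def downstream_impact(dependents_of, node):
    """All nodes that transitively depend on `node` (breadth-first walk)."""
    affected, queue = set(), deque([node])
    while queue:
        current = queue.popleft()
        for dep in dependents_of.get(current, ()):
            if dep not in affected:
                affected.add(dep)
                queue.append(dep)
    return affected


def rank_by_impact(edges):
    """Return (node, number_affected) sorted from most to least critical."""
    dependents_of = build_reverse_graph(edges)
    ranked = [(n, len(downstream_impact(dependents_of, n))) for n in dependents_of]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def external_providers(edges):
    """Nodes that depend on nothing themselves, i.e. pure service providers.

    These are typically outside the FMI oversight perimeter, so a large
    downstream impact here is a concentration risk worth flagging.
    """
    dependents = {d for d, _ in edges}
    providers = {p for _, p in edges}
    return sorted(providers - dependents)


if __name__ == "__main__":
    for node, count in rank_by_impact(EDGES):
        print(f"{node:10s} would affect {count} other node(s)")
    print("external providers:", external_providers(EDGES))
```

Running the block ranks the shared network provider first, ahead of the payment system it serves, which is exactly the kind of finding a sector map is meant to surface: the most systemically important node is not itself an FMI.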
Cross-border and cross-authority collaboration needs to be encouraged in order to avoid different levels of cyber resilience maturity within the financial sector, as well as to ensure that authorities adopt similar approaches and focus on similar priorities. It is vital that the appropriate authorities at both European and national level cooperate on cyber resilience matters, so as to avoid the risk of fragmentation. This is particularly important because different authorities have their own separate mandates for the various types of FMIs.
Another key component of sector-wide cyber resilience is the efficient sharing of threat information among market participants, between participants and regulators, and among regulators. There needs to be a strategy for overcoming the current fragmentation of the European information-sharing landscape, as well as a willingness to move beyond after-the-fact incident reporting towards sharing operational, tactical and strategic threat intelligence before an incident occurs. The Eurosystem is currently exploring information-sharing arrangements, with a view to streamlining procedures for the benefit of all stakeholders.
Currently, much of the focus is on protecting against and detecting cyberattacks. However, the cornerstone of effective resilience is to assume that an attack will eventually get through. All infrastructures must be in a position not only to withstand such threats but also to respond appropriately and recover in a safe and efficient manner. Market-wide exercises and cyber simulations are crucial for enhancing FMI readiness. A milestone was reached in 2015 when, for the first time, a crisis communication exercise (TITUS) was carried out by FMIs in the euro area. Holding such exercises regularly and more consistently will help FMIs build up expertise in handling potential threat situations.
The third pillar of the strategy focuses on building a public-private forum for all relevant stakeholders. To this end, the ECB launched its Euro Cyber Resilience Board (ECRB) for pan-European Financial Infrastructures, which held its inaugural meeting in March 2018. The Board is chaired by Benoît Cœuré, member of the Executive Board of the ECB. It brings together high-level FMI representatives, service providers and competent authorities, who will focus on raising awareness of common cyber challenges, fostering a spirit of trust and collaboration, and acting as a catalyst for joint initiatives.
In the digital age, FMIs should regard a cyber incident as a matter of when, not if. While the motives behind an attack may differ, the overall impact can be a systemic disruption. In Europe, the authorities are recalibrating their approach to risk management by keeping a sharp focus on cyber resilience. Initiatives such as TIBER-EU and the CROE are designed to reinforce the cyber resilience of Europe's FMIs, so that they can withstand cyber incidents and continue operating smoothly and efficiently.