MIP OnLine - 2018

Safeguarding Europe’s financial markets

May 2018

As technological advances continue to reshape the financial ecosystem, cyber threats become ever more sophisticated. They cannot be countered by using conventional methods because each attack is unique, affecting not only the operational side of information technology but also people and processes. Particularly in the case of financial market infrastructures (FMIs), cyberattacks could end up destabilising markets and disrupting the broader economy.

Public authorities have recognised these new challenges facing the financial ecosystem and have come together to strategically align their efforts on cyber resilience at global level. In June 2016, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) published the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures. The Guidance offers recommendations on measures that FMIs should take to anticipate, withstand, contain and rapidly recover from cyberattacks.

One month later, the European Commission adopted the Directive on security of network and information systems (NIS Directive). The Directive is the first piece of legislation on cyber security applied to all European Union (EU) Member States.

In October 2016, the G7 Cyber Expert Group published a report on the Fundamental Elements of Cybersecurity for the Financial Sector. The report was adopted by the G7 finance ministers and central bank governors in October 2017 on the margins of the International Monetary Fund’s annual meeting in Washington.

In parallel to these initiatives, the European Central Bank (ECB) has led the development of a common action plan for the European financial sector. The goal is to improve cyber resilience and avoid different standards being developed at national level, which would make the regulatory landscape more fragmented and more complex to navigate. In that context, in 2017 the Governing Council of the ECB approved the Eurosystem Cyber Resilience Strategy for FMIs. The strategy is based on three pillars: FMI readiness, sector resilience and strategic regulatory-industry engagement.

1. FMI readiness
2. Sector resilience
3. Strategic regulatory-industry engagement

In the digital age, FMIs should regard a cyber incident as a matter of when, and not if. While the reasons for an attack may differ, the overall impact can cause a systemic disruption. In Europe, the authorities are recalibrating their approach to risk management by keeping a sharp focus on cyber resilience. The development and implementation of initiatives such as TIBER-EU and the CROE are designed to reinforce the cyber resilience of Europe’s FMIs, so that the latter can withstand cyber incidents and continue operating smoothly and efficiently.