Cybersecurity - New standards for market infrastructure

15 January 2016

Efforts are underway in Europe and the U.S. to strengthen industry protections against attacks on computer systems. Regulators in both regions are developing new standards for exchanges and clearinghouses, which are seen as critical to the operational security of financial markets.  

Meanwhile, at the international level, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions published a joint consultative report on "cyber resilience for financial market infrastructures." The report seeks public feedback on a set of proposed guidelines for financial market infrastructures to enhance their cyber resilience. The guidance covers five primary risk management categories: governance; identification; protection; detection; and response and recovery.  

Greg Medcraft, the chairman of IOSCO, commented that the development of this guidance reflects "an urgency" among regulators to address the increasing risks that cyber threats pose to financial stability. "Cyber resilience cannot be achieved by individual institutions alone in our highly interconnected financial sector. The broader ecosystem needs to work in unison," Medcraft said. "We hope to collaborate with all stakeholders to meaningfully enhance the cyber resilience of our financial system as we refine these proposals and later implement them."

In Europe, the European Parliament and Council Presidency reached an informal agreement on the Network and Information Security Directive at the beginning of December. The new directive, which has been in discussion for nearly three years, will require operators of essential services in the banking, financial markets (trading venues and central counterparties), energy, transport, healthcare, water supply and digital infrastructure sectors to take appropriate security measures and to notify serious incidents to the relevant national authorities.  

Additionally, each Member State will have to designate one or more national authorities to deal with cyber matters, set out a national cybersecurity strategy, and cooperate with other EU countries. Once the agreement has been officially approved by the Council and the Parliament, Member States will have 21 months to adopt the necessary national provisions and a further six months to identify their essential services operators.

In the U.S., the Commodity Futures Trading Commission is taking the lead in setting standards for financial market infrastructures. On Dec. 16, the CFTC issued proposed rules establishing cybersecurity testing and system safeguard requirements for market infrastructure providers such as exchanges, clearinghouses and swap data repositories. The CFTC also issued an advanced rulemaking to determine how certain aspects of the cybersecurity proposals should apply to swap execution facilities.

The proposals call for cybersecurity testing in several areas. These include vulnerability testing conducted at least quarterly, internal and external penetration testing, security incident response plan testing, enterprise technology risk assessments conducted at least annually, and controls testing at least once every two years. Controls testing is expected to be the most challenging, as most organizations do not have formal controls testing in place, according to PricewaterhouseCoopers.

"The proposed rule that we are issuing today is an important step toward enhancing the protections in our markets," said CFTC Chairman Tim Massad. "It builds on our core principles, which already require clearinghouses to focus on system safeguards, by setting standards consistent with best practices. It requires robust testing of cyber protections, setting forth the types of testing that must be conducted, the frequency of testing and whether tests should be conducted by independent parties. In addition, it enhances standards for incident response planning and enterprise technology risk assessments," he said.
