Cyber security has become indispensable for all business activities these days, and financial market infrastructures (FMIs) are no different in this regard. An FMI is defined as a multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling, or recording payments, securities, derivatives, or other financial transactions. FMIs play a critical role in the financial system and the broader economy and contribute to maintaining and promoting financial stability and economic growth. At the same time, FMIs also concentrate risk and, if not properly managed, can be sources of financial shocks or a major channel through which these shocks are transmitted across financial markets.
Therefore, it is imperative that the cyber security of financial market infrastructures (FMIs) be ensured by all stakeholders, including the Indian government, the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI). Recently, the RBI prescribed a cyber security framework for banks in India that has to be implemented by 30-09-2016. However, the RBI is well known for its lax implementation of cyber security related issues in India, and this deadline could prove to be just another paper deadline. Similarly, the SEBI has expanded the ambit of its Technical Advisory Committee (TAC) to include cyber security of the markets. The Indian government is also working in the direction of ensuring cyber security in India, but its efforts are too slow and too late in this regard.
In the latest international development in this regard, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). This builds on an earlier version of the report that underwent a three-month public consultation.
The safe and efficient operation of FMIs is essential to maintaining and promoting financial stability and economic growth. The Cyber Guidance aims to add momentum to and instil international consistency in the industry’s ongoing efforts to enhance its cyber resilience. This includes the ability of FMIs to pre-empt cyber attacks, respond rapidly and effectively to them, and achieve faster and safer target recovery objectives if the attacks succeed. In addition, the Cyber Guidance provides authorities with a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs in the area of cyber risk.
At its core, the Cyber Guidance requires FMIs to instil a culture of cyber risk awareness and to demonstrate ongoing re-evaluation and improvement of their cyber resilience posture at every level within the organisation. Furthermore, while the guidance is directly aimed at FMIs, it is important for them to take on an active role in reaching out to their participants and other relevant stakeholders to promote understanding and support of resilience objectives and their implementation. Effective solutions may require collaboration between FMIs and their stakeholders as they seek to strengthen their own cyber resilience.
The Cyber Guidance does not establish additional standards for FMIs beyond those already set out in the Principles for Financial Market Infrastructures (PFMI). Instead, the document is intended to be supplemental to the PFMI, primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17) and FMI links (Principle 20).