What new expectations for FMIs mean for the banking sector
The European Central Bank’s (ECB) recent consultation on its Cyber Resilience Oversight Expectations (CROE) for Financial Market Infrastructures (FMIs) and the release of its framework for an EU-wide Threat Intelligence-based Ethical Red Teaming exercise (TIBER-EU) follow a significant amount of work by the ECB in the last four years to scale up its involvement in the supervision of cyber resilience for both FMIs and banks.
While these new expectations are of most immediate significance to FMIs, the ECB’s approach in the CROE should be read carefully by the banking sector as an indication of what might be coming its way from the ECB and other authorities.
The ECB, through its banking oversight arm, the Single Supervisory Mechanism (SSM), is currently pursuing a parallel workstream to develop supervisory expectations for the cyber resilience of large Eurozone banks. These expectations will have to address a number of challenging issues, including questions about the governance of cyber risk, the expected speed of recovery from cyber breaches and the information that supervisors expect firms to share with the rest of the market. In clarifying its position on these issues for FMIs, the CROE can be seen as a leading indicator of what may be already in the pipeline for many banks.
A cyber maturity-based approach for FMIs
As we noted in our recent Point of View ‘Cyber Risk and Regulation in Europe’, financial authorities face a number of critical challenges in designing a regulatory framework for cyber risk. The most notable of these is how best to ensure that the standards they set actually encourage firms to be more ambitious in managing cyber risks as the technology giving rise to them evolves. Authorities are keen to avoid any regulatory framework becoming a costly ‘checklist’ exercise in compliance that doesn’t adapt to new challenges as they become known.
In responding to this challenge, the ECB has been careful not to articulate a single set of standards for the cyber resilience of FMIs. It bases most of its expectations on the guidance issued in 2016 by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) on cyber resilience standards for FMIs. But, going a step further than the CPMI-IOSCO guidance, the ECB structures its expectations around three levels of ‘cyber maturity’ that FMIs can demonstrate across a number of capabilities. These are:
- Baseline maturity: a set of characteristics and actions that all FMIs are expected to exhibit or undertake. Prominently Important Retail Payment Systems (PIRPS) and Other Retail Payment Systems (ORPS) at this level are expected by the ECB to take active steps to meet Intermediate level expectations.
- Intermediate maturity: an enhanced set of expectations that Systemically Important Payment Systems (SIPS) and the ECB’s TARGET2-Securities system are meant to meet from the outset.
- Advanced maturity: a best-practice set of expectations that FMIs initially at the Intermediate maturity level are expected to take active steps to meet over time.
For FMIs over which the ECB does not exercise direct oversight – including Central Counterparties (CCPs) and Central Securities Depositories (CSDs) – the level of maturity expected for each firm remains at the discretion of national authorities, although the ECB encourages them to use the framework.
By describing detailed characteristics of the three levels of cyber maturity across eight capability areas, the ECB’s CROE consultation represents one of the most developed supervisory frameworks for cyber resilience that we have seen published thus far. Structuring this framework around the three levels of maturity (and making clear that it expects institutions at one level to progress gradually towards the next) has the potential to allow the ECB to exert supervisory pressure much more flexibly and to encourage FMIs to continually improve their level of cyber resilience and their preparedness for disruptions caused by cyber attacks.
At the Advanced maturity level in particular, a notable emphasis is placed on the responsibility of FMIs not only to safeguard their own cyber security, but also to assess and take actions to support the cyber integrity of their key stakeholders and the market as a whole. This effectively establishes a tier of supervisory expectations where compliance is both subjective and very much a moving target. It also highlights where the appetite of authorities for the sector to ‘do more’ on cyber resilience may go above and beyond what firms would seek to do themselves.
What is significant in the ECB’s CROE approach?
The ECB’s CROE builds on the CPMI-IOSCO 2016 guidance but develops it into a far more comprehensive supervisory framework by adding a level of detail that will give firms a much better picture of the expectations they are due to face. In doing this, the ECB touches on many of the key questions whose resolution we see as critical in determining how banking regulators deal with cyber risk in their upcoming work. In particular, the CROE stakes out a number of important positions that have the potential to challenge FMIs and can be read across to banks in the following areas:
- Governance and accountability: introduces clear Board-level responsibilities for cyber risk, including appointing a Board-level cyber expert at the Advanced level. As a Baseline requirement, all FMIs must also identify a ‘Senior Executive’ responsible for cyber risk and implement a number of safeguards around the role (e.g. independence from the IT function). We consider it very likely that this governance requirement will soon be applied by the ECB to those banks directly supervised by the SSM. This scope would be similar to the one set by UK regulators in 2016 when they created a Senior Management Function with general responsibility for operational resilience and cyber risk.
- Third party risk management: requires FMIs to monitor cyber risks arising from third party partners, detect threats and prevent cyber breaches from migrating to their systems. For instance, at the Intermediate level, FMIs are expected to put in place procedures to block third party connections in the event of a cyber attack on the third party that risks contagion. They are also expected to obtain assurance around the third party service provider’s cyber resilience capabilities.
- Incident recovery: most notable here is that the ECB adopts the CPMI-IOSCO two-hour downtime target for the recovery of critical systems after a cyber attack even in ‘extreme but plausible scenarios’ as an Intermediate level expectation. This is significant, as specific downtime targets have not been universally favoured by all regulators. The proposed Guidance does, however, note that the recovery of critical systems to allow for end-of-day settlement will be a more important standard that the ECB will seek to enforce. If the two-hour downtime target is extended to parts of the banking sector (as was proposed in 2016 by the US federal banking regulators in their Advanced Notice of Potential Rulemaking) then this could establish a very challenging hurdle for many banks.
- Data integrity: to support incident recovery, the ECB expects Intermediate FMIs to develop participant transaction recovery mechanisms that are tested regularly and to store data backups at an alternate site. At the Advanced level, firms should maintain backups in a redundant secondary system that can be activated without any disruption to the FMI’s operations. Given the role that banks play in payments and the large volumes of customer data they hold, supervisors will have every incentive to hold them to an equally high standard and encourage them to invest in market-leading data integrity solutions.
- Information sharing: from the Intermediate level, FMIs are expected to participate actively in industry forums to share real-time threat intelligence information with stakeholders. At the Advanced level, the CROE calls for FMIs to develop an in-house threat intelligence capability that analyses threat and vulnerability information and shares it with relevant stakeholders in the financial sector, potentially on an automated basis.
- Testing: as a Baseline activity, the ECB expects all FMIs to develop a comprehensive cyber resilience testing programme that tests critical systems’ recovery plans at least annually using ‘extreme but plausible scenarios’. From the Intermediate level, firms are to use the TIBER-EU framework and contract third party providers to carry out the red team exercises, while building up their internal capabilities to monitor the results of these tests and identify lessons learned. At the Advanced level, FMIs are expected to develop an internal red team testing function while continuing to work with external red teams.
What to look for next
The ECB’s consultation on the CROE runs until 5 June and could be in place before the end of the year.
The ECB, as mentioned earlier, is also doing similar work through the SSM, considering how best to develop and articulate its supervisory expectations for the cyber resilience of significant Eurozone banks. Although this is proceeding more slowly than the ECB’s work on FMIs, the level of detail and ambition set out in the ECB’s CROE sets a high bar for the approach that SSM banks can expect to see in future. These banks should be especially alert to their inclusion in the rollout of TIBER-EU (which we will address more fully in an upcoming blog), as the ECB’s framework is explicitly written to be extended beyond FMIs and the cyber testing frameworks of some EU jurisdictions (most notably the UK and the Netherlands) already include banks.
Consequently, the CROE framework should be read by the European banking sector, and particularly those banks directly supervised by the SSM, as an important sign of how their supervisory framework for cyber risk may soon evolve.
For more of our views on how financial regulators are increasing their involvement in dealing with cyber risk, read Cyber Risk and Regulation in Europe by Deloitte’s EMEA Centre for Regulatory Strategy.