Technology vendors supplying services to financial market infrastructures (FMI) should be subject to rigorous cyber-security checks to protect the integrity and stability of the financial system, say global regulators in a new consultative paper.
The document 'Guidance on cyber resilience for financial market infrastructures' produced by the Committee on Payments and Market Infrastructures and the International Organisation of Securities Commissions, sets out the preparations and measures that FMIs should have in place to deal with and recover from cyber attacks.
Benoît Cœuré, chairman of the CPMI, states: “The Cyber Guidance addresses the need for an FMI to resume its operations quickly and safely after an attack has occurred. This is not an easy task and may require innovative thinking that goes beyond the traditional approaches to operational resilience.”
Recognising the interconnectedness of the world's financial markets, the paper stresses the need for a collaborative approach to information sharing and system testing that extends beyond the bilateral relationships between individual FMIs to include suppliers of services and technology to the markets.
"Cyber risk posed by an interconnected entity is not necessarily related to the degree of that entity’s relevance to the FMI’s business," states the report. "From a cyber perspective, the small-value/volume participant or a vendor providing non-critical services may be as risky as a major participant or a critical service provider."
At a minimum, it states that service providers should meet the same high level of cyber resilience they would need to meet if their services were provided by the FMI itself.
"Cyber considerations should be an integral part of the FMI’s arrangements for managing vendors and vendor products in the areas of contracts, performance, relationships and risk," states the Guidance. "Contractual agreements between the FMI and its service providers should ensure that the FMI and relevant authorities are provided with or have full access to the information necessary to assess the cyber risk arising from the service provider."
Greg Medcraft, chairman of IOSCO, says: “Cyber resilience cannot be achieved by individual institutions alone in our highly interconnected financial sector. The broader ‘ecosystem’ needs to work in unison."