The two dozen responses to the document released over the weekend, from government bodies, regulators, market operators and infrastructure providers, reveal general agreement with the principles. But they also highlight the challenges markets face.
For example, ASX, the Australian market operator, notes it has four FMIs in its corporate group.
“We believe that the most practical approach for an organisation with multiple FMIs is for the group’s parent entity or Board (or Board Committee) to have ultimate responsibility for cyber resilience matters,” the ASX said.
“Clearly documented governance arrangements could set out the arrangements for responsibility of cyber resilience matters for the entire group. ASX further believes that duplication of individual cyber resilience strategies and/or frameworks for each FMI under a group arrangement would be inefficient and thus supports a combined approach.”
Now that makes sense, in theory. The challenge will be ensuring sufficient, efficient communication so that each operating market is both subordinate to its head board and retains the flexibility to move rapidly when a threat is detected.
ASX also pointed out that FMIs are not closed ecosystems. This has been particularly evident in recent breaches, for example the one involving the central bank of Bangladesh, the global SWIFT financial messaging system and the banking system of the Philippines.
While the final details are not yet clear, it seems likely the breach was an internal one in Bangladesh, which meant SWIFT didn’t recognise the fraudulent transfer of money (because it came from an authorised account), and once the money ended up in the Philippines, tracking it back was almost impossible.
As the ASX noted more generally, “there are limitations to the extent that an FMI can control or influence the cyber risks borne by other participants in that ecosystem and therefore believes that an FMI’s responsibility should amount to management of their own risks, while communicating with other stakeholders in the ecosystem, as appropriate”.
The German Bundesbank made a similar point: “It should be noted that there are limitations to getting information related to cyber resilience from the ecosystem especially e.g. from ancillary industry such as Microsoft.”
Several respondents, including ASX, argued arbitrary time frames to resume operations didn’t properly recognise reality. Resuming in two hours, as suggested, seems fraught.
SWIFT said there are “scenarios for which this recovery time objective is unrealistic, particularly in complex cyber scenarios where the detection of the problem can, on average, take 200 days, according to industry statistics. In some instances it may even be an undesirable objective, as reopening service too quickly could promulgate a cyber issue through the financial system”.
The specifics of responsibility are also a challenge. The global payments platform Visa noted it “sees the benefit in clearly defining the remit of the responsibilities in organisations for those who are involved in the key processes in a cyber-resilience framework.”
“However, [Visa] believes that accountability for cyber resilience is a shared organisational issue, requiring each area of the business to be accountable and responsible for various aspects of cyber resilience,” it said.
“For instance, compliance with cyber resilience may be enforceable by the area of the organisation principally managing risk, whereas the legalities of cyber resilience policies may be checked by the legal department.”
These are all valid points. Meanwhile cyber threats continue to mount, and thousands of breaches, from the minor to the potentially major, occur in markets daily.
The clear lesson is that market operators, regulators and ancillary providers need to behave more like the criminals: constantly evolving, constantly testing and probing, constantly revisiting protocols.
‘Agile’ methodologies, the current fad in project management, do actually encapsulate how organisations need to be organised: rapidly responding, learning from each iteration, being prepared for unpredictability.
While the practice of war is constantly changing, the motivations behind wars have barely changed through human history. So too the motivations of cyber criminals in financial markets. The American bank robber Willie Sutton (perhaps apocryphally) summed it up when asked why he robbed banks: “Because that’s where the money is”.
Today he would be armed not with guns but a keyboard and stolen data.
Andrew Cornell is managing editor at BlueNotes