In its response to the CPMI-IOSCO consultative report on cyber guidance for financial market infrastructures, the World Forum of CSDs makes recommendations in the following areas:
- The WFC welcomes the Guidance as it takes steps forward in raising awareness of the various aspects of cyber resilience. However, any measures taken in the Guidance should be proportional in order to accurately reflect the risk profile of CSDs.
- Governance: While respecting the crucial difference between a strategy and a framework document, the WFC believes it makes sense to allow CSDs to streamline their policy and use a single document as an outline for their cyber resilience policy.
- Identification: The WFC would like CSDs to be able to list their critical functions in terms of priority classes rather than separate critical business functions and information assets.
- Protection: Regulators should be aware that CSDs will not always be in a position to impose their own cyber resilience standards on other entities, especially since FMIs' standards are particularly strict due to their role as central infrastructures. Furthermore, if possible, a CSD should be able to rely on existing assessments of critical service providers (CSPs), such as independent assurance reports, to demonstrate compliance with the Guidance.
- Detection: Although fully respecting the importance of actively detecting threats to cyber resilience, regulators should be conscious of the fact that not all CSDs are able to commit the financial and human resources required to carry out zero-day exploits, for example.
- Response and recovery: The 2-hour recovery time objective should be treated as a benchmark to aim for, but not made a legal requirement. CSDs will seek to resume their operations as soon as possible; assuring the integrity of data, rather than the immediate resumption of operations, is a greater priority.
For more details, read the full response to the CPMI-IOSCO consultative report on cyber guidance for financial market infrastructures.