Parts of the plumbing of the global financial system, such as securities settlement systems and central counterparties, aren’t adequately prepared to recover from a hacking attack or similar cyber incident, according to a review by global regulators.
In a joint report, the International Organization of Securities Commissions (IOSCO) and the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) detailed the results of a review of cyber resilience at financial market infrastructure firms.
The review, which examined 37 firms in 29 countries, found that the regulators’ guidance in this area is being widely followed, but that there are also some notable shortcomings.
In particular, the report flagged a “serious concern” with a number of firms failing to develop cyber response and recovery plans that are designed to enable them to recover critical IT systems within two hours following a disruption.
“This finding casts doubt over the level of cyber resilience and preparedness of these [infrastructure firms], and is flagged as a serious issue of concern that should be addressed with the highest priority,” the report said.
Additionally, the review found several other weaknesses, including a lack of cyber resilience testing after major systems changes, a lack of comprehensive scenario-based testing, and recovery plans that aren’t capable of responding to an “extreme” cyber attack within two hours.
“Considering their aggregate impact, these (serious) issues of concern seem to pose clear challenges for (financial market infrastructures’) cyber resilience,” the report concluded.
In response, IOSCO and the CPMI called on the industry’s infrastructure firms, and their regulators, to promptly address these issues.