Cyber security and cyber resilience for financial market infrastructures is one of the core priority issues for governments and nations around the world. However, this is not an easy task to manage, as it requires considerable techno-legal expertise that very few individuals and organisations possess today. Even the regulatory and governing framework in this regard is still evolving at the international level.
In one such recent international development, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures (“Cyber Guidance”). As per the Cyber Guidance, the safe and efficient operation of financial market infrastructures (FMIs) is essential to maintaining and promoting financial stability and economic growth. If not properly managed, FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or a major channel through which these shocks are transmitted across domestic and international financial markets. In this context, the level of cyber resilience, which contributes to an FMI’s operational resilience, can be a decisive factor in the overall resilience of the financial system and the broader economy.
The Cyber Guidance also notes that financial stability may depend on the ability of an FMI to settle obligations when they are due, at a minimum by the end of the value date. An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme but plausible scenarios. Notwithstanding this capability to resume critical operations within two hours, when dealing with a disruption an FMI should exercise judgment in effecting resumption so that risks to itself or its ecosystem do not thereby escalate, while taking into account that completion of settlement by the end of the day is crucial. FMIs should also plan for scenarios in which the resumption objective is not achieved. Although authorities recognise the challenges that FMIs face in achieving cyber resilience objectives, it is also recognised that current and emerging practices and technologies may serve as viable options to attain those objectives. Furthermore, the rationale for establishing this resumption objective stands irrespective of the challenge of achieving it. The chapter on response and recovery provides guidance on how an FMI should respond in order to contain, resume and recover from successful cyber attacks.
It is clear that, as per the Cyber Guidance, Indian FMIs such as exchanges, depositories and clearing corporations will have to ramp up their network resilience so as to recover and resume operations within two hours of a cyber attack. Presently, SEBI has not prescribed any time frame for Indian stock exchanges and other players to resume operations following a cyber attack. SEBI has, however, put in place most of the other proposals outlined in the Cyber Guidance. But now SEBI would be required to ensure a robust and resilient cyber security infrastructure for stock exchanges and FMIs as well.
These are the first internationally agreed guidelines on cyber security for the financial industry. SEBI was part of the working group on cyber resilience that framed the Cyber Guidance. SEBI may introduce these requirements for Indian stock exchanges and FMIs within the next few months. Perry4Law Organisation (P4LO) welcomes these developments and is committed to extending its techno-legal expertise to SEBI and the Indian government for the proper implementation of this Cyber Guidance.