On 12 April 2017, the WFE published a set of cyber resilience standards designed to be used by WFE members and other market infrastructure providers.
The standards, designed to ensure alignment and common minimum standards across the global system, cover eight key areas:
- Strategy & Framework: Effective cyber framework arrangements should be in place to establish, implement and review the approach to managing cyber risk.
- Governance: There need to be appropriate lines of accountability, responsibility and cultural buy-in at all levels of an organisation regarding cyber resilience.
- Risk Identification: To mitigate new risks, in addition to monitoring existing ones, processes and business functions should be reviewed and updated regularly.
- Protection / Controls: It is important to continuously evolve protection measures, such as security controls, systems and processes (including behavioural monitoring), to keep pace with market developments.
- Monitoring & Detection: Strong detection controls and standards should be in place that are proportionate to the organisation’s relative size, systemic importance, risk tolerance and threat landscape.
- Response & Recovery: Strategies should ensure that critical systems can be restored to full operation as soon as practicable, acknowledging conditions will vary.
- Information Sharing: Organisations should seek to proactively share experiences, knowledge and expertise, and to cooperate and collaborate through industry groups, such as the WFE’s GLEX working group.
- Testing, Situational Awareness, Learning & Evolving: Arrangements must evolve with the changing threat landscape.
The standards follow a set of cyber resilience principles (issued by the WFE on 23 September 2016) that authorities can take into account when implementing existing, or creating new, cyber standards for FMIs. In combination, the WFE principles and standards are intended to support and complement guidance already provided by global regulators.