London, Tuesday 5 June 2018 – The World Federation of Exchanges ("WFE"), the global industry group for exchanges and CCPs, has today responded to the ECB's consultation on Cyber Resilience Oversight Expectations (CROE) for Financial Market Infrastructures (FMIs).
The WFE's response can be broken down into three categories:
- The WFE and its members share the views of the ECB on the importance of having effective arrangements in place to establish, implement and review their approach to managing cyber risk. The WFE believes that FMIs should be able to work on their own cyber resilience strategies, in a flexible way, recognising the different scales, business focuses and cultures within each institution.
- The role of the board and senior management in the area of cyber resilience has increased, with Chief Information Security Officers (CISOs) now routinely briefing their Boards on recent developments and on the level of preparedness. The WFE's view differs from the ECB's on the topic of a formal Cyber Code of Conduct, however, and it suggests that cyber should instead be included in the FMI's overall Code of Conduct.
- The industry agrees that identification is a key component of cyber preparedness, resilience and recovery. Indeed, WFE members regularly review, identify and update processes and business functions to ensure they are aware of and tackling any new risks, and monitoring existing ones. The industry believes that identification efforts should be focused on identifying threat actors and categories, tools, and methods, so defences may be properly positioned and tested.
- Focusing on protection is clearly very important; however, the WFE advocates against an overly prescriptive or one-size-fits-all approach, which it believes is not likely to be successful, particularly as not all FMIs are at the same stage of development. Risk tolerance, threat landscape and systemic roles can vary.
- The WFE believes that people management is the key to security analytics, and posits that focusing on behavioural monitoring is critical. It is often 'insider threats' from staff members that result in cyber destruction or destabilisation. Indeed, in January 2018, the WFE published a set of best practice guidelines for market infrastructures designed to engender a staff culture of cyber security compliance.
- The WFE acknowledges the need for strong controls and standards, and further supports the ECB's perspective that these controls and standards should be proportionate and consistent to the FMI's relative size, systemic importance, risk tolerance and specific needs.
- FMIs' response and recovery strategies are designed to ensure that critical systems resume full operation as soon as possible and without compromising the orderliness of the market; however, conditions will vary from incident to incident and from FMI to FMI. For this reason, the WFE argues that resumption of operations within two hours is inappropriate.
- The emphasis on information sharing and collaboration is appropriate. In practice, global industry groups such as the WFE's GLEX are already active, working to connect key individuals at each organisation to ensure there is continuous, real-time dialogue and knowledge sharing on risks and issues that are specific to FMIs.
Nandini Sukumar, CEO, WFE said: "The WFE and its members are committed to ensuring the trading and clearing environments they operate are secure, stable and designed to withstand shocks. Our response to the ECB today reiterates the WFE's position on the issue of cyber resilience – one of our strategic priorities for 2018 – and therefore we applaud international initiatives to assist FMIs in their efforts towards cyber preparedness."
Richard Metcalfe, Head of Regulatory Affairs, WFE added: "This response highlights the practical, proactive steps that the industry is taking. Cyber security continues to be a priority for exchange groups globally and is rightly attracting attention at the international level. While there are clear operational challenges of staying one step ahead, the industry and regulators are working hard to satisfy the shared objectives of ensuring the safety and soundness of the global financial system, which is critical to enhancing investor and consumer confidence."
- Ends -
About the World Federation of Exchanges (The WFE):
Established in 1961, the WFE is the global industry association for exchanges and clearing houses. Headquartered in London, it represents over 200 market infrastructure providers, including standalone CCPs that are not part of exchange groups. Of our members, 36.8% are in Asia-Pacific, 42.6% in EMEA and 20.6% in the Americas. WFE exchanges are home to nearly 45,000 listed companies, and the market capitalisation of these entities is over $82.5 trillion; around $81.8 trillion (EOB) in trading annually passes through the infrastructures WFE members safeguard (at end 2017).
The WFE is the definitive source for exchange-traded statistics, and publishes over 350 market data indicators. Its statistics database stretches back more than 40 years, and provides information and insight into developments on global exchanges.
The WFE works with standard-setters, policy makers, regulators and government organisations around the world to support and promote the development of fair, transparent, stable and efficient markets. The WFE shares regulatory authorities' goals of ensuring the safety and soundness of the global financial system, which is critical to enhancing investor and consumer confidence, and promoting economic growth.
The Global Exchange Cyber Security Working Group (the GLEX) was established in December 2013 to connect Information Security leadership amongst the world's leading financial exchanges and CCPs. The primary purpose of the GLEX is to facilitate information sharing. The GLEX is both a conduit for internal communication amongst its members and an externally-facing presence available for relevant third parties needing to address members of the GLEX. It also actively comes together to help shape policy-making through reactive and proactive measures, reaching common consensus positions amongst its members. In April 2017 the WFE – through the GLEX – published a set of cyber resilience standards designed to be used by WFE members, and other market infrastructure providers, to ensure alignment and common minimum standards across the global system. The GLEX meets once annually and also virtually - via teleconference or other facilities - on a quarterly basis. Cyber continues to be one of the WFE's five business priorities for 2018.
For more information, please contact:
Head of Communications, The World Federation of Exchanges
Phone: +44 20 7151 4137 / +44 7850 287 685