London, 20 August 2018 – The World Federation of Exchanges ("WFE"), the global industry group for exchanges and CCPs, has today published its response to the Financial Stability Board's (FSB) Cyber Lexicon Consultation.
The FSB's document - a draft glossary of common terms related to cyber security and cyber resilience - is intended to "support its work to protect financial stability against the malicious use of Information and Communication Technologies (ICT)". The WFE welcomes the work done on the lexicon, as it is helpful for the market infrastructure industry and all stakeholders to have a consistent set of terms.
The highlights of the WFE's response can be summarised as follows:
- The WFE believes the lexicon would be more effective, and consistent, if the definitions were anchored exclusively in two sources: i) the International Organization for Standardization (ISO), and ii) the National Institute of Standards and Technology (NIST), as these are the most distinguished sources for Technical, Risk Management, Cyber Security and Information Security standards.
- If other sources are to be used, it is important to ensure that the inclusion of terms from separate sources doesn't create a disjointed list.
- The WFE proposes some new terms and definitions for the lexicon, including: Threat, Authorisation, Resilience, Intrusion and Flaw Remediation.
- It suggests replacing the terms Campaign and Course of Action with Threat Objective and Threat Objective Lifecycle respectively, along with revisions to those definitions.
- The WFE also recommends alternative definitions for Penetration Testing and Situational Awareness, to more clearly define both of these terms.
- The WFE suggests that, in order to maintain the accuracy and efficacy of the lexicon, the FSB engages participants through regular consultations (perhaps every three years).
Nandini Sukumar, CEO, WFE said: "The WFE is pleased to work with industry stakeholders on such a fundamental piece of work. The area of cyber security and resilience is fraught with complexities and variations around terminology, therefore implementing a clearly defined set of common terms will allow market participants a greater ability to work in a coordinated manner across geographies, in the event of a regional or global cyber-attack. Furthermore, a common vocabulary can support the development of industry standards. We look forward to the refined and finalised lexicon being ready for the G20 meeting in Buenos Aires in November."
The WFE has published a range of whitepapers in the cyber resilience space, including best practice guidelines for cyber security compliance, and cyber resilience standards.