London, 23 September 2016 – The World Federation of Exchanges ("WFE"), which represents more than 200 market infrastructure providers including exchanges and CCPs, today published a set of principles around cyber resilience, intended to support and complement guidance already provided by global regulators.
The principles have been drafted in consultation with our members, following the publication of CPMI-IOSCO's 'Guidance on Cyber Resilience for Financial Market Infrastructures'(1) in June 2016. The CPMI-IOSCO's guidance was designed to elaborate further on the main areas of its Principles for Financial Market Infrastructure (PFMIs) that are relevant for cyber security.
Further to the guidance, the WFE has published its perspectives on the areas it considers important for national and/or regional market authorities to take into account when reflecting the local context. We seek to capture practical and operational considerations that WFE members believe authorities should build into their thinking when designing, implementing and/or monitoring for compliance with rules, regulations or laws that affect the operational resilience of market infrastructure providers at the local level.
These considerations are intended to support ongoing compliance efforts, to ensure that markets are not only resilient, stable and robust, but also able to operate on a fair and safe playing field. They are intended as a prompt for further regulatory and industry discussion to ensure appropriate standards and expectations that fit the nuances of global markets operating in local jurisdictions.
In summary, the principles are as follows:
- In developing and implementing local FMI standards and initiatives, existing global cyber security standards(2) should be used as an initial framework, to ensure consistency of approach and operational convention. Any FMI standards should be flexible enough to accommodate differences in regional and national legal and regulatory frameworks;
- Account should be taken of standards and approaches for non-FMI parts of the system, to ensure a consistently applied regulatory and operational approach;
- Cyber resilience frameworks should be balanced enough to enable continued technology innovation and development of markets and services while still remaining suitably robust to ensure markets are safe;
- FMIs should continue to be consulted to ensure that FMI standards are developed and implemented which are workable, acknowledge the specificities of the particular FMI model, and do not give rise to unintended consequences;
- Global principles should – insofar as national laws and regulations allow – be consistently implemented at national level without deviation or super-equivalence in order to support the objective of ensuring a level playing field with no weak links;
- Different markets have different models and different needs, and incidents are unpredictable in nature. Further, technology moves quickly. Standards and expectations should therefore have an element of flexibility so that FMIs can react quickly.
Nandini Sukumar, CEO, WFE, said: "The WFE supports CPMI-IOSCO's pragmatic approach to the design of cyber guidance and the engagement it has had with the industry. Markets are global, and are growing more so. The industry needs strong and effective global standards to achieve fair, robust and resilient markets in which investors can have confidence. Regulators and FMIs need to continue to work hand-in-hand in implementing sensible and practical arrangements on a national level for the benefit of the wider system."
Gavin Hill, Head of Regulatory Affairs, WFE, said: "Given the universality of the issue and its systemic significance, it is promising to see global organisations and regulators playing such a key role in developing, fostering and promoting consistent industry-wide standards for FMIs. The WFE encourages standard setters and implementing authorities to engage closely with the industry, and to use the WFE's high level principles when setting and implementing local requirements, to ensure they are sufficiently flexible and workable in the global context."
(2) For example, National Institute of Standards and Technology (NIST) or ISO/IEC standards.