London, 12 April 2017 – The World Federation of Exchanges ("WFE"), which represents more than 200 market infrastructure providers including exchanges and CCPs, today published a set of cyber resilience standards designed to be used by WFE members, and other market infrastructure providers, to ensure alignment and common minimum standards across the global system.
The standards cover eight key areas:
- Strategy & Framework: Effective cyber framework arrangements should be in place to establish, implement and review the approach to managing cyber risk.
- Governance: There need to be appropriate lines of accountability, responsibility and cultural buy-in at all levels of an organisation regarding cyber resilience.
- Risk Identification: To mitigate against new risks - in addition to monitoring existing ones - processes and business functions should be reviewed and updated regularly.
- Protection / Controls: It is important to continuously evolve protection measures, such as security controls, systems and processes (including behavioural monitoring), to keep pace with market developments.
- Monitoring & Detection: Strong detection controls and standards should be in place that are proportionate to the organisation's relative size, systemic importance, risk tolerance and threat landscape.
- Response & Recovery: Strategies should ensure that critical systems can be restored to full operation as soon as practicable, acknowledging conditions will vary.
- Information Sharing: Organisations should seek to proactively share experiences, knowledge and expertise, and to cooperate and collaborate through industry groups, such as the WFE's GLEX working group (see below).
- Testing, Situational Awareness, Learning & Evolving: Arrangements must evolve with the changing threat landscape.
Today's standards follow a set of cyber resilience principles (issued by the WFE on 23 September 2016) that authorities can take into account when implementing existing, or creating new, cyber standards for FMIs. In combination, the WFE principles and standards are intended to support and complement guidance already provided by global regulators. *
Nandini Sukumar, Chief Executive Officer, WFE said: "Cyber is a top priority for the WFE and its members. We are committed to enhancing cyber resilience within the exchange and CCP industry, and are working together to stay on top of the issue. These guidelines serve as the building blocks upon which WFE members and other global market infrastructure providers can base their individual approaches to cyber."
Gavin Hill, Head of Regulatory Affairs, WFE added: "Cyber resilience is a topic that requires no reminder of its importance. The WFE guidelines are aimed at assuring market stakeholders that the industry is committed to high standards, and to protecting the system as a whole."
The WFE is hosting its bi-annual Technology Conference in London, 24-26 July, with partner Imperial College London. As the lines between finance and industry converge, this event seeks to capture and discuss the latest technological innovations in the market structure space, including cyber.
* The WFE responded to the CPMI-IOSCO Consultative Paper on Guidance on Cyber Resilience for Financial Market Infrastructures in February 2016. You can read the submission here.