Benoît Cœuré, Member of the Executive Board of the ECB, informed the audience of the second meeting of the Euro Cyber Resilience Board for pan-European Financial Infrastructures about the latest developments in cyber finance across European markets.
The cyber threat facing the financial sector continues to be a challenge. From banking trojans affecting individual customers to systemic threats posed by ransomware and targeted attacks from advanced persistent threat (APT) groups, the landscape is evolving on a daily basis.
The Eurosystem cyber strategy for financial market infrastructures rests on three pillars: individual FMI resilience, sector resilience and strategic regulator-industry collaboration. I am pleased that in the last few months, the ECB and the Eurosystem have made significant progress in putting in place the building blocks for enhancing the cyber resilience of the European financial ecosystem and operationalising the strategy.
The ECB developed two key tools to improve FMI resilience: the cyber resilience oversight expectations (CROE) and the TIBER-EU Framework.
The CROE serves three key purposes: (i) it provides FMIs with detailed steps on how to operationalise the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures, ensuring they are able to make improvements and enhance their cyber resilience over a sustained period of time; (ii) it provides overseers with clear expectations against which to assess FMIs under their responsibility; and (iii) it provides the basis for a meaningful discussion between the FMIs and their respective overseers. The central banks of the Eurosystem will work closely with the various financial infrastructures to enhance their cyber resilience, with the CROE serving as a good basis for this work.
Enhancing cyber resilience is of crucial importance. Equally important, however, is to test whether the enhancements that have been introduced by individual entities are effective. To that end, the ECB published the TIBER-EU Framework in May and the TIBER-EU Services Procurement Guidelines in August. The hope is that over time, this sophisticated level of testing will help strengthen our financial infrastructures and raise standards among threat intelligence and red team testing providers.
In terms of sector resilience, exercises are a key component of building market-wide preparedness for a cyber incident. In March, we told you about our forthcoming market-wide exercise, which we held in June. The exercise, UNITAS, took the form of a facilitated discussion among market participants – many of whom are here today – on a cyber scenario. The scenario involved a cyberattack on a number of financial infrastructures, resulting in a loss of data integrity and a knock-on effect on other financial infrastructures.
With regard to strategic regulator-industry collaboration, our third pillar, the Euro Cyber Resilience Board (ECRB) for pan-European Financial Infrastructures was formally established in March 2018, as a forum for strategic discussions between financial infrastructures and authorities. As you know, our objectives are to raise awareness of the topic of cyber resilience; to act as a catalyst for joint initiatives to develop effective solutions for the market; and to provide a place to share best practices and foster trust and collaboration.
Of course, cyber risk is borderless and it is an international issue. So the Eurosystem’s initiatives are part of a growing international effort to combat cyber threats. In October this year, G7 ministers and central bank governors published the “Fundamental Elements for Threat-Led Penetration Testing”, which complements the TIBER-EU Framework, and the “Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector”. In 2019, the G7 Cyber Expert Group will move ahead with conducting the first global cross-border cyber crisis simulation exercise.
In November, the Financial Stability Board (FSB) published a Cyber Lexicon. Having a common set of definitions in non-technical language will support the work of the FSB, standard-setting bodies, authorities and financial institutions to address cyber security and cyber resilience in the financial sector. The ECB continues to participate in these international fora, ensuring that global initiatives are aligned with our work in Europe.
From an operational perspective, the Market Infrastructure Board, which is in charge of the Eurosystem-operated financial infrastructures, continues to scale up its activities to ensure the continued cyber resilience of its systems and platforms.
In March, four key areas for further focus were identified: 1) crisis management and incident response; 2) information sharing; 3) awareness and training; and 4) third-party risk. There was general agreement that these key areas warranted further thought and focus. The UNITAS exercise further confirmed that these areas require attention.