Any company that uses information technology is a potential target for data theft, advanced malware and other cyber threats. Cyber threats have emerged as a growing systemic risk particularly to the financial sector in which Financial Market Infrastructures ("FMIs") are increasingly under attack from a wide range of players, at greater frequency and growing levels of sophistication. Regulators, standards bodies and other authorities around the world are giving a high priority to cybersecurity for these reasons. This post summarizes what regulators are doing in the Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.
What are EU regulators proposing to improve FMI cybersecurity?
The European Commission has initiated a push to "protect open internet and online freedom and opportunity" by 2020. This initiative includes combatting cyber-attacks against information systems, establishing an EU cybercrime centre and coordinating Emergency Response teams, cyber-attack simulations and national alerts among all EU Member States. These efforts are also intended to align with the international fight against cybercrime. The next five years will see an increase in costs as FMIs and regulators pay to rapidly update single FMIs and solidify an EU-wide cybersecurity structure.
With a number of new regulations coming down the track in the EU, such as the General Data Protection Regulation ("GDPR") and the Network and Information Security Directive (commonly referred to as the "Cybersecurity Directive"), the implementation of the Principles for Financial Market Infrastructures ("PFMIs") into the regulatory frameworks of many jurisdictions worldwide, and the proliferation of standards such as the US's NIST Cybersecurity Framework, FMIs are faced with significant investment and operational costs as they pay increased attention to improving their cyber-threat prevention, monitoring, detection and recovery capabilities. Such regulations seek to impose 1) notification and reporting requirements on critical infrastructure providers and data controllers, specifically including financial institutions; and 2) near-immediate recovery times in the event of cybersecurity breach incidences. The minimum standards for cyber risk management in the EU are not expected to vary by type of FMI.
The Bank for International Settlements' Committee on Payments and Market Infrastructures ("CPMI"), a global standards setter charged with promoting the safety and efficiency of payment, clearing, settlement and related arrangements, thereby supporting financial stability and the wider economy, considers that the inability of FMIs, following an attack, to quickly resume operations in a stable state could cause systemic risk through transmission to the wider financial system. Hence Principle 17 of the PFMIs states that FMIs should implement business continuity plans that ensure critical IT systems "resume operations within two hours following disruptive events"; and are "designed to enable the FMI to complete settlement by the end of the day of the disruption, even in the case of extreme circumstances". The overall objective of the PFMIs is to promote stability and efficiency in the financial system. CPMI concludes, however, that in the context of an extreme cyber event, a two-hour recovery objective would be extremely challenging for many FMIs.
As FMIs move towards faster recovery targets, they will likely experience three main areas of increased costs:
- An initial update of equipment, software and staff, along with periodic updates thereafter;
- Drafting of internal policies, procedures and training programs that are regularly updated and tested for efficiency and vulnerabilities; and
- Improved capabilities to detect cyber threats, which will correspondingly increase the need to record, respond to and report those incidents, in some cases to multiple regulatory bodies.
Regulators have also increased the incentive for FMIs to invest the above costs in improving cybersecurity by threatening hefty fines for financial institutions found to be non-compliant. Under the EU's Cybersecurity Directive, businesses will be fined a percentage of their revenue, though such penalty may be eliminated absent intent or gross negligence. The level of regulatory scrutiny an organization receives may depend on its role in and impact on market-wide cybersecurity, meaning the bulk of security audits will probably target high-risk industries and businesses like FMIs. Likewise, under the GDPR, the European Parliament proposes that sanctions be up to 5% of annual worldwide turnover or €1,000,000, whichever is greater. In preparation for and response to these regulations, FMIs must balance the costs of upgrading and maintaining their cybersecurity with the risk and cost of sanctions.
What should FMIs do next to meet cybersecurity challenges?
Putting in place appropriate contractual and governance safeguards is paramount. FMIs need to ensure that data loss and corruption caused by the service provider will amount to a breach of contract, though if the service provider is able to restore data from back-ups and does so within the time period stipulated in the contract, the service provider arguably should not suffer further liability to the FMI. A truly comprehensive program requires managing cybersecurity in an integrated fashion using a combination of in-house and third party resources.
The complexity of IT environments and the increasing sophistication of bad actors make this a difficult situation to manage and control without outside assistance. All facets of IT are at risk, from applications to centralized infrastructure, to even the most mundane endpoints. FMIs and their outsourcing partners would do well to focus primarily on isolating network components and important information, as well as managing personnel interfaces with network and data access points. Several isolation strategies are key to cyber resiliency:
- Ramp up in FMI compliance with new regulations will drive opportunity for the IT services sector, with the adoption of new technologies and practices such as VMs and VDIs (virtual machines and virtual desktop images), which can be reset to a known "golden state" to, in effect, remove malicious software installed by a cyber-attacker, and heuristic monitoring that is used to detect anomalies such as abnormal usage of an application or abnormal transaction behaviour.
- FMIs may set up processes to capture transaction and other important data in near real time and store that information outside the main or central system. Frequent reconciliation against the stored records could assist with ongoing detection of corrupted or fraudulent transactions and cyber-intrusions, or during recovery to return the system to the "golden state".
- To avoid significant data losses, FMIs should ensure that back-ups are made at regular intervals by the service provider and that the back-ups are also regularly tested to confirm that it is possible to reload the data. If a loss of data occurs, the stored information can then be reloaded from the latest available back-up.
- The access points of any FMI network should be limited by reducing the number of internet gateways and whitelisting software.
- Incorporate "defence in depth" strategy, which layers systems and system components and builds firewalls within the network. If one component is then compromised, an attacker could not access another component without breaching another obstacle. Internet-facing applications, such as e-mail software, ainternetre considered to be of greatest risk and should therefore be a top priority for isolation from core system components.
- Install proactive measures like hacking back, cyphertext, which requires users to enter a key code prior to opening information, or cryptographic defences that encrypt sensitive data, from HTTPS protocols to VPN clients.
- Keep confidential or critical information in separate storage systems, ideally at a separate data centre. Different systems covering different functionalities within an FMI, for example wholesale and retail payment systems, may be set up as each other's backup system in the event of a security breach.
An integrated approach to cyber resiliency covers not just an FMI's IT infrastructure, but also personnel, procedure and communications. Often the most severe data security breaches "result from inadvertent or deliberate acts of employees or contractors". Disgruntled employees are a high risk area as data can easily be sent into the cloud and physical copies do not need to be removed to create a data leak. Strategies to limit personnel-rooted cybersecurity vulnerabilities include:
- FMIs should require service providers of IT and other outsourced services to warrant that only personnel who are properly vetted, by the Disclosure and Barring Service in the UK or a similar body elsewhere, have access to the service infrastructure.
- An FMI's entire staff - operational, senior management, board level and service provider personnel - should be involved in the drafting and implementation of security and recovery plans and procedures.
- Organization-wide password management, locking of computers when not in use and physical security of data storage centres should be considered as a governance issue.
- FMIs may also want the contractual right to interview key provider personnel and/or to require that personnel it objects to are removed from the service provision arrangements. Service providers are likely to resist inclusion of such provisions, so balancing risk versus cost should be the key metric in drafting an agreement.
- In this era of Bring Your Own Device ("BYOD"), employees expect to access FMI systems from their own computers, tablets and phones. Security of these devices is often in question, particularly if multiple users have access to the device, so two-factor identity verification prior to access should be standard.
- Encryption before transmission of information between the FMI's premises and the service provider's premises or between both such locations and any other remote access location may also be desirable.
The Big Picture
FMI efforts to integrate and manage compliance with cybersecurity regulations in outsourcing arrangements should start early and continue throughout the contracting lifecycle. Due diligence, negotiation of terms and conditions, including governance structure, liability and audit and risk assessment provisions, should all be considered part of the agreement's overall security strategy. FMIs should recognise that some data loss and corruption is likely to occur, but the ability to respond quickly to incidents and make the appropriate risk management decisions will be defining characteristics of a strong FMI cybersecurity program.