The Bank for International Settlements and the International Organization of Securities Commissions issued guidance to financial market intermediaries to enhance their cybersecurity. (FMIs include systemically important payment systems, central securities depositories, securities settlement systems, central counterparties or clearinghouses, and trade repositories.) In general, BIS and IOSCO recommended five central risk management categories and three overarching components that should be addressed in all FMIs’ cybersecurity programs. The five categories are governance; identification of critical business functions; protection; detection of potential cyber incidents; and response and recovery. The three overarching components are rigorous testing, situational awareness, and learning and evolving. According to BIS and IOSCO, “[s]trong situational awareness can significantly enhance an FMI’s ability to understand and pre-empt cyber events, and to effectively detect, respond to and recover from cyber attacks that are not prevented.” Similarly, BIS and IOSCO said it is important that any cybersecurity program adopted by an FMI evolve with the “dynamic nature of cyber risks.”
Compliance Weeds: BIS’s and IOSCO’s issuance of their guidance to FMIs provides a timely reminder to members of the National Futures Association that they were required by March 1 to have adopted and begun enforcing formal written policies regarding cybersecurity. These policies must be “reasonably designed by members to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” (For further details on NFA’s requirements, see the article “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.)