A functioning real economy requires the financial system to perform a range of key economic functions reliably. These include payment services, securities trading, settlement services and deposit taking, among others. These processes have become increasingly digitalised, creating new and important interdependencies, often with a limited number of service providers. The financial system has come to rely critically on robust information and communications technology (ICT) infrastructures and on the confidentiality, integrity and availability of data and systems. Consequently, critical economic functions can be disrupted through cyberattacks and other incidents that affect the information systems and data of financial institutions and financial market infrastructures. Cyberattacks can turn into a systemic crisis when trust in the financial system is eroded1.

The European Central Bank (ECB), acting in its central banking and financial stability role (as opposed to its financial regulatory and supervisory role at the head of the Banking Union's Single Supervisory Mechanism (SSM)), took the first, and welcome, steps towards improving cyber-resilience standards across the financial services sector2.

In December 2018, the ECB published its Cyber Resilience Oversight Expectations (the CROE) for financial market infrastructures (FMIs)3. The 2018 CROE replaced the 2016 version, and it did so with quite some effect.

It sets (even if framed as non-binding guidance4) very comprehensive and prescriptive expectations for financial services firms, in particular regarding on-going risk assessments, together with more detailed compliance and governance processes than may previously have been commonplace, and it puts cyber-resilience at the heart of various operations, including the recruitment of staff. The CROE also sets out what the ECB looks for in the job role and performance of a Senior Executive or the Chief Information Security Officer (CISO), which may be of wider interest. CROE should be read in conjunction with rules and supervisory guidance set by other international standard setters and by national competent authorities in the EU.

In February 2020, the ECB received the Central Banking Award 2020 for Payments and Market Infrastructure Development for its work on CROE. Specifically, the CROE's multi-tiered design aims to help FMIs of all sizes strengthen their cyber-resilience, and to strengthen overseers' own capabilities and their collaboration with FMIs. The World Bank has also adopted CROE5 and partnered with the ECB to aid global harmonisation and the strengthening of the global financial system. Unfortunately, the CROE as adopted by the ECB and by the World Bank fails to define the precise threat landscape and the range of bad actors that will direct cyberattacks at regulated financial services firms. In response, various government policymakers have led multi-jurisdictional simulations of the impact of a major cyberattack on the global financial system6. The European Systemic Risk Board (ESRB) also published its inaugural report on systemic cyberattacks in February 20207. The ESRB's Report, in Section 2.4 (and Annex 1), specifically highlighted the common individual vulnerabilities amongst ESRB member institutions, which is worrying for national competent authorities as much as for the FMIs they are supposed to oversee8. With new actors (including state-sponsored ones) using cyberattacks, a number of firms may want to revisit how they are meeting CROE and cyber-resilience more generally.

Finance is changing and cyber-security is more important than ever. So too are the changes in risk management in light of the increasing shift by financial services firms to meet customers' demands for digitisation, online services and mobile applications, as well as the sustained move among firms, their counterparties and their clients towards remote and location-independent working. With rapidly evolving threat actors constantly adapting their tactics, techniques and procedures (TTPs) to stay ahead of financial services firms' defences, this Client Alert assesses CROE against the backdrop of events in 2021. In addition, it is assessed in light of the changes to CROE that will follow from the EU's proposal for a new regulation, the Digital Operational Resilience Act (DORA), which is expected to take operational effect from 20249. This Client Alert should be read in conjunction with our coverage of the ECB's framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU)10 on 2 May 2018.

CROE's compliance objectives

The CROE was designed for use by the Eurosystem (i.e., Eurozone central banks) as part of the oversight of all payment systems. These are designated in turn as:

  1. Systemically important payment systems (SIPS)
  2. Prominently important retail payment systems (PIRPS)
  3. Other retail payment systems (ORPS) and
  4. The TARGET2-Securities system (T2S).

CROE permits national central banks, operating under national law competencies and often in conjunction with other national competent authorities, to opt in to using the CROE for any "other" FMIs. Primarily this is aimed at clearing and settlement systems (including central securities depositories (CSDs) and central counterparties (CCPs)).

CROE's core concepts build upon those established by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO), and in particular their jointly published 2016 "Guidance on cyber-resilience for financial market infrastructures" (the Guidance). CROE, however, goes beyond those principles while at the same time setting out concrete steps on how to operationalise the Guidance. The 2018 version of CROE, like its predecessor, aims to provide:

  1. In-scope FMIs with detailed steps on how to embed the Guidance and improve sustained cyber-resilience over a period of time
  2. Overseers with clear expectations on how to assess and monitor FMIs' compliance with the Guidance
  3. The basis for common understanding and discussion amongst in-scope FMIs and relevant overseer

CROE also seeks to incorporate other standards the ECB considers best practice and to hold relevant persons to them. Relevant firms are required to meet their "capabilities", i.e., the "people, processes and technologies the FMI uses to identify, mitigate and manage its cyber risks and to support its objectives."

CROE's Annex sets out a welcome, practical and detailed Glossary of Terms. These may be useful for FMIs but also for other market participants wanting to tackle cyber-resilience. This is the case even where this ECB Glossary expands existing defined terms, or where it diverges from terms agreed at the international level, such as by the Basel Committee on Banking Supervision (BCBS) or the Financial Stability Board. As an example, CROE widens existing EU legal definitions and recasts "Cyber incident" as:

"A cyber event that:

  1. jeopardizes the cybersecurity of an information system or the information the system processes, stores or transmits; or
  2. violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not."

A "cyber event" is defined in CROE, building closely on EU definitions, as: "Any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring."

The BCBS's own cyber-resilience report, unlike CROE, introduced a taxonomy of cyber risk controls in its Annex A. For each of a number of areas, this sets out a control objective, a control description, example controls and practices, and example testing approaches. Annex B of the BCBS report sets out board IT metrics applicable to cyber-resilience, indicating which forward-looking indicators and metrics might be useful items to present to the Board (or equivalent governance function) of a firm. BCBS Annex C introduced concepts for cyber-resilience metrics in terms of events and practices before a compromising event (i.e., a cyber incident), at the point of compromise and after compromise. Many firms have borrowed from BCBS Annexes A, B and C when designing compliance monitoring frameworks to meet CROE's expectations.

CROE also sets out what is expected to be included in the role of a "Senior Executive" tasked with "owning" cyber-resilience, as well as in the role of a CISO (the two roles may be combined, at least in the ECB's view, although other regulatory authorities may disagree). Such officers, assisted by relevant policies and procedures, are expected to foster a cyber-risk awareness culture within the relevant firm.


Footnotes

1. The interconnectedness of various information systems enables cyber incidents to spread quickly and widely. Some recent incidents have demonstrated actors' ability to penetrate the networks of large organisations and incapacitate them quickly. Cyber incidents can also spread widely across sectors and beyond geographical borders, including to entities which are not the primary target or source of disruption. Malicious cyber incidents are becoming more persistent and prevalent, illustrating the high level of sophistication and coordination that threat actors are able to achieve.

2. For more information see details here.

3. Available here

4. It is important to note that whilst CROE's drafting is framed as non-binding, as with other similar non-binding guidance published by the ECB, CROE forms part of supervisory expectations and thus of the on-going supervisory dialogue of the ECB-SSM. Equally, the CROE sets definitive expectations that relevant persons must either "meet or explain". The use of "should" in CROE implies "must" or "are expected to", rather than granting a degree of optionality, unless divergence from the expectation can be justified.

5. See details here

6. Most recently on 9 December 2021 – further details available here.

7. Available here.

8. In 2018, the ESRB's European Systemic Cyber Group (ESCG) surveyed ESRB member institutions to gather information on common individual vulnerabilities (CIVs) relevant to cyber risk. The collected findings came from cybersecurity assessments undertaken by 14 ESRB members across supervised/overseen entities (including banks, FMIs and insurers). This led to the identification of the set of CIVs listed in Table 3 of the ESRB Report. The ESRB grouped these vulnerabilities into categories according to their nature: a gap (target quality not present), a weakness (inadequate quality), a susceptibility (can be affected by something else) and a flaw (defect or imperfection). These vulnerabilities can either arise in a process or be part of a control measure. Annex 1 provides a more detailed description of each of these vulnerabilities. They include:

  1. Insufficient industry oversight of third-party suppliers and the supply chain – thus a weakness in process
  2. Inadequate cyber hygiene – thus a weakness in process
  3. Ineffective testing of people, processes and technology – a flaw in process
  4. Insufficient cyber strategic planning and board level influence on cyber resilience – thus a weakness in process
  5. Lack of investment in cyber threat intelligence – thus a gap in process
  6. Presence of end-of-life systems – thus a susceptibility/flaw in asset
  7. Technology centric focus underestimating responsibility of people and processes – thus a weakness in process
  8. Organisational culture change needed for secure cybersecurity behaviours – thus a gap in process
  9. Cyber undermines existing operational resilience arrangements – thus a weakness in control measures
  10. High risk internet use requires better controls – thus a weakness in control measures
  11. Firm scale and resources impact effective cyber-risk management – thus a susceptibility in process
  12. Insufficient credible third line of defence challenge in firms – thus a weakness in process
  13. Cyber maturity targets not defined – thus a gap in process

9. DORA incorporates the lessons learned from the Eurosystem's cyber-resilience strategy for financial market infrastructures. It covers, implicitly or explicitly, the Eurosystem's cyber resilience oversight expectations, the European programme to test and improve the resilience of the financial sector against sophisticated cyberattacks (TIBER-EU), and the Cyber Information and Intelligence Sharing Initiative created by the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB), known as CIISI-EU.

10. Available here

Originally published December 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.