The Basel Committee on Payments and Market Infrastructures (CPMI, previously known as CPSS) has issued a document on Cyber resilience in financial market infrastructures insisting that payment and settlement systems should be able to resume operations within two hours of a cyber attack and should be able to complete settlement by the end of the day. The Committee is treating a cyber attack as a business continuity issue and is applying Principle 17 of its Principles for financial market infrastructures. Key Consideration 6 of Principle 17 requires that the business continuity plan “should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events” and that the plan “should be designed to enable the FMI to complete settlement by the end of the day of the disruption, even in the case of extreme circumstances”.
I think that extending the business continuity resumption time target to a cyber attack is reckless and irresponsible because it ignores Principle 16 which requires an FMI to “safeguard its participants’ assets and minimise the risk of loss on and delay in access to these assets.” In a cyber attack, the primary focus should be on protecting participants’ assets by mitigating the risk of data loss and fraudulent transfer of assets. In the case of a serious cyber attack, this principle would argue for a more cautious approach which would resume operations only after ensuring that the risk of loss of participants’ assets has been dealt with.
I believe that if there were to be a successful cyber attack against a well-run payment and settlement system, the attack would most likely be carried out by a nation-state. Such an attack would therefore be backed by resources and expertise far exceeding what any payment and settlement system would possess. Neutralizing such a threat would require assistance from the national security agencies of the system’s own nation. It is silly to assume that such a cyber war between two nation-states would be resolved within two hours just because a Committee in Basel mandates so.
The risk is that payment and settlement systems in their haste to comply with the Basel mandates would ignore security threats that have not been fully neutralized and expose their participants’ assets to unnecessary risk. I think the CPMI is being reckless and irresponsible in encouraging such behaviour.
This issue is all the more important for countries like India whose enemies and rivals include some powerful nation states with proven cyber capabilities. I think that Indian regulators should tell their payment and settlement systems that Principle 16 prevails over Principle 17 in the case of any conflict between the two principles. With this clarification, the CPMI guidance on cyber attacks would be effectively defanged.