Mon, 18 Jul 2016
Nearly two years ago, I wrote a blog post in which I strongly criticized the insistence of the Basel Committee on Payments and Market Infrastructures (CPMI, previously known as CPSS) that payment and settlement systems should be able to resume operations within 2 hours of a cyber attack and should be able to complete settlement by end of day. I described this demand as reckless and irresponsible because it ignored Principle 16, which requires an FMI to “safeguard its participants’ assets and minimise the risk of loss on and delay in access to these assets.” I argued that in a cyber attack, the primary focus should be on protecting participants’ assets by mitigating the risk of data loss and fraudulent transfer of assets. In the case of a serious cyber attack, this principle would argue for a more cautious approach that resumes operations only after ensuring that the risk of loss of participants’ assets has been dealt with. Shortly thereafter, I was glad to find the Reserve Bank of India echoing these sentiments (in less colourful language) in its Financial Stability Report.
Almost two years later, the Basel Committee (CPMI) has issued new guidance that reflects a much more responsible approach to 2-hour recovery. The Guidance on cyber resilience for financial market infrastructures published late last month states:
An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme but plausible scenarios. Notwithstanding this capability to resume critical operations within two hours, when dealing with a disruption FMIs should exercise judgment in effecting resumption so that risks to itself or its ecosystem do not thereby escalate, whilst taking into account that completion of settlement by the end of day is crucial. FMIs should also plan for scenarios in which the resumption objective is not achieved.
This is a welcome sign that regulators are more pragmatic and are not allowing market participants to form unrealistic expectations. As Regulation Asia wrote about last week’s outage at the Singapore Exchange (SGX):
Trying to lead the public to think a resumption is possible, without knowing if it is really possible only degrades credibility with each successive retraction and announcement.