Saturday, 24 July 2021

The Sad State of BCP and Cyber Risk Planning at Financial Market Infrastructure Institutions

Nine Years Thundering Toward the Station
Alas, Yet to Arrive

Here I am again making what no doubt could be labeled as an “overdue wake up call” by the chronically somnolent or perhaps as a “sobering fact” by the habitually intoxicated.

On 21 July the BIS Committee on Payments and Market Infrastructures (CPMI) published a joint report with the Board of the International Organization of Securities Commissions (IOSCO) on a Level 3 evaluation of implementation of the Principles for Financial Market Infrastructures (PFMI).

Before beginning my rant, a couple of notes.

The PFMI were issued in 2012, which would appear to be some nine years ago, if my arithmetic is correct.

The PFMI were issued to set standards for Business Continuity Planning (BCP) and Recovery of Operations for systemically important and therefore critical financial market infrastructure institutions:

  • payment systems (PS)

  • central securities depositories (CSD)

  • central counterparties (CCP),

  • securities settlement systems (SSS) and

  • trade repositories (TR).
To be clear, we’re talking about payment systems, e.g., CHIPS, CHAPS and Fedwire, not individual banks. For the other categories, some US examples: DTCC, NSCC, FICC, etc.

The rationale is to require these critical market infrastructure institutions to have effective BCPs to restore service in the event of disruptions. In that regard, think of power blackouts, 9-11 and, yes, cyber attacks.

Here is the link to the BIS CPMI page on the PFMI which contains additional details.

In addition to the PFMI, you will notice that there are also eight additional guidance papers on implementation of the PFMI.

Among those there is a 2016 guidance paper on cyber risks. Applying the same arithmetic as above, that would appear to be five years ago.

The July report by the joint BIS CPMI/IOSCO-OICU Implementation Monitoring Standing Group (IMSG) reviewed the business continuity planning practices of a sample of 38 FMIs from 29 jurisdictions during 2019-2020.

The sample comprised 14 PSs, 15 CSDs/SSSs, five CCPs and four TRs.

The study was conducted by reviewing responses to a questionnaire.

That is, it was based on assertions made by the respondents rather than on an on-site investigation.

If you’re like me, you might find that a bit chilling given the results.

If you're willing to self-certify to failure, isn't it likely that the failure is even more egregious?

So what were the findings?

1.2.1 Timely recovery in the event of a wide-scale or major disruption

The IMSG has identified one serious issue of concern, which is that the business continuity management of some, and potentially many, FMIs does not seem to “aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption”, as expected by the Operational Risk Principle (Principle 17). Furthermore, based on the information provided by the participating FMIs, there are doubts about whether their business continuity plans are designed to “ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events” and “enable the FMI to complete settlement by the end of the day of the disruption, even in case of extreme circumstances” as expected by KC6. [That’s Key Consideration 6 in Principle 17]. Given this is a serious area of concern, the CPMI and IOSCO expect the relevant FMIs and their supervisors to address this as a matter of the highest priority.

Given that the PFMI were issued some 9 years ago and implementation is still deficient, the use of the term “highest priority” is perhaps both an indication of importance and a bit of sarcasm. That being said, the IMSG only “expects” this to be done. No doubt as they have expected implementation over the past nine years.

The IMSG’s findings continue:

While almost all of the surveyed FMIs indicated that they have business continuity plans (BCPs) designed to meet this requirement, there is evidence that leads the IMSG to question this. In terms of specific evidence:

  • A few of the surveyed FMIs do not explicitly aim for the 2hRTO, even for wide-scale physical (noncyber) disruptions.

  • One of the surveyed FMIs acknowledges that its secondary site does not have a distinct risk profile from that of its primary site.

  • A small number of FMIs stated that they did not have alternative arrangements to allow for the processing of time-critical transactions. Of those that did have such arrangements, some relied solely on manual and paper-based alternative arrangements.

  • A few FMIs indicated that they do not have specific plans to mitigate potential widespread staff unavailability. This suggests that these FMIs may have difficulty completing settlement if this were to occur.

“Mighty disappointing”, to use a technical financial market term.

Inverse kudos to the respondent that apparently will rely on manual, paper-based systems. Systemically important FMIs are likely to be ones that process “lots” (that’s another technical financial term) of transactions.

But, you ask, what about cyber attacks?

1.2.2 Cyber risk

Principle 17 states that “[a]n FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls…” The IMSG has identified one issue of concern, which is that a few FMIs in the sample did not provide specific BCP objectives with respect to cyber risk. Among the FMIs that have specific BCP objectives with respect to cyber risk, only a few explicitly acknowledged the breadth and depth of potential cyber attacks and the complexities of cyber risks that their BCPs may not be able to cover.

While the IMSG assesses this as less serious than the previous risk, I think it qualifies as very serious.

  • The probability of a cyber attack may be higher than some of the other risks of disruption and the impact much greater.

  • If computer networks are hacked, critical information, even that at backup sites, may be unavailable or destroyed.

Particularly if the attack is the work of a state actor.

That would be a different kettle of fish than a natural disaster. Or even a 9-11 style attack.

1 comment:

Abu 'Arqala said...

A footnote.

Apparently one respondent to the questionnaire noted that its back-up site was 300 meters from its "main" site.

And that is why we can't have nice things.