• ECB publishes final cyber resilience oversight expectations for financial market infrastructures
• Document defines Eurosystem’s expectations in terms of cyber resilience, based on existing global guidance
• Reflects comments received from public consultation
The European Central Bank (ECB) has published the final cyber resilience oversight expectations (CROE) for financial market infrastructures (FMIs). Cyber resilience is an important aspect of FMIs’ operational resilience and is therefore also a factor in the overall resilience of the financial system and the broader economy.
The cyber resilience oversight expectations are based on the global guidance on cyber resilience for financial market infrastructures. This guidance was published by the Committee on Payments and Market Infrastructures and the Board of the International Organisation of Securities Commissions (CPMI-IOSCO) in June 2016.
To reflect the idea of continuous adaptation, evolution and improvement, the CROE uses a maturity model that gives overseers and FMIs a benchmark against which they can evaluate an FMI’s current level of cyber resilience, measure its progress and identify priority areas for improvement. The CROE defines three levels of maturity: Baseline, Intermediate and Advanced.
The CROE is not a checklist of measures with which FMIs must strictly comply, but rather a set of practices that can contribute to FMIs’ compliance. It is for the overseers or supervisors to judge whether an FMI, commensurate with its criticality, meets the baseline, intermediate or advanced level.
FMIs are expected to reach their respective maturity levels across all eight categories of the CPMI-IOSCO guidance. Once FMIs reach and maintain their expected levels of maturity, they should continue to evolve and improve by taking relevant steps towards the higher levels of maturity, where this is appropriate and in line with their business specificities. This process of evolution and improvement should take place through discussions between the FMI and its overseer and supervisor over a sustained period of time, commensurate with the criticality of the specific FMI.
The cyber resilience oversight expectations serve three key purposes:
i. they provide FMIs with detailed steps on how to operationalise the guidance, ensuring they are able to foster improvements and enhance their cyber resilience over a sustained period of time;
ii. they provide overseers with clear expectations against which to assess the FMIs under their responsibility; and
iii. they provide the basis for a meaningful discussion between FMIs and their respective overseers.