An independent Industry Working Group (IWG) sponsored by the CPMI-IOSCO Working Group on Cyber Resilience (WGCR), including representatives from The Depository Trust & Clearing Corporation (DTCC), Euroclear, the Federal Reserve Bank of New York, LCH, TMX Group and the Reserve Bank of Australia, issued a whitepaper that explores data protection and validation as the cyber threat landscape continues to evolve.
Delivered to evaluate how Financial Market Infrastructures (FMIs) are protecting and leveraging data, the paper explores options that firms should consider as they bolster their capabilities, including data recovery, reconciliation and replay.
The IWG focused on five key themes:
- While the two-hour recovery time objective (RTO) remains a target objective, data integrity issues require trade-offs between speed of recovery and accuracy of recovery.
- Recovery capabilities of existing systems were typically designed with physical and non-cyber outages in mind and may not be as effective in maintaining data integrity during a cyber-attack.
- Interconnections between firms increase the potential impact of a data integrity compromise across the industry.
- Recovery from a data integrity breach requires a high degree of trust in the available backup data copies as well as coordination within the ecosystem.
- When considering the recovery objective, the definition of critical services can vary across FMIs and scenarios.
As a result of IWG analysis and to continue to improve capabilities in this area, the paper suggests firms should focus on the following areas:
- Identify tools that are most harmonized with the FMI’s objectives: Each FMI should identify tools that are attainable from a design perspective and focus on the implementation of those tools that provide the most coverage.
- Define logical restore points: FMIs should work with their participants and the larger community to identify restore points that make sense for their business.
- Understand legacy technology: FMIs should regularly conduct a comprehensive evaluation of their applications to understand any critical interdependencies and identify opportunities for enhanced resiliency as technology evolves.
Today, there is no standard approach to identifying the types of data that need to be protected, nor the manner in which that data should be protected. When facing a cyber-attack, traditional data replication strategies designed for physical or non-cyber disruptions have the potential to spread corrupted data to backup databases, including those within data bunkers and backup data centres. To tackle this challenge, the IWG sought to identify tools to address data recovery and validation issues, draw out key lessons and principles for using those tools, and identify areas that would most benefit from further industry collaboration.
The paper highlights the need for greater industry collaboration around: the creation of design principles for housing critical data sets in data bunkers and third-party sites; the need for further guidelines for minimizing contagion; the adoption of common standards for assessing third-party risks to the ecosystem; the delivery of industry-wide cyber exercises by an independent party; and a common, yet flexible, definition of service criticality and its prioritization around resumption.
Rachel Tyler, executive director for Business Resilience at DTCC and chair of the Industry Working Group, said in a statement: “The operation of FMIs is based on the use and trust of data, and to perform effectively, FMIs must keep their transaction and position data, configuration data – which is needed to run systems, and application data protected and intact. Firms must consider how they can continue to improve data protection and validation capabilities to best defend and recover from cyber threats.”
Laure Molinier, director for Business Recovery Crisis Management & Testing at Euroclear, said in a statement: “As part of our business resilience program, Euroclear’s goal is to continuously improve protection, detection, response and recovery procedures in relation to extreme scenarios such as major data integrity issues. As a trusted financial market infrastructure, we are expected to play a leading role in defining recovery protocols working together with the market in scenario analyses and joint-testing. Euroclear encourages industry-wide collaboration including the sharing of experiences and best practices which benefits the wider market.”
Rob Cairns, CTO at LCH, said in a statement: “Convening this working group is a significant step in ensuring and bolstering resilience among financial market infrastructure providers. The findings of the whitepaper demonstrate the need for greater collaboration and standardization in approaching the protection of data. We look forward to continuing to contribute to discussion and action on this important issue.”
Sarah Harris, deputy head of Payments Settlements Department at the Reserve Bank of Australia, said in a statement: “Cyber resilience is a key priority for the Reserve Bank of Australia and we welcome the opportunity to collaborate with our international colleagues on the important issues discussed in this paper.”
Bobby Singh, CTO and CISO at TMX Group, said in a statement: “As cyber threats continue to evolve in Canada and around the world, we look forward to continued collaboration to ensure our collective FMI cybersecurity objectives are advanced.”