The Treasury Market Practices Group (TMPG) updated best practices for Treasury, agency debt, and agency mortgage-backed securities markets to provide market participants with enhanced recommended guidance on operational resiliency in TMPG-covered markets. This change responds to recent cybersecurity events and other widespread outages and service disruptions.
The updated best practice recommendations include examples of key issues for all market participants to consider when developing written contingency plans, including single points of failure, alternative backup providers, concentration risk, and fourth-party downstream reliance.
The TMPG also recommends that market participants consider both potential sudden intraday loss of access and more extended disruptions, periodically test their contingency plans, and develop written protocols to determine when it is appropriate to safely reconnect with those impacted by a cybersecurity incident.
The updated best practice recommendations re-emphasize that all market participants have a shared interest in and responsibility to engage with both industry and official sector efforts to mitigate, manage, and resolve cyber risk. This includes, but is not limited to, participation in industry-wide testing initiatives, facilitating resumption of operations, certification of reconnection to cyber affected systems, and centralized communication with respect to the same.
“The TMPG recognizes the importance of updating its best practice recommendations to keep pace with the evolving ecosystem, especially given the cybersecurity incidents and other operational outages seen in recent years,” said Casey Spezzano, chair of the TMPG, in a statement. “The TMPG believes that the widespread adoption of enhanced operational and cyber hygiene by all market participants, including service providers, is essential to promoting the integrity and efficiency of TMPG-covered markets.”
The TMPG recommends that all market participants adopt and implement these updated best practice recommendations related to operational resiliency as expeditiously as possible.