Financial market infrastructures (FMIs) depend on the use and trust of data, and to operate effectively, FMIs must ensure that their data is secure and intact.
In 2019, CPMI-IOSCO sought closer engagement with the industry on this important topic by creating an independent Data Protection and Validation industry working group (IWG) to evaluate how this issue impacts FMIs.
The IWG had representation from six firms: DTCC, the Reserve Bank of Australia, Euroclear, LCH, the Federal Reserve Bank of New York and TMX. The result of the IWG’s work is a white paper, Cyber Threats and Data Recovery for FMIs, which explores options that firms should consider as they bolster their capabilities, including data recovery, reconciliation, and replay.
Recently, DTCC Connection sat down with Rachel Tyler, DTCC Executive Director, Business Resilience, who chaired the IWG, to discuss the white paper and its key findings.
DC: What was the impetus behind the creation of the Data Protection and Validation IWG?
RT: Against the backdrop of a rise in the number and level of sophistication of cyberattacks, in 2016, the CPMI-IOSCO Working Group on Cyber Resilience (WGCR) released Guidance on Cyber Resilience for Financial Market Infrastructures to provide direction on how to plan for and recover from cyber threats.
A few years later, the WGCR sought closer engagement with the industry, and sponsored an independent group of FMIs to come together to look at how keeping data intact impacts FMIs.
DC: What was the objective of the IWG?
RT: The IWG was tasked to identify opportunities to better protect financial market infrastructures’ data as the cyber threat landscape continues to evolve. The group had four objectives:
- Categorize the different types of data that need to be protected and the potential impacts of a data event.
- Explore and document current practices and challenges with respect to data recovery options for a range of high-level data scenarios.
- Identify leading and emerging practices with respect to data protection and validation methodologies, as well as potential areas of strength and weakness.
- Determine areas of focus for future industry collaboration; in other words, are there opportunities to promote reconciliation and replay capabilities within the industry?
DC: What are the key findings of the IWG?
RT: The analysis drew a number of key findings. First, the IWG wanted to acknowledge the two-hour recovery time objective (RTO) as documented in regulatory guidance. But when dealing with a data integrity issue, there is a trade-off between speed of recovery and accuracy of recovery, and these decisions depend heavily upon an FMI’s individual legal and operational environment. So, while two-hour recovery from a cyber-attack is still a target, the paper recognizes there are instances where the two-hour RTO cannot be met.
A second key finding focuses on the differences between an outage caused by a physical event versus a cyber event, which presents a completely different attack vector. Recovery capabilities built to manage physical and other non-cyber outages are not as effective in maintaining data integrity in the face of a cyber-attack.
Another finding surrounds the interconnectedness of firms, a topic that is very much on the minds of DTCC and the financial industry generally. The connections between firms, and the use of computer systems for processing, increase the possibility that a data impact at one firm can quickly spread to others, resulting in a contagion effect.
DC: What opportunities for FMIs did the IWG find based on its analysis?
RT: The paper identifies several areas of opportunity for FMIs.
First, the IWG inventoried potential data recovery and reconciliation tools and concluded that there is no silver bullet or one-size-fits-all solution for FMIs. Firms must identify tools that are most harmonized with their individual objective(s) and implement solutions based on what best suits their own needs and timeline.
Second, it is helpful for FMIs to define logical restore points, which are points in time that the industry can revert back to if data is destroyed or corrupted in such a way that it can’t be trusted. FMIs should work with their participants and the larger community to identify restore points that make sense for their business, so that if an issue occurs, time is not wasted determining the last good point of data.
Lastly, it is important to understand legacy technology. FMIs should regularly conduct a comprehensive evaluation of their applications to understand any critical interdependencies and identify opportunities for enhanced resiliency as technology evolves.
DC: What opportunities for industry collaboration did the IWG find based on its analysis?
RT: One opportunity is for the private and public sectors to work together to create design principles for housing critical data sets in data bunkers and third-party sites. While some FMIs currently use third-party sites or off-premises data bunkers to serve as a recovery tool in data impact scenarios, this is not common practice. The IWG found that the lack of established best practices around design principles is a key factor for the limited usage of off-premises bunkers or third parties.
Another opportunity is around guidelines for minimizing contagion. During its work, the IWG could not identify a consistent approach among FMIs for determining scenarios where it may be appropriate to disconnect or reconnect the FMI from an external endpoint to prevent contagion. Given the interconnectedness and global nature of firms, regulatory dialogue on this issue would be beneficial as well, and help establish consistency across jurisdictions, where appropriate.
Other opportunities explored in the paper include the use of a common standard to evaluate entities that contribute to the ecosystem, either as a provider or as a client, and utilizing an independent central coordinating party to conduct industry-wide cyber exercises.