Jason Harrell, DTCC Executive Director and Head of Business and Government Cybersecurity Partnerships
The twenty-first century has been a time of rapid technological advancement across the financial services industry. From the rise of robo-advising in wealth management to the explorations of the use of blockchain in post-trade processing, technological advancements have improved the customer experience and globally expanded the use of financial products. This, however, has also given rise to fairly significant security concerns that must be addressed.
This technological progress introduced a number of new financial services entrants, who come not only with innovative and progressive ideas, but also expand the surface area for possible cybersecurity incursions. When combined with the increased sophistication of new threat actors and an expanded threat landscape, the regulatory focus on safeguarding the operational resilience of the global financial markets has also increased.
At its core, operational resiliency is an outcome, and that outcome is that market participants, operators and the financial sector (Sector) as a whole can prevent, respond to, and recover from operational disruptions in a manner that avoids and/or prevents negative systemic impact. Not surprisingly, cyber resilience continues to drive a lot of the activity and needs for achieving operational resilience. When considering cyber resilience, three concepts or trends have emerged – a shift from systems- to a service-based approach to recovery, intra-firm collaboration, and global regulatory coordination.
The first of these trends, the shift in recovery from systems- to a service-based approach, is largely a mindset change in the way traditional business recovery is viewed. Instead of exclusively focusing on a business’ ability to bring a system up within a specified time, the most important outcome for a business, and for the Sector as a whole, is to be able to continue delivering its business services to the marketplace following an operational disruption, for example a payment, clearing or settlement. While this may be accomplished by bringing a specific system online, this represents only one option that a firm may use to deliver a business service. With a service-based approach to resilience, market participants and operators are exploring other options to provide their services, which may result in new and innovative methods for market recovery. Sheltered Harbor is an example of a service-based approach to operational resilience. Sheltered Harbor is an industry-led initiative comprising of financial institutions, core service providers, national trade associations, alliance partners including market participants, technology providers, trade associations, partners and infrastructure providers dedicated to enhancing financial sector stability and resiliency. It helps prepare financial institutions to be able to restore critical customer information, such as access to account balances, in the event of a material operational or cyber event by providing a financial institution with the ability to designate a Restoration Partner. In the event that an institution’s Sheltered Harbor Resiliency Plan is activated, the Restoration Partner can restore critical customer data as quickly as possible. This substitutability is an example of an innovative approach based on a service-centric view of resilience.
The second trend is intra-firm collaboration on resilience. Resilience is comprised of individual and aggregate Sector activities. No single market participant, operator, regulator or standards-setting body has the ability on its own to deliver resilience across the Sector. This can only be accomplished through firms working together to pool resources and share information among each other and relevant regulatory authorities. In the US, the Financial Systemic Analysis and Resiliency Centre (FSARC), a trade association, which facilitates collaboration between financial institutions, market utilities, government agencies, and key Sector partners, is an example of the collaboration required to build Sector resilience. FSARC helps its members understand market risks and build capabilities to adapt and respond to their potential impacts. The Hamilton Exercises, which are led by the U.S. Department of the Treasury, also represent sector-wide, annual practices where regulators, market participants and operators simulate systemic risk events and collaborate on a response. These exercises are valuable touchpoints for promoting resilience and identifying the actions required to respond to these events while decreasing operational friction among market participants.
Finally, regulatory coordination is becoming increasingly important. As cyber threats continue to permeate the financial marketplace, formulating effective cybersecurity rules and guidance across the global financial markets is necessary. By partnering with market participants and operators to develop sound cyber resilience requirements that avoid isolated approaches and disparate requirements, regulators – and market participants – will be better able to focus resources on protecting the Sector. The Financial Services Sector Coordinating Council Cybersecurity Profile (Profile) is an example of regulator and firm partnership to develop a toolkit that aligns regulatory requirements in a common, standardized framework (NIST Cybersecurity Framework) and allows firms to demonstrate their compliance across multiple regulatory requirements. For regulators, the Profile can provide enhanced visibility on non-Sector and third party risks as well as the ability to more effectively compare and analyze data from other regulators. These benefits would be extended if adopted across global jurisdictions.
Together, these trends – bolstering resiliency with a service model approach, promoting intra-firm efforts around collaboration and information sharing, and focusing on regulatory coordination around mandates and best practices – are creating a solid foundation from which the Sector can continue to bolster its cyber security preparedness and response. Ultimately, the industry will be able to introduce operational resilience practices that are more comprehensive and efficient across firms, third parties, and the industry, to create an even safer tomorrow.
This article was originally published in Markets Media.