New paper, delivered by an industry working group, identifies options that could bolster industry capabilities around data recovery, reconciliation and replay
New York/London/Hong Kong/Singapore/Sydney, 22 September 2021 ‒ An independent Industry Working Group (IWG) sponsored by the CPMI-IOSCO Working Group on Cyber Resilience (WGCR), including representatives from The Depository Trust & Clearing Corporation (DTCC), Euroclear, the Federal Reserve Bank of New York, LCH, TMX Group and the Reserve Bank of Australia, today issued a whitepaper that explores data protection and validation as the cyber threat landscape continues to evolve. Delivered to evaluate how Financial Market Infrastructures (FMIs) are protecting and leveraging data, the paper explores options that firms should consider as they bolster their capabilities, including data recovery, reconciliation and replay.
The IWG focused on five key themes:
- While the two-hour recovery time objective (RTO) remains a target objective, data integrity issues require trade-offs between speed of recovery and accuracy of recovery.
- Recovery capabilities of existing systems were typically designed with physical and non-cyber outages in mind and may not be as effective in maintaining data integrity during a cyber-attack.
- Interconnections between firms increase the potential impact of a data integrity compromise across the industry.
- Recovery from a data integrity breach requires a high degree of trust in the available backup data copies as well as coordination within the ecosystem.
- When considering the recovery objective, the definition of critical services can vary across FMIs and scenarios.
As a result of IWG analysis and to continue to improve capabilities in this area, the paper suggests firms should focus on the following areas:
- Identify tools that are most harmonized with the FMI’s objectives: Each FMI should identify tools that are attainable from a design perspective and focus on the implementation of those tools that provide the most coverage.
- Define logical restore points: FMIs should work with their participants and the larger community to identify restore points that make sense for their business.
- Understand legacy technology: FMIs should regularly conduct a comprehensive evaluation of their applications to understand any critical interdependencies and identify opportunities for enhanced resiliency as technology evolves.
Today, there is no standard approach to identifying the types of data that need to be protected, nor the manner in which that data should be protected. When facing a cyber-attack, traditional data replication strategies designed for physical or non-cyber disruptions have the potential to spread corrupted data to backup databases, including those within data bunkers and backup data centres. To tackle this challenge, the IWG sought to identify tools to address data recovery and validation issues, draw out key lessons and principles for using those tools, and identify areas that would most benefit from further industry collaboration.
The paper highlights the need for greater industry collaboration around: the creation of design principles for housing critical data sets in data bunkers and third-party sites; the need for further guidelines for minimizing contagion; the adoption of common standards for assessing third-party risks to the ecosystem; the delivery of industry-wide cyber exercises by an independent party; and a common, yet flexible, definition of service criticality and its prioritization around resumption.
Rachel Tyler, Executive Director, Business Resilience at DTCC and Chair of the Industry Working Group, stated: “The operation of FMIs is based on the use and trust of data, and to perform effectively, FMIs must keep their transaction and position data, configuration data - which is needed to run systems, and application data protected and intact. Firms must consider how they can continue to improve data protection and validation capabilities to best defend and recover from cyber threats. We are pleased to have engaged with our peers on this paper, and look forward to seeing these efforts progress.”
Laure Molinier, Director, Business Recovery Crisis Management & Testing at Euroclear, said: “As part of our business resilience programme, Euroclear’s goal is to continuously improve protection, detection, response and recovery procedures in relation to extreme scenarios such as major data integrity issues. As a trusted financial market infrastructure, we are expected to play a leading role in defining recovery protocols working together with the market in scenario analyses and joint-testing. Euroclear encourages industry-wide collaboration including the sharing of experiences and best practices which benefits the wider market.”
Rob Cairns, CTO at LCH, said: “Convening this working group is a significant step in ensuring and bolstering resilience among financial market infrastructure providers. The findings of the whitepaper demonstrate the need for greater collaboration and standardisation in approaching the protection of data. We look forward to continuing to contribute to discussion and action on this important issue.”
Sarah Harris, Deputy Head, Payments Settlements Department at the Reserve Bank of Australia, says: “Cyber resilience is a key priority for the Reserve Bank of Australia and we welcome the opportunity to collaborate with our international colleagues on the important issues discussed in this paper.”
Bobby Singh, Chief Technology Officer and Chief Information Security Officer at TMX Group, said: “We are very pleased to be part of this initiative with our global industry partners to share best practices and explore solutions to address data protection, recovery and validation issues. As cyber threats continue to evolve in Canada and around the world, we look forward to continued collaboration to ensure our collective FMI cybersecurity objectives are advanced.”
Notes to Editors
Following an FMI CEO roundtable in September 2018, CPMI-IOSCO sponsored the establishment of three industry working groups, including this group, composed of and led by FMIs to explore solutions to key cyber resilience challenges.
While the CPMI-IOSCO Working Group on Cyber Resilience (WGCR) has sponsored this IWG, this paper represents solely the views of members of the IWG on industry themes and does not represent the views of the CPMI, IOSCO or any of their member organizations.
The WGCR was established in 2014 and explores ways to help both authorities (regulators, overseers) and FMIs enhance cyber resilience. The WGCR engages with the industry, encourages information sharing among relevant stakeholders and promotes swift implementation of the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures (Cyber Guidance), published in June 2016.