CPMI and IOSCO report on financial market infrastructures' cyber resilience finds reasonably high adoption of cyber guidance but highlights

30 November 2022

The report finds one serious issue of concern and four issues of concern. The serious issue of concern relates to a small number of FMIs not fully meeting expectations regarding the development of cyber response and recovery plans to meet the two-hour recovery time objective (2hRTO).

The report finds reasonably high adoption of the Guidance on cyber resilience for financial market infrastructures (“Cyber Guidance”) by FMIs.


 The four additional issues of concern relate to shortcomings in established response and recovery plans to meet the 2hRTO under extreme cyber-attack scenarios; lack of cyber resilience testing after major system changes; lack of comprehensive scenario-based testing; and inadequate involvement of relevant stakeholders in testing.
• These findings highlight clear challenges for FMIs’ cyber resilience that should be addressed with the highest priority.


The Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) today published an assessment showing reasonably high adoption of their Cyber Guidance by FMIs.


The report – Implementation monitoring of the PFMI: Level 3 assessment on Financial Market Infrastructures’ Cyber Resilience – presents the results of an assessment of the state of cyber resilience (as of February 2021) at 37 FMIs from 29 jurisdictions that participated in this exercise in 2020–22. The Level 3 assessment covered all FMI types, ie, systemically important payment systems (PSs), central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs), and trade repositories (TRs).
The report finds one serious issue of concern and four issues of concern. The serious issue of concern relates to a small number of FMIs which have not yet developed their cyber response and recovery plans to meet the 2hRTO. That is, those plans were not designed to enable the FMI to ensure that critical IT systems can resume operations within two hours following disruptive events even in the case of extreme but plausible scenarios.
The report also highlights four issues of concern among some of the assessed FMIs:
• shortcomings in established response and recovery plans for meeting the 2hRTO under extreme cyber-attack scenarios;
• a lack of cyber resilience testing (eg integrity of backup data, vulnerability assessments or penetration testing) after a significant system change;
• a lack of comprehensive scenario-based testing;

... more at IOSCO


© IOSCO