[author: Kevin Wong]

The European Central Bank (“ECB“) published for consultation a draft version of the cyber resilience oversight expectations (“CROE“) for financial market infrastructures (“FMIs“) on April 10, 2018.

The CROE are based on guidance on cyber resilience for FMIs that was published by the Committee on Payments and Market Infrastructures (“CPMI“) and the International Organization of Securities Commissions (“IOSCO“) in June 2016. The 2016 guidance was immediately applicable and the CROE form part of the oversight of the guidance, setting out assessment criteria for supervisors to use.

The CROE also provides FMIs in the euro area with steps on how to implement the guidance and enhance their cyber resilience.

In line with the guidance, the CROE covers five primary risk management categories:

(i).   Governance.

(ii).  Identification.

(iii). Protection.

(iv). Detection.

(v).  Response and recovery.

It also covers three overarching components which relate to testing, situational awareness, and learning and evolving.

The CROE use a maturity model that provides supervisors and FMIs with a benchmark against which they can evaluate FMIs’ current level of cyber resilience, measure progression and establish priority areas for improvement.

The webpage for the consultation invites FMIs and other interested parties to provide their input on the draft CROE. The deadline for responses is June 5, 2018.

The ECB provided an overview of the Eurosystem cyber resilience strategy for FMIs in a speech in November 2017.