Getting cyber-resilience right matters. In July 2018, we published our analysis on the European Central Bank’s (ECB) first foray into setting its expectations on cyber-resilience. In September, it finalized the TIBER-EU Framework on ethical red teaming by setting out standards that firms ought to meet in selecting eligible providers of recognized TIBER tests. All of this marked a “crossing of the Rubicon” for the ECB, acting in its central banking and financial stability role as opposed to its financial regulatory and supervisory role at the head of the Banking Union’s Single Supervisory Mechanism (SSM) – which itself continues to put cyber-resilience as a key supervisory priority for 2019 and beyond. The ECB continued work on cyber-resilience on December 3, 2018 by publishing its Cyber-Resilience Oversight Expectations (the CROE) for financial market infrastructures (FMI).
CROE in 2018 replaces the 2016 version, and it does so with quite some effect. It sets very comprehensive and prescriptive expectations that, in its 62 pages, translate into in-scope entities needing to consider on-going risk assessments, introducing more detailed compliance and governance processes than may have been commonplace, and putting cyber-resilience at the heart of various operations, including the recruitment of staff. It also comes at a time when international banking sector standard setters, including the Bank for International Settlements’ BCBS, have published their own updates on cyber-resilience, including the December 2018 “Report on Cyber-resilience: Range of practices” evaluating the state of play in various key jurisdictions. The ECB regularly points to and applies practices from international standard setters, including the BCBS, even where these are not measures with legal effect. The measures should also be read in conjunction with national measures that may have legal effect, such as, in Germany for example, the extension of the Federal Financial Supervisory Authority’s (BaFin) own cyber-resilience regime (BAIT), which was amended in September 2018 to cover critical infrastructure.
This Client Alert assesses CROE’s requirements and the ECB’s expectations of FMIs, as well as of Banking Union Supervised Institutions (BUSIs) that face FMIs: such BUSIs may need to document cyber-resilience compliance in considerably more depth, or the ECB, in its SSM role, may address similar expectations to them. The CROE will be of relevance and of interest to both existing FMIs and new FMIs looking to enter the Eurozone, as well as to the range of BUSIs and other non-SSM supervised EU and non-EU credit institutions, other regulated market participants and non-financial corporates. The CROE also sets out what the ECB looks for in the job role and performance of a Senior Executive or the Chief Information Security Officer (CISO)—which may be of wider-reaching interest.
The aims of CROE and its key contents
The ECB intends that CROE will be applied by the Eurosystem (i.e. Eurozone central banks) to the oversight of all payment systems (designated in turn as systemically important payment systems (SIPS), prominently important retail payment systems (PIRPS) and other retail payment systems (ORPS)) and the TARGET2-Securities system (T2S). CROE in 2018 is also clear that national central banks, operating under national law competencies, often in conjunction with other national competent authorities, may opt in to use the CROE for any “other” FMIs—primarily this is aimed at clearing and settlement systems (including central securities depositories (CSDs) and central counterparties (CCPs)). We anticipate that CROE will become, as has been the case in other ECB rulemaking exercised by way of non-binding guidance, more widely adopted by core Eurozone member states, in particular those with significant FMIs operating within their jurisdiction.
The CROE, whilst building on international guidelines, such as those established by the Committee on Payments and Market Infrastructures (CPMI) or the International Organization of Securities Commissions (IOSCO) and in particular their jointly published 2016 “Guidance on cyber-resilience for financial market infrastructures” (the Guidance), goes beyond those principles while at the same time setting concrete steps on how to operationalize the Guidance. The 2018 version of CROE, however, like its predecessor, aims to provide:
In-scope FMIs with detailed steps on how to operationalize the Guidance and improve sustained cyber-resilience over a period of time
Overseers with clear expectations on how to assess and monitor FMIs’ compliance with the Guidelines
The basis for common understanding and discussion amongst in-scope FMIs and relevant overseers
It also seeks to hold addressees to account against other standards it considers best practice, which relevant firms use to build their “capabilities”, i.e., the “people, processes and technologies the FMI uses to identify, mitigate and manage its cyber risks and to support its objectives.”
CROE also communicates detail on what is expected to be included in the role of a “Senior Executive” tasked with the responsibility of “owning” cyber-resilience, as well as the role of a CISO (the two roles may be combined). This is welcome and is also in keeping with the BCBS’ December 2018 report on practices and a general reshaping of the role of a CISO within firms and its contribution to risk controls. Those officers, coupled with the relevant policies that aim to operationalize the requirements and expectations set in the frameworks adopted by the ECB’s international peers, conceptually aim to foster a cyber-risk awareness culture, an area that the BCBS considers crucial for relevant firms to embed throughout their operations.
The Annex to CROE sets out a welcome, practical and detailed Glossary of terms. These may be useful for FMIs but also for other market participants wanting to tackle cyber-resilience. This is the case even where this ECB Glossary expands existing defined terms, or where it diverges from terms agreed at the international level, such as by the BCBS or FSB. As an example, CROE widens existing EU legal definitions and recasts “Cyber incident” as:
“A cyber event that:
jeopardizes the cybersecurity of an information system or the information the system processes, stores or transmits; or
violates the security policies, security procedures or acceptable use policies,
whether resulting from malicious activity or not.”
A “cyber event” is defined in CROE, very much building on EU definitions, as: “Any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring.”
The BCBS report, unlike CROE, sets out a taxonomy of cyber risk controls in its own Annex A. For each of a number of areas, this gives a control objective, a control description, example controls and practices, and example testing approaches. Annex B of the BCBS report sets out board IT metrics which are applicable to cyber-resilience and which describe what forward-looking indicators and metrics might be useful as items to present to the Board (or equivalent governance function) of a firm. BCBS Annex C sets out cyber-resilience metrics in terms of events and practices before a compromising event (i.e., a cyber-incident), at the point of compromise and after compromise. Many in-scope firms may find it useful to borrow from these BCBS Annexes A, B and C when designing compliance monitoring frameworks to meet CROE’s expectations.
How to comply with CROE – meet or explain
CROE establishes three levels of expectation (also referred to as “maturity levels”) against which addressees either comply with CROE’s criteria or explain why they do not meet them. Firms are expected, and T2S as well as SIPS are required, to meet and maintain at least the “Advancing” maturity level prior to migrating to “Innovating”:
Evolving: Essential capabilities are established, evolve and are sustained across the FMI to identify, mitigate and manage cyber-risks in alignment with the cyber-resilience strategy and framework approved by the Board. Performance of practice and capabilities are monitored and managed;
Advancing: In addition to meeting the “evolving” level’s requirements, practices at this level involve implementing “more advanced tools” (e.g. advanced technology and risk management tools) that are integrated across the FMI’s business lines and have been improved over time to manage cyber risks posed to the FMI proactively. There is no qualitative standard in the CROE as to what constitutes an “advanced” tool.
Innovating: In addition to meeting the “evolving” and “advancing” levels, FMIs’ capabilities across the business are “…enhanced as needed in order to strengthen cyber-resilience.” Again, in the absence of qualitative examples, this leaves much to interpretation. This may also risk a divergence between those taking the meet-or-explain approach of CROE quite seriously and those that merely window-dress. That in turn may mean that those embedding CROE more fully will want to ensure they have material readily available to show the oversight functions, in a concrete manner, how they are meeting various (vaguely drafted) expectations. This is especially the case as, in order to meet the innovating level, relevant in-scope FMIs are expected to demonstrate that they are “…driving innovation in people, processes and technology for the FMI and the wider ecosystem to manage cyber risk and enhance cyber-resilience. This may call for new controls and tools to be developed or new information-sharing groups to be created.”
While the CROE does recognize that all addressees are different, and thus that the means by which their capabilities meet the relevant levels will differ, the CROE is drafted in a technologically, operationally and jurisdictionally agnostic manner. CROE is also built around the following risk management pillars as components of an overall cyber-resilience framework, which firms will need to meet or explain why they do not or cannot meet the relevant criteria:
response and recovery
These principles in each of the thematic areas are translated into Sections of CROE that detail the overarching expectation and the qualitative features that must be fulfilled by an addressee to meet each of the levels from evolving to innovating. The common threads are summarized in the following sections below.
As a general observation, while some of what is set out in CROE may be familiar to a number of CROE addressees, especially larger FMIs, the depth of what is documented, and how, may be different, as the ECB’s expectations—regardless of whether at “evolving” or “innovating”—may go beyond what is currently in place in those organizations. This extends not only to policies and procedures but also to how decisions to act or refrain from acting in a particular context are justified, along with issues of data integrity.
Section 2.1 Governance begins with expectations on establishing a cyber-resilience strategy and framework. Conceptually some of this follows a similar approach to how the ECB-SSM communicated its supervisory expectations on transforming governance and culture in relation to non-performing loans and exposures. At the heart of that process, and the core of building a framework, is the setting-up of a cross-disciplinary steering committee of senior management and appropriate staff—including (external) contractors—from multiple business units to develop a holistic framework based on the threats to the firm as well as its risk tolerance for individual and enterprise-wide impacts. Stemming from the risk self-assessment exercise, CROE expects that organizations develop and then set their cyber-resilience strategy. This should also be aligned to the corporate strategy and the FMI’s “threat landscape”.
Moving on from frameworks and strategy documents, Section 2.1 of CROE looks at the role and involvement of the FMI’s “Board” (and one presumes this extends to other forums exercising similar governance and strategic steering functions), the skills and accountability of senior management, and ultimately the wider risk culture of the FMI. The Board is expected to take an active role in approving the cyber-resilience strategy and framework, setting the FMI’s risk tolerance, and implementing the framework in terms of policies, procedures and controls that support it. As with other EU and, more recently, ECB-SSM rules and/or expectations (that read like rules) relating to the Board and senior management, there is a need to demonstrate both individual and collective responsibility and ability. While there is an appreciation that a “senior executive”, e.g. the CISO, may have primary responsibility and accountability, demonstrating compliance with this supervisory outcome means having collective capabilities and the taking of ownership.
In terms of culture, the supervisory expectation and outcome is that in-scope FMIs apply and embed a top-down as well as bottom-up approach. Again, as with the documentation aspects in Section 2.1, the distinguishing features between each of the levels are largely the deepening degree of granularity expected in both the analysis of what affects a firm and the capabilities in place to maintain cyber-resilience. For FMIs that are “innovating,” appointing a “cyber-expert” to the Board is one of the qualitative features. Other qualitative measures include introducing cyber-resilience and risk threat updates as a standing Board meeting agenda item. In order to meet the “innovating” level, senior management is expected to cooperate proactively with other stakeholders across the ecosystem to promote a cyber-resilience culture more generally.
Section 2.2 addresses “identification”, specifically that FMIs should identify and classify the business processes and information assets that should be protected against compromise, and their external dependencies. FMIs are expected to identify and document all of their critical operations and functions, key roles, processes and information assets that support those functions, as well as third-party dependencies and interconnections, and to update that information periodically. This means having in place not only measures which aim to prevent intrusions from third-party connections and the ability to block those, but also validation of the FMI’s third-party relationship management and outsourcing arrangements by an independent audit function.
This risk inventory and risk assessment should be supported by a network map showing network resources with associated IPs that locates routing and security devices, servers supporting critical functions, and external linkages. Further, FMIs are expected to conduct risk assessments before deploying new and/or updated technologies, products, services and connections to identify potential threats and vulnerabilities. CROE follows the general supervisory trend amongst international peers that relevant organizations, including senior management and their Board (i.e. taking ownership and accountability beyond the IT staff), understand, map and manage their exposure to cyber-risk. This applies regardless of whether the connection or potential exposure is to financial or non-financial entities. CROE also expects that external map to be reflected in an understanding of the risks generated in internal functions, and thus in different business units and jurisdictions, measuring both qualitative and quantitative impacts and the mitigants that control risk generators and exposure threats.
Getting from “evolving” to “innovating” will, according to CROE, rest on automating information feeds and data management so as to strengthen a holistic enterprise-wide risk management. The CROE however is silent on what FMIs will need to do to test the resilience and accuracy of those very data feeds and does not address the concerns of many respondents during the consultation phase that automation may actually embed and hardwire risks from programming or other shortcomings.
Section 2.3 deals with the effective security controls, systems and processes that protect the confidentiality, integrity and availability of the FMI’s assets. The measures to be implemented may be applied in a proportionate manner and should reflect the risk and threat landscape in which the FMIs operate. FMIs are expected to “apply a defence in-depth strategy in line with a risk-based approach.” This is then clarified as meaning an FMI should implement multiple independent security controls so that, if one control fails or a vulnerability is exploited, alternative controls will still protect the targeted assets and/or processes.
In order to meet the “advancing” level criteria, the FMI is expected to develop and implement a bespoke information security management system (ISMS), which CROE states “…could be based on a combination of well-recognized international standards (e.g. ISO 27001, ISO 20000-1 and ISO 27103 etc.)”. Moreover, FMIs are expected to include cyber-resilience at the outset of the system design, development and acquisition lifecycle and thus embed “resilience by design”.
The Section also goes on to set out its expectations on network and infrastructure management. As a key principle, FMIs are expected to establish secure boundaries that protect the network infrastructure. This includes using routers, firewalls, intrusion prevention or intrusion detection systems, virtual private networks and appropriate use of proxies, as well as controlling device connectivity. The boundaries should separate trusted and untrusted zones, reflecting the risk profiles and criticality of the information assets contained in each zone. Change and patch management processes are expected to be covered by detailed policies and procedures, with active involvement of the cyber-security team.
Logical and physical access are also addressed in this Section, including role-based access controls that allocate system access rights and privileges to specific roles. FMIs are required to review such rights periodically and take appropriate action. Interactions with suppliers and third-party security management are also touched upon in CROE. This includes due diligence on the relevant party’s own systems and controls, and FMIs will need to factor that into the relevant onboarding process and risk review.
Embedding cyber-resilience into the recruitment and employee on-boarding process is also highlighted in the CROE as a priority area. Specifically, this Section calls for screening prospective applicants or contractors for cyber-related incidents, along with regular cyber-risk and resilience training. Moving to “innovating” under the criteria set out in this Section calls for greater use of automated solutions in the processes at various lifecycle steps, as well as individual steps and programs communicating with one another. CROE is equally silent here in terms
Section 2.4 discusses the expectations that FMIs will need to meet to show they have early detection capabilities for a potential or actual breach. Much of this Section echoes and builds upon what is set out in Section 2.1 – Identification. FMIs should have detailed incident response processes in place. Those FMIs that are “advancing” will have developed and implemented a security information and event management (SIEM) system, which correlates network and system alerts and other unusual activity in order to detect multi-faceted attacks. This Section also sets out that FMIs should, even at the “evolving” stage, establish procedures for collecting digital evidence in a “forensically acceptable manner” and maintain a “forensic readiness policy” to support forensic investigations. This may require some very technical drafting to meet both regulatory and IT specifications.
Response and recovery
Section 2.5 deals with how FMIs should set their Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). Both of these are key in setting the point to which systems should be restored in order to recommence business following a cyber-incident or attack, and how quickly one can recover to that point in time. Much of what is in this Section also echoes and reiterates what is set out in the TIBER-EU Framework in terms of having computer security incident response teams. As noted in our coverage of TIBER-EU, FMIs will have an interest in having a detailed Cyber-Response and Recovery Plan as well as escalation lists on file and in the field with the relevant colleagues.
The trend of building on the TIBER-EU Framework continues in Section 2.6 – Testing. This Section expects FMIs to conduct detailed and periodic vulnerability and penetration testing, including communicated scenario-based testing and covert “red teaming” tests. Moreover, FMIs are expected to develop, monitor and analyze detailed metrics of testing efficacy and to regularly conduct tests in collaboration with their peers, participants and third parties, in addition to industry-wide exercises that test cooperation and coordination along with communication plans.
Situational awareness and learning and evolving sections
This part of the CROE sets out what FMIs can do to monitor cyber threats in terms of intelligence, i.e., the tactics, techniques and procedures of attacks along with their targets. For those FMIs that would like to migrate to “advancing”, it goes a step further than the TIBER-EU Framework by expecting them to maintain a cyber-risk threat dashboard. The dashboard aims to capture all threats, including those that could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred previously.
Situational awareness also requires information sharing, and CROE considers it good compliance when FMIs establish trusted and safe channels of communication with direct stakeholders for exchanging information. The Learning and Evolving Section ties everything together: FMIs are expected to place emphasis on cyber-resilience awareness in order to deliver on the policies an FMI has in place and on the CROE expectations, including how to spot and report suspicious activity.
Outlook and next steps
CROE is another part of the emerging strategy by which the ECB, in its central banking and financial stability role, expands its expectations of FMIs, but also of those firms facing FMIs. The latter may also have additional Banking Union supervisory requirements. CROE’s focus means that FMIs and firms may need to revisit and/or expand the detail in documented policies and procedures, as well as how they evidence that cyber-resilience is embedded in a firm’s culture, people and processes.
Complying with CROE may also mean that a number of in-scope firms need to ensure that they have a clear and traceable trail of justifications (a degree of independent, documented challenge is desirable) as to why certain arrangements have been implemented to meet CROE’s expectations, or why they are proportionate. Some firms may find that, notably in terms of compliance monitoring, much of what CROE sets out in expectations could be complemented nicely by the measures set out in the BCBS Annexes to help achieve the meet-or-explain standard.
In terms of next steps, addressees, and those, such as BUSIs, which are likely to become addressees of similar measures, may want to consider performing a gap analysis between current documented and operational arrangements and what CROE expects, mapping plans to migrate to the relevant maturity level, and facilitating linkages with other market participants. As CROE provides prescriptive detail on what various policies ought to achieve in terms of outcomes, as well as detailed operative deliverables such as dashboards, affected parties may want to plan and involve stakeholders from early on, in particular as meeting CROE compliance is likely to be only one of many workstreams.