The securities industry appears so far to have experienced fewer cyber-attacks than the payments industry, but that does not mean it is not being attacked already, or immune to a catastrophic failure of cyber-security. Marc Bayle, director general, market infrastructure and payments, at the European Central Bank (ECB), warns that CSDs may experience cyber-attacks locally but they must combat them globally by sharing information. By collaborating, CSDs can detect and defeat cyber-attacks earlier, and recover from them more quickly and completely.
Cyber-security has become something of a buzzword of late. But for Marc Bayle, director general, market infrastructure and payments, at the European Central Bank (ECB) in Frankfurt, only the label is really new. When he joined the ECB in 1997, the central bank and the European securities market regulators had just published a set of guidelines for systemically important financial market infrastructures (FMIs) that obliged them to put in place business continuity and disaster recovery plans. “Cyber-security used to be called information security,” says Bayle. “The authorities have always been concerned about protecting critical systems and data.”
Technology has changed the nature of cyber-threats
That said, Bayle does appreciate that the nature of the information security problem has changed. “What has altered is that a new generation of technology has caused a paradigm shift in how we approach questions of resilience and recovery,” he says. “Previously, the focus was on protecting the core assets of the most important FMIs and their critical participants, as measured by the volume of transactions they initiated and the value of the assets they held. Now, it is clear that the weakest point of the wider eco-system determines the strength of the system as a whole.”
A vivid illustration of this network dependency was provided by the theft in February 2016 of $101 million from the account of the Bangladesh Bank at the Federal Reserve Bank of New York, carried out through fraudulent payment instructions sent from the central bank's own compromised systems. “The central bank of Bangladesh was not a critical customer of the Fedwire service, but it still gave access to valuable assets held at the Federal Reserve,” explains Bayle. “So cyber-security today means going beyond the protection of the core assets and the critically large participants. You have to protect the entire eco-system, and that changes completely your whole approach to cyber-security.”
Unlike 1997, when the Internet was in its infancy, the entire globe is now digitally networked. “Thanks to technology, we are in an increasingly inter-connected and globalising marketplace,” says Bayle. “Blockchain only reinforces that reality – it implies that the centre is no longer the relevant focus of protection. The network is.” This is as true of the securities markets, in which central securities depositories (CSDs) are the most important infrastructures, as it is of the cash payments markets.
Though the sheer complexity of the securities markets has so far provided a measure of protection against cyber-attack, Bayle warns that their systemic importance and the value of the assets being held and transferred make them a tempting target for criminal, hacktivist and State-sponsored cyber-attackers. “The way in which value is held and transferred in the securities industry is more complex than in the payments industry, which simply moves money around,” he says. “But that does not mean the securities industry is immune to attack. The question is not if the securities industry will be attacked, but when.”
In fact, Bayle argues that the securities industry is under attack already, not from well-aimed assaults (such as the North Korean attack on the Bangladesh Bank) but from attacks which impact all sorts of industrial sectors (such as the series of attacks using the “Petya” ransomware). “I am not sure there are fewer attacks on the securities industry than the payments industry,” says Bayle. “It is just that when there is a successful, well-directed attack on a central bank or a payments industry infrastructure, we hear about it. We hear less about ransomware attacks, because companies, including securities companies, often choose to pay a relatively small amount to solve the problem.”
Information-sharing is crucial to anticipate and defeat cyber-attacks
It would be wiser, says Bayle, if companies chose to share information about attacks with regulators and peers rather than simply protect their reputation by paying a ransom and telling no one. After all, the technique used by the cyber-attackers to steal from the Bangladesh Bank was known and understood, because it had been used in earlier, smaller-scale cyber-attacks. “This tendency to keep details of attacks confidential is now being remedied,” says Bayle. “Central banks and regulatory supervisors now require victims to share information about attacks, so there is greater transparency.”
That information-sharing, he continues, needs to extend beyond the immediate counterparties. “We are all of us exposed to third parties which are neither FMIs nor central banks, such as suppliers of hardware and software and telecommunications services,” says Bayle. “The risk they represent can only be solved by collaboration between customers of the products and services of commercial vendors. There is no aspect of cyber-security which is purely infrastructural, or national or local. Cyber-security is a systemic problem and a global problem, and it must be looked at globally and systemically.”
He adds that the effectiveness of information-sharing was proved by the response of Dutch banks to a wave of distributed denial of service (DDoS) attacks. Because they collaborated to understand its character at an early stage, the Dutch banks were able to defeat the DDoS attack before it caused extensive damage. “Sharing information is important,” says Bayle. “And where nothing is being done, the authorities have to encourage it.” The ECB is doing exactly that. In January this year it established the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB) to encourage FMIs to collaborate on cyber-security.
“The ECRB provides a forum where FMIs and regulatory authorities can exchange information ahead of attacks, and work together after attacks to accelerate recovery from them,” explains Bayle. “To achieve that, you have to create trust between FMIs, regulatory authorities and – eventually – market participants.” The principal objective of the ECRB is to identify cyber-security threats, place them in order of priority, and then develop strategies for dealing with them.
The priorities are protection, detection and recovery
Some priorities choose themselves, says Bayle. Protecting the integrity of data, so it remains reliable, is one. Another is to ensure that critical services (such as settlement of securities transactions) are not compromised for more than a couple of hours at the most. A third is to safeguard the confidentiality of sensitive information. “These are the three areas in which the ECRB is looking to determine whether we are vulnerable or not,” explains Bayle. “We want to be able to detect, protect and, if necessary, recover. But the thinking along these three dimensions must always remain dynamic.”
The main reason thinking has to be dynamic is that cyber-threats mutate constantly, and cyber-attackers adapt their own strategies in response to successful counter-strategies. As defenders close one possibility, attackers search elsewhere for points of vulnerability. As Bayle argues, there is limited value in monitoring potential attackers, as opposed to understanding the techniques they use, and their potential consequences. “The most successful attacks are State-sponsored but we are more concerned about the potential effects of attacks than the nature or motivations of the attackers themselves,” he says. “Our goals – detect, protect, recover – remain the same, whatever the origin of the attacker.”
Implement the CPMI-IOSCO recommendations on cyber-security
But if the strategy is clear, how to get a disparate group of FMIs and central banks, even in a single area such as the eurozone, to invest sufficient resources in implementing the chosen strategy is far from straightforward. It helps that the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) issued their Guidance on cyber resilience for financial market infrastructures in June 2016, since it provides internationally agreed guidance on cyber-security for FMIs.
The CPMI-IOSCO document advises FMIs to ensure governance of cyber-security is effective, put plans in place to recover rapidly from attacks, invest in actionable threat intelligence and testing, and instil a culture of cyber-security awareness throughout the organisation. “FMIs need to make sure there is a strong awareness of the cyber-threat environment throughout their organization,” says Bayle. “That means speaking to your staff and speaking to every entity in the eco-system, continuously, so that they are always aware of the wider context.”
The CPMI-IOSCO report reiterates the familiar warning that cyber-security cannot be achieved by any one FMI acting in isolation. The establishment of the ECRB is a sign that European regulators are taking this recommendation seriously. But Marc Bayle points out that the Euro-system has gone further still. In March 2017, it published its own cyber-resilience strategy for FMIs, with the specific aim of driving widespread implementation of the CPMI-IOSCO recommendations not just through collaboration and information-sharing, but via market-wide testing of cyber-attack scenarios and recovery strategies.
Furthermore, European FMIs are also bound by a set of cyber-resilience oversight “expectations” published by the Euro-system on 3 December 2018. “The expectations are more demanding than they sound,” explains Bayle. “They are a firm regulatory framework designed to put pressure on European FMIs to adapt to the rapid evolution of cyber-threats. An FMI cannot now do nothing about cyber-resilience without falling out of compliance with a regulatory framework that applies to them.”
Resistance by FMIs to the investment necessary to meet those expectations is countered by the Euro-system with an obvious truth: the price of failing to invest in cyber-security is potentially unlimited. That said, the Euro-system is not unrealistic. “We have set the bar high,” explains Bayle. “But we also recognise we have to find a balance between increasing cyber-resilience and keeping the cost of implementation at a reasonable level.”
This flexibility was evident after the two-month consultation period on cyber resilience expectations closed – concessions of the best-is-the-enemy-of-the-good kind were made – but the Euro-system nevertheless insisted this summer that the major national CSDs, central counterparty clearing houses (CCPs), payments market infrastructures (PMIs) and central banks war-game a range of potential cyber-attacks.
The full lessons of this exercise will be published shortly, but some key issues are already evident. The legal basis on which FMIs can exchange information needs to be beyond dispute; understanding of the value at stake between FMIs needs to be improved; and the challenge of co-ordinating the data needed for a rapid post-incident recovery needs to be overcome.
Cross-border co-ordination of data is essential to rapid recovery
“For an eco-system to recover its capacity quickly after a cyber-attack, you require a very strong co-ordination mechanism in the area of data,” explains Bayle. “If a database is compromised within an eco-system, you have to make sure that, if you are trying to re-start activities from a clean sheet of paper, you have synchronised all members of the eco-system so that they are starting from the same set of data at the same time. That requires a high degree of co-ordination before services can be resumed. It is an element on which there is clearly still work to do.”
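The requirement Bayle describes, that every member of an eco-system restarts from the same data at the same time, can be checked mechanically before services resume. The following is an added example, not code from the article, the ECB or any FMI: each participant publishes the recovery point it intends to restart from and a snapshot of the shared records, and the check refuses to let anyone resume until recovery points match and every record carries the same content everywhere. Participant names (CSD_A, CSD_B, PMI), the record layout and all sample data are constructed for illustration.

```python
"""
Added example, not from the article or the ECB: a minimal reconciliation
check of the kind an eco-system would run before restarting services from
a common recovery point. Each participant publishes its recovery point
and a snapshot of the shared records; nobody resumes until all agree.
Participant names, record layout and sample data are constructed.
"""
import hashlib
import json
from typing import Dict, Tuple

# A snapshot is one participant's view of the shared records at a
# recovery point: {record_id: record_fields}.
Snapshot = Dict[str, Dict[str, object]]


def canonical_digest(record: Dict[str, object]) -> str:
    """SHA-256 over canonical JSON, so field order cannot cause false mismatches."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def snapshot_root(snapshot: Snapshot) -> str:
    """One digest over all records in id order; a cheap first comparison."""
    h = hashlib.sha256()
    for rid in sorted(snapshot):
        h.update(rid.encode())
        h.update(canonical_digest(snapshot[rid]).encode())
    return h.hexdigest()


def reconcile(participants: Dict[str, Tuple[str, Snapshot]]) -> dict:
    """
    participants: name -> (recovery_point, snapshot).
    Returns a report saying whether everyone may resume and, if not, which
    check failed: different recovery points, records missing at some
    participants, or records whose content differs between participants.
    """
    points = {name: rp for name, (rp, _) in participants.items()}
    report = {"can_resume": False, "recovery_points": points,
              "missing": {}, "divergent": {}, "reason": ""}
    if len(set(points.values())) != 1:
        report["reason"] = "participants are not at the same recovery point"
        return report
    roots = {name: snapshot_root(snap) for name, (_, snap) in participants.items()}
    if len(set(roots.values())) == 1:
        report["can_resume"] = True
        report["reason"] = "all snapshots agree"
        return report
    # Roots differ: find the records responsible so they can be resolved.
    digests = {name: {rid: canonical_digest(rec) for rid, rec in snap.items()}
               for name, (_, snap) in participants.items()}
    all_ids = set().union(*(d.keys() for d in digests.values()))
    for rid in sorted(all_ids):
        held = {name: d.get(rid) for name, d in digests.items()}
        missing = sorted(name for name, dig in held.items() if dig is None)
        if missing:
            report["missing"][rid] = missing
        distinct = {dig for dig in held.values() if dig is not None}
        if len(distinct) > 1:
            report["divergent"][rid] = {n: dig for n, dig in held.items() if dig is not None}
    report["reason"] = "snapshots differ; resolve before resuming"
    return report


# Constructed sample: three participants claim the same recovery point.
# CSD_B stores the same two transfers as CSD_A but with one tampered
# quantity; the payment system's copy lacks the second record entirely.
RECOVERY_POINT = "rp-0042"
CSD_A: Snapshot = {
    "T1": {"isin": "AAA", "qty": 100, "deliverer": "P1", "receiver": "P2"},
    "T2": {"isin": "BBB", "qty": 50, "deliverer": "P2", "receiver": "P3"},
}
CSD_B: Snapshot = {
    "T1": {"receiver": "P2", "deliverer": "P1", "qty": 100, "isin": "AAA"},
    "T2": {"isin": "BBB", "qty": 500, "deliverer": "P2", "receiver": "P3"},
}
PMI: Snapshot = {"T1": dict(CSD_A["T1"])}


def demo() -> dict:
    """Run the reconciliation over the constructed sample."""
    return reconcile({"CSD_A": (RECOVERY_POINT, CSD_A),
                      "CSD_B": (RECOVERY_POINT, CSD_B),
                      "PMI": (RECOVERY_POINT, PMI)})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. Records are hashed over canonical JSON so that two participants holding the same record in a different field order are not reported as divergent, and the per-record digests, rather than the records themselves, are what participants exchange, so the check can run across institutions without anyone disclosing the underlying transaction data. On the sample, the report blocks the restart, names T2 as divergent between the two CSDs and as missing at the payment system, and leaves T1 untouched.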
The need to co-ordinate recovered data is yet another reminder that, in a networked world, cyber-security cannot be achieved in one country. “Increasing global connectivity means that, if one market infrastructure cannot work, it will affect all other market infrastructures,” explains Bayle. “When FMIs open accounts with each other, they agree to comply with the local cyber-security standards, so it helps that those standards conform as far as possible to a global standard. That means compliance with the CPMI-IOSCO recommendations.”
As it happens, cross-border co-ordination is one dimension in which even Europe still has work to do. The 2016 European Union (EU) directive on the Security of Network and Information Systems (NIS Directive) obliges member-states to identify crucial infrastructural assets that need protection from cyber-attack, and to devise recovery plans, but it ignored the linkages between them. “One of the drawbacks of the NIS Directive is that the plans are always drawn up in a purely national context,” says Bayle. “It forces market infrastructures and central banks to think about protecting and recovering from cyber-attacks before they occur, but it makes no provision for co-ordinating these efforts across national borders.”
This is why Bayle believes the next major challenge in cyber-security is to formulate and implement a global governance regime to manage crises that can cross national borders. “None of the institutions that attend the World Forum of CSDs (WFC) is immune from attack,” he says. “We are all at risk. In an inter-connected and globalised financial system, we cannot afford to think about cyber-security in isolation from each other either. We have to think and act together to devise solutions.”
Tuesday 9 April 2019
Marc Bayle de Jesse, Director General, Market Infrastructure and Payments at the European Central