Cyber resilience and financial market infrastructures
Cyberattacks on financial market infrastructures (FMIs) have the potential to impact the entire financial ecosystem. This is because FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or, given the high level of interconnectivity, a major channel through which these shocks can be transmitted across domestic and international markets, putting financial stability at risk.
The threat of cyberattacks is further accentuated by their dynamic, evolving nature and because they are borderless. It is therefore essential that financial institutions and FMIs have an adequate level of cyber resilience to ensure their own safety as well as that of the entire ecosystem.
What's the ECB's role?
The ECB is responsible for overseeing a number of systemically important payment systems (SIPS) operating in the euro area. As these systems clear and settle payments across Europe, they are fundamental to the smooth functioning of the financial markets in the euro area.
As an overseer, the ECB needs to ensure that not only the individual SIPS have a strong level of cyber resilience, but the financial ecosystem as a whole is resilient against cyber threats.
What is being done at the international and European levels?
A significant amount of work has been undertaken internationally with regard to cyber risk and FMIs. In June 2016, the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures was published, providing FMIs with guidance on how to establish and operationalise a cyber resilience framework.
At the G7 level, the G7 Cyber Expert Group (G7 CEG) – of which the ECB is a member – is actively focusing on cybersecurity risks for the financial sector. Established in November 2015, the G7 CEG aims to identify and develop fundamental elements of cybersecurity in order to help financial entities address the risk of cyberattacks. The G7 CEG has published the following fundamental elements, representing a major step forward in this field:
- 13 October 2022: G7 Fundamental Elements for ransomware resilience for the financial sector
- 13 October 2022: G7 Fundamental Elements for third party cyber risk management in the financial sector
- 1 November 2020
- 24 October 2018
- 24 October 2018: G7 Fundamental Elements for third party cyber risk management in the financial sector
- 26 October 2017: Fundamental Elements for Effective Assessment of Cybersecurity in the financial sector
- 11 October 2016: G7 Fundamental Elements of Cybersecurity of the Financial Sector
In terms of legislation, the European Commission adopted the first Directive on security of network and information systems (NIS Directive) in July 2016. A revised version, the NIS2 Directive, expands the scope to new sectors and entities with a view to improving the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.
The Directive contains legal measures and incentives aimed at making the EU’s online environment secure by strengthening preparedness, cross-border cooperation, cyber incident reporting and information exchange.
Additionally, the Digital Operational Resilience Act (DORA) aims to strengthen IT security and harmonise operational resilience rules in the financial sector. DORA is part of the wider digital finance package introduced by the European Commission to foster innovation and competition in digital finance while addressing the associated risks. It will apply as of January 2025.
These initiatives all provide the basis for our work at the ECB and across the Eurosystem.
Eurosystem cyber resilience strategy
In March 2024 the Governing Council approved the revised Eurosystem cyber resilience strategy. The revised strategy aims to provide a consistent, holistic approach to addressing cyber risks. In a world of increasing interdependencies, sophisticated cyber threat actors, geopolitical tensions and evolving threats, the strategy’s overarching objective is to strengthen cyber resilience in the euro area by enhancing the cyber readiness of FMIs and payment entities, and by fostering sectoral resilience and collaboration.
The strategy covers FMIs as well as electronic payment instruments, schemes and arrangements overseen by the Eurosystem (under the oversight framework for electronic payment instruments, schemes and arrangements (PISA)). Apart from the Eurosystem-operated TARGET Services, other FMIs covered by the strategy include systemically important payment systems (SIPS), large-value payment systems (LVPS), prominently important retail payment systems (PIRPS), other retail payment systems (ORPS), central securities depositories (CSDs) and central counterparties (CCPs).
The strategy aims to put the CPMI-IOSCO guidance into practice and comprises three pillars:
- Entity readiness: work with FMIs and entities covered under the PISA framework to enhance their cyber resilience, with a view to ensuring their safety and soundness in the face of increasingly sophisticated threats.
- Sector resilience: enhance the overall cyber resilience of Europe’s financial sector through cross-border/cross-authority collaboration, information sharing and joint cyber crisis simulation exercises. Improving entities’ resilience enhances the cyber security effectiveness and preparedness of the sector as a whole.
- Strategic regulator-industry engagement: joint strategic and Board-level pan-European regulator-industry forums, established with a view to promoting trust and collaboration among participants, catalysing joint initiatives to enhance sector capabilities, and increasing cyber awareness.
The strategy also includes a provision for its detailed monitoring and continuous improvement. This will help us track progress, implement it in a harmonised manner in all jurisdictions, and allow for adjustments to ensure the strategy and underlying tools remain effective.
Pillar 1 – Entity readiness
The evolving nature of cyberattacks makes it necessary to ensure that entities strengthen their individual level of cyber maturity.
Pillar 1 aims to ensure that the CPMI-IOSCO guidance is put into practice in a consistent manner by implementing a harmonised approach to assessing entities in the euro area against the guidance. In addition, the Eurosystem has developed tools to help entities regularly assess their cyber readiness and protect themselves against unpredictable and increasingly sophisticated cyber threats.
One of these tools is TIBER-EU, a European red team testing framework which gives guidance on how to carry out “friendly attacks” that mimic the tactics, techniques and procedures of real attackers, based on bespoke threat intelligence. These friendly attacks target the processes, technologies and staff of an FMI without prior warning in order to test its protection, detection and response capabilities.
Overseers also use other tools, such as cyber surveys and assessments based on the cyber resilience oversight expectations, to assess the level of cyber maturity of Eurosystem financial entities and provide more detailed guidance to financial market infrastructures.
Pillar 2 – Sector resilience
Given the high degree of interconnectedness in the financial ecosystem, an entity’s resilience depends not only on its own readiness, but also on that of its participants, third-party service providers and other interconnected entities. It is therefore essential that there is a high level of cyber resilience across the ecosystem as a whole, including the third parties and the technology and ICT service providers to which financial entities are connected.
Pillar 2 focuses on strengthening the sector’s cyber resilience by understanding operational interdependencies and overall cyber preparedness. It does this through sector mapping, performing critical service provider surveys, promoting scenario-based exercises, fostering cross-border and cross-authority collaboration, establishing effective information sharing and implementing market-wide business continuity exercises.
Pillar 3 – Strategic regulator-industry engagement
To address the continuously evolving threat landscape, increased digitalisation and interdependencies in the financial sector, it is imperative that all relevant participants, both regulators and market participants, can work together in a trusted environment.
Pillar 3 aims to ensure regular pan-European cyber forums take place with Board-level participation by regulators and market participants. In this vein, the Euro Cyber Resilience Board for Pan-European Financial Infrastructures (ECRB) was established in 2017.
Together with market participants, the ECRB has developed effective solutions to address the cyber challenges the financial sector is facing. Furthermore, the ECRB’s Cyber Information and Intelligence Sharing Initiative (CIISI-EU) aims to facilitate the sharing of information and best practices between financial infrastructures to raise awareness of cyber threats.