
Core Pillar #1: Strengthen operational cyber resilience and collective defense to shield the financial sector against cyber threats.

Problem Statement: Preparing for the Next Crisis

In March 2017, G20 Finance Ministers and Central Bank Governors warned for the first time that “the malicious use of Information and Communication Technologies could . . . undermine security and confidence and endanger financial stability.”1 Consequently, the G20 tasked the FSB with taking stock of approaches on cybersecurity and the financial system; that FSB report was published in October 2017.2 A year later, the FSB also published a cyber lexicon to promote a common language in the industry.3

In the meantime, many individual jurisdictions have been developing approaches to address the risk of cyber incidents. Cyber incidents (attacks or system failures) are inevitable, especially when financial institutions are increasingly digitally interconnected. Firms must be ready to withstand them and maintain operations.4 While operational risk has been a fundamental tenet of financial risk management for more than a decade, the term operational resilience—“the ability of firms and financial market infrastructures (FMIs) and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions”5—is still emerging as a foundational principle of financial risk management. Central to operational resilience is cyber resilience.

There is broad agreement that the financial sector should embrace operational resilience in order to withstand and recover from nonfinancial shocks and to protect financial stability. In February 2020, Christine Lagarde, the former managing director of the IMF and now head of the ECB, warned that a cyber attack had the potential to trigger a liquidity crisis.6 Just how operational resilience should be implemented and achieved remains unclear.

Managing cyber risk is still a challenge for regulatory and supervisory authorities. According to Arthur Lindo, a senior official from the U.S. Federal Reserve Board and chair of the BCBS Operational Resilience Group, “traditional regulatory approaches will not be adequate for meeting the challenges of this new environment. [Cyber risk] is requiring [a] regulatory approach that is significantly different from those we use for capital, liquidity and other major risk stripes.”7

Activities of the G7 Finance Track CEG

  • “Fundamental Elements of Cyber Security for the Financial Sector” (2016)8
  • “Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector” (2017)9
  • “Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector” (2018)10
  • “Fundamental Elements for Threat-led Penetration Testing” (2018)11
  • “Cybersecurity: Coordinating Efforts to Protect the Financial Sector in the Global Economy” (May 2019)12
  • G7-wide simulation exercise (2019)13

The financial community is currently debating how regulators should create new tools and expectations to ensure operational resilience across jurisdictions. Both financial institutions and regulators have incentives to effectively mitigate risks from cyber incidents,14 but there is debate about what is required of firms. Achieving operational resilience requires a comprehensive approach to prevention, adaptation, response, recovery, and learning. Consequently, operational resilience has many subcomponents, including impact tolerances, penetration testing, third-party risk management, incident response and crisis management, information sharing, incident reporting, governance, and a common lexicon.

Figure 4 illustrates how the thinking about cyber risks in the context of the financial system has evolved.

Industry has raised concerns about financial authorities’ divergent and inconsistent approaches and has called for an “international common approach.”15 Harmonizing regulation internationally, industry representatives argue, will reduce the cost of complying with multiple regimes and free up resources for operational activities.

Mapping the Status Quo: Current Approaches and Specific Areas of Focus

National Approaches Trump International Cooperation

The concept of “operational resilience” emerged as a key focus among national supervisory and regulatory authorities in 2016, as highlighted in Figure 5.16 The United Kingdom’s 2018 discussion papers cemented the term across the sector, and authorities in the United States, Singapore, and the EU also developed their own perspectives on the topic.

This section summarizes and analyzes the approaches of five key jurisdictions—the United Kingdom, the EU, Singapore, the United States, and India—chosen for their centrality and thought leadership in the global financial system.

United Kingdom

The Bank of England (BoE), the Prudential Regulation Authority, and the Financial Conduct Authority (FCA), here referred to in the aggregate as the United Kingdom Financial Service Authorities (UK FSAs), were among the first financial authorities to advance the concept of operational resilience.

Starting in July 2018, the UK FSAs published a series of discussion papers, “Building the UK Financial Sector’s Operational Resilience,” that drew focus away from firms’ ability to prevent disruptions and refocused attention on ensuring that individual firms and the financial sector had the ability to withstand disruptions, or “shocks.”17 In December 2019, the UK FSAs proposed an operational resilience framework based on industry feedback that called upon financial institutions and FMIs to set impact tolerances for key business services by “quantifying the acceptable level of disruption through severe . . . but plausible scenarios.”18 Importantly, the UK FSAs noted that they would refine their framework based on emerging international standards.19

The United Kingdom has a number of other important initiatives related to operational resilience. To support sector-wide penetration testing, the BoE developed CBEST, an intelligence-led penetration testing framework for systemically important firms and FMIs.20 According to the BoE, “The implementation of CBEST will help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber-attacks that could undermine financial stability in the U.K.”21

The United Kingdom has also hosted and taken part in a number of cybersecurity exercises. The UK FSAs hosted the Waking Shark I and II exercises in 2011 and 2013, and the 2018 SIMEX18 exercise likewise simulated a prolonged and broad cyber attack.22 In 2015, the United Kingdom and the United States held a joint exercise testing the stability of the financial system during a cyber incident.23 Many UK firms participate in the regular Quantum Dawn exercises hosted by the Securities Industry and Financial Markets Association (SIFMA).24 Relatedly, to support information sharing, the United Kingdom runs the Cyber Security Information Sharing Partnership, a joint industry/government initiative led by the National Cyber Security Centre (NCSC) that provides threat intelligence to key financial institutions.25

Public-private mechanisms like the Cross Market Operational Resilience Group (CMORG) or the Financial Sector Cyber Collaboration Centre (FSCCC) enable cooperation on exercises and information sharing in the UK financial sector. For example, CMORG is a platform for senior public and private sector executives to rehearse how to respond to a major crisis event and to establish what the Bank of England calls “common reflexes.”26 The group is jointly chaired by Lyndon Nelson of the Bank of England and Stephen Jones, CEO of UK Finance, the London-based financial services industry association.27 A subgroup of CMORG, the Sector Exercising Group, manages the sector’s annual exercise regime, including simulations of major cyber incidents like SIMEX18.28

In short, the UK FSAs are key thought leaders on operational resilience, and the outcome of their consultation process will likely shape the international dialogue around this issue.

The European Union

The EC, the European Central Bank (ECB), the European Supervisory Authorities (ESAs), and individual EU member states have explored, tested, and implemented new approaches to strengthen the cyber and operational resilience of the financial system. Nonetheless, according to a September 2020 assessment by the EC, “Overall, the financial sector stability and integrity are not guaranteed and the single market for financial services remains fragmented.”29 The new “Digital Finance Strategy for the EU” therefore puts harmonizing operational resilience approaches front and center in the EC’s legislative agenda, which will likely lead to greater convergence among national approaches in the coming years.

Activity by the European Commission

In March 2018, the EC’s FinTech Action Plan called for the ESAs to issue ICT risk management requirements for the EU financial sector.30 In 2019, the ESAs published the “Joint Advice of the European Supervisory Authorities,”31 which noted that “efforts should be made toward greater harmonization” and toward improved third-party risk management. In late 2019, the European Banking Authority (EBA) published its “Guidelines on ICT and Security Risk Management,” which entered into force on June 30, 2020.32 Among other things, these guidelines call for firms to conduct “business impact analysis by analyzing their exposure to severe business disruptions.”33 The EBA has also published guidelines on outsourcing arrangements.34

In 2019, the EC focused on updating its regulations for Europe’s financial sector. In December 2019, the EC launched a consultation initiative, “Digital Operational Resilience Framework for Financial Services: Making the EU Financial Sector More Secure.”35 Aware of the financial service industry’s concerns around harmonization, the consultation noted: “It is essential that financial supervisors’ efforts work in a harmonised and convergent framework.”36 The European Banking Federation (EBF), the EU’s largest financial trade organization, welcomed the EC’s consultation: “The interconnectedness of all actors within the financial ecosystem, incl. [sic] third party providers, and the evolution of ICT risks highlight the need for a common minimum security for the financial sector as a whole, based on international coordination.”37

In September 2020, the EC released a new digital finance strategy for the EU in conjunction with a “digital finance package” of legislative proposals. The new strategy warns that coronavirus has “increased reliance on digital and remote technologies,” which has only increased the urgency of action: “The EU cannot afford to have the operational resilience and security of its digital financial infrastructure and services called into question.”38

The legislative package includes the Digital Operational Resilience Act (DORA) for the financial sector, which was prompted by an observed “minimum harmonization [that left] room for national interpretation and fragmentation.” 39 DORA aims to strengthen firms’ management of ICT risks, increase the capacity of supervisors, improve testing of financial systems, and upgrade oversight of third-party ICT providers.40 DORA reinforces that EU authorities are particularly concerned with third-party risk, especially that posed by cloud service providers. Most importantly, the legislation addresses the ESAs’ 2019 call to create “an appropriate oversight framework for monitoring critical service providers”;41 DORA proposes a framework that would enable “continuous monitoring of the activities of ICT third-party service providers that are critical providers to financial entities.”42

Activity by the European Central Bank

The ECB has also played a central role in advancing initiatives on cyber resilience across the EU. In 2017, the ECB Executive Board voted to establish the Euro Cyber Resilience Board (ECRB) for pan-European Financial Infrastructures, a forum for senior officials to advance cyber resilience policy. In December 2018, the ECB published a set of “cyber resilience oversight expectations” (CROE) to provide guidance to FMIs and their overseers. The ECB also hosts UNITAS, a cybersecurity exercise that tests the resilience of crisis communications between supervisors and firms.

Since its launch in 2018, the ECRB has focused on tackling effective cross-border information sharing between financial infrastructures. In February 2020, the ECRB launched the Cyber Information and Intelligence Sharing Initiative (CIISI-EU), which brings together a range of public and private stakeholders: pan-European financial infrastructures, operational teams within central banks, critical service providers, the European Union Agency for Cybersecurity (ENISA), and Europol.43 CIISI-EU provides a technical platform for public-private information sharing, notably including strategic intelligence regarding nation state activity. To prevent mistrust between private companies and authorities from chilling the exchange of information, all content is siloed outside the purview of the supervisory functions of participating public authorities.44

Additionally, in 2018, the ECB published the Framework for Threat Intelligence-Based Ethical Red Teaming (TIBER-EU), based on the original Dutch TIBER-NL framework. TIBER-EU gives central banks and financial authorities guidance on working with financial institutions to run controlled, threat intelligence-led red team tests against live production systems, mimicking the tactics of real attackers. TIBER-EU aims to overcome barriers of mistrust by generating practical results for financial institutions and by fostering community and collaboration from the bottom up. To this end, the ECB chairs a TIBER-EU Knowledge Centre where participants convene, share experiences, and plan mutual cross-border tests. To date, TIBER-EU has been adopted by twelve EU member states, and adoption continues to grow.45

Individual EU Member States

EU member states have developed national approaches to operational resilience that mostly complement the EU’s work over the last two years. Key guidance and regulations from G7 states include: guidance on cloud computing from France’s Prudential Supervision and Resolution Authority (ACPR), the Bank of Italy’s guidance on outsourcing risk management, and governance expectations from Germany’s Federal Financial Supervisory Authority (BaFin).

One particular concern is how operational resilience will be implemented at a supra-national level, within the EU’s single market, given the national security implications of financial (in)stability. This concern was expressed during a meeting of the EU’s Economic and Financial Affairs Council in September 2019: “The designation of financial services as critical infrastructure might lead Member States to increasingly declare financial regulation a matter of national security, thus undermining internal market objectives. . . . An approach reconciling security and internal market objectives is therefore needed.”46 CIISI-EU and TIBER-EU can be seen as first attempts to balance these competing equities, and DORA is a signal that the European financial system is moving toward a coordinated approach to operational resilience. However, overcoming barriers of trust will require persistent and practical collaboration that clearly demonstrates value to member states.

Singapore

Singapore is another key thought leader in the cybersecurity domain. The Cyber Security Agency of Singapore (CSA) is responsible for cybersecurity nation-wide and works closely with the MAS on cyber security and resilience in the financial sector. Singapore’s Cybersecurity Act, which entered into force in March 2018, establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Its key objectives are to strengthen critical information infrastructure against cyber attacks; authorize the CSA to prevent and respond to cybersecurity threats and incidents; establish a framework for sharing cybersecurity information; and establish a light-touch licensing framework for cybersecurity service providers.47

With respect to cybersecurity and operational resilience in the financial sector, the MAS, through its Technology and Cyber Risk Supervision Department, has issued a number of innovative regulatory cyber risk management approaches over the last decade. In June 2013, the MAS issued a “Notice on Technology Risk Management,” which establishes legally binding requirements for the availability and recoverability of critical systems, recovery time, and incident reporting, alongside a set of nonbinding Technology Risk Management Guidelines.48 The MAS is currently revising the guidelines to reflect a more principles-based approach.49

In March 2019, the MAS proposed changes to their Technology Risk Management Guidelines and Business Continuity Management (BCM) guidelines, citing concerns about the increase in the scale and frequency of cyber attacks.50 The proposed revisions in the BCM guidelines intend to raise the standards for financial institutions to better account for interdependencies across their operational units and linkages with external service providers in their business continuity plans. The draft’s initial reference to “minimum performance levels”—not too dissimilar from the UK’s concept of “impact tolerances”—is being reviewed following the public consultation process.

In short, the MAS has become an international thought leader in building cyber resilience. For example, the MAS served as co-chair in developing the CPMI-IOSCO cyber guidance, one of the earliest international efforts focused on operational resilience.51 The MAS also partnered with the FS-ISAC to establish the Asia Pacific Regional Analysis Centre and the Central Banks, Regulators, and Supervisory Entities (CERES) Forum, an information-sharing group for financial authorities, to combat cyber threats more effectively.52 Furthermore, Singapore has expanded its international cooperation through cybersecurity exercises such as the September 2019 Exercise Cyber Star and the November 2019 Exercise Raffles.53

The United States

In the United States, the Board of Governors of the U.S. Federal Reserve System (the Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) issued an advance notice of proposed rulemaking around “enhanced cyber risk management standards” in 2016. These rules were to be issued in 2017 but were then deprioritized.54 Two years later, the Financial Times reported that U.S. regulators were working on a “cross-agency approach to testing banks against attacks that could crash global payments networks, expose customer data or otherwise threaten the integrity of an industry.”55 The Fed had reopened the consultation process for the proposed “Enhanced Cyber Risk Management Standards,” suggesting that resilience is once again becoming a priority.56

There are indications that the United States is more sympathetic than other jurisdictions to industry concerns about regulatory harmonization. For example, in 2018, Randal Quarles, vice chairman for supervision at the Fed, stated in a speech to the Financial Services Roundtable: “We support industry efforts to improve harmonization across the sector, which are complementary to achieving our regulatory safety and soundness goals.”57 He concluded that the Federal Reserve’s approach to cybersecurity “may not have fast results” but was focused on “getting it right.”58 A year later, during testimony before the U.S. House Committee on Financial Services, JPMorgan Chase CEO Jamie Dimon reiterated industry’s complaint about the conflicting cybersecurity regulations firms were facing. The Financial Times reported that Dimon and other financial CEOs went on to meet with U.S. Treasury Secretary Steven Mnuchin to discuss improving harmonization of cybersecurity requirements.59

In short, the United States is embracing operational resilience but moving more slowly, prioritizing regulatory harmonization and private sector input over speed. Arthur Lindo, deputy director of supervision and regulation at the Fed, explained the reasoning behind the U.S. approach: “We have changed [the Fed’s] focus from developing operational resiliency expectations that are primarily regulatory driven to developing expectations that are harmonized to leading industry standards and best practices and reflect significantly more input from firms before we establish specific resiliency tolerances.”60

Even with this more deliberate approach, cyber resilience remains a priority for U.S. financial supervisory authorities. In its 2020–2023 strategic plan, the Fed committed to “evolve policy and supervisory capabilities to keep pace with financial technology innovation and operational vulnerabilities, including cyber security.”61 During the January 2020 meeting of the Fed’s Federal Open Market Committee, some participants raised concerns “that cyber-attacks could affect the U.S. financial system,” signaling attention to the issue among senior leadership.62

In addition to the Fed, individual states, specifically New York, have outsized influence on the financial sector’s resilience efforts. This is in part because the U.S. financial sector is heavily clustered around New York, and the New York State Department of Financial Services (NYDFS) has led a significant portion of cyber risk supervision. In 2016, NYDFS published its “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR Part 500, in force since March 2017), a major revision to existing cybersecurity supervision requirements that focused less on prevention and more on recovery from cyber incidents.63

India

India’s approach to cyber resilience and operational resilience is mainly driven by its central bank, the Reserve Bank of India (RBI). In 2016, the RBI published a circular calling for a cyber security framework for Indian banks; this document warned that “banks should immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats.” The framework also called for banks to establish security operations centers as soon as possible.

India’s other financial authorities have also been proactive in addressing cyber risks over the last five years. In 2015, the Securities and Exchange Board of India published a framework on cyber security and cyber resilience for FMIs, specifying that “cyber security frameworks include measures, tools and processes that are intended to prevent cyber attacks and improve cyber resilience.”64 In 2018, the Insurance Regulatory and Development Authority of India issued a circular outlining guidance on cybersecurity risk for India’s insurance companies, including requirements on a cyber security assurance program, a gap analysis report, and a cyber crisis management plan.65 Other key actors in India like the National Cyber Security Coordinator and the National Critical Information Infrastructure Protection Centre also play an active role in promoting cyber resilience across the financial sector.

Created by the RBI in 1996, the Institute for Development and Research in Banking Technology (IDRBT) incubated the Indian Banks–Center for Analysis of Risks and Threats (IB-CART) in 2014; IB-CART is modeled after FS-ISAC and the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. Today, IB-CART facilitates information sharing across India’s financial sector. It was the first such sector-specific center in India and, according to IDRBT, has since “become a model of other critical sectors.”66 According to IDRBT’s website, “The IB-CART now has more than ninety users from over sixty public, private and foreign banks in India. The IB-CART advisory council has nine members with representation from public and private sector banks and CERT-IN.”67 IDRBT also led the development of a 2016 cyber security checklist for supervised entities within India’s financial sector. The checklist aims to “help banks in identifying any gaps in cybersecurity systems” and “help board level subcommittees on risk management and information security on monitoring the cyber defence preparedness of banks.”

In 2019, to address the evolving threat landscape, the RBI centralized all regulatory and supervisory functions related to cyber risk within its Cyber Security and IT Risk Group, located in a newly created Department of Supervision. In addition, the RBI, together with CERT-In, hosts cybersecurity exercises for the financial sector; as of July 2020, thirteen such exercises had been held.68

In response to the coronavirus pandemic, the RBI has begun taking further action to address heightened cyber risk to India’s financial sector, in particular its payments markets. The rise in cyber threats also prompted the RBI to work in close coordination with CERT-In to combat cyber-enabled fraud.69 CERT-In began tracking cyber threats, analyzing threat intelligence, and helping the RBI issue advisories to financial sector chief information security officers (CISOs).70 The RBI has been working proactively with the Economic Offenses Division of India’s Central Bureau of Investigation, which leads investigations of cyber crimes related to banking and financial services.71 However, the scale of cyber threats to India’s financial sector has revived calls for a national Indian FinCERT.72

Impact Tolerances

In 2018, UK authorities introduced the concept of impact tolerances through a series of discussion papers that has since become the most downloaded document on the BoE website. Impact tolerances are defined as “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.”73

There are signs that authorities from other jurisdictions are planning to take similar approaches to operational resilience. In the EU, the EBA’s “Guidelines on ICT and Security Risk Management” instruct financial institutions to conduct “business impact analysis by analyzing their exposure to severe business disruptions.”74 In Asia, the MAS’s proposed revisions to the BCM guidelines call for financial institutions to map critical business functions and determine recovery times and minimum performance levels for each.75 In the United States, Arthur Lindo has discussed the Fed’s process for establishing “specific resiliency tolerances.”76

The private sector has acknowledged that impact tolerances will be a component of sector-wide operational resilience, but there is disagreement about supervisory expectations. For example, in its response to the 2018 UK discussion papers, the GFMA agreed that “asking firms to set ‘impact tolerances’ for their most important business services could be helpful to mature operational resilience across the industry”; however, it also maintained that such a request “should remain aspirational rather than to meet supervisory expectations.”77 The financial sector’s coordinated response to the UK FSAs’ consultation process will be the next major iteration in the public-private dialogue around establishing expectations for impact tolerances.

Requirements that banks map, set, and share their impact tolerances raise two main concerns. The first concern arises if financial authorities ask for impact tolerances without first developing a standardized, cross-jurisdictional framework, thereby forcing banks to produce multiple assessments to fit each jurisdiction’s requirements. For example, supervisors of Country A may require impact tolerances from a bank not only for its operations in Country A but also for its operations in Country B because operations in Country B could impact the financial stability of Country A.

The second concern is that consolidating tolerances from systemically important financial institutions into a single repository—essentially, a map of which business function disruptions would cripple a bank—creates a high-value target for sophisticated malicious actors. Financial authorities would need to store tolerance data securely and tightly restrict who can access it.

Both concerns raise questions about what information is reasonable for a supervisor to request related to firms’ business outside of the supervisor’s jurisdiction. Namely, what are reasonable roles and responsibilities of the home regulator versus the host regulator?

International Financial Institutions’ Approach to Operational Resilience

This section summarizes and analyzes approaches to operational resilience on the part of key international financial institutions; the following section examines the approaches adopted by industry.

Committee on Payments and Market Infrastructures & the International Organization of Securities Commissions

The CPMI, a committee within the BIS, is a global standard setter for payment, clearing, and settlement in the financial system; it is also a forum for central bank cooperation on such functions. IOSCO is an international body for financial authorities that regulate securities and futures markets. The CPMI and IOSCO have overlapping mandates and often collaborate on cybersecurity issues, “to enhance coordination of standard and policy development and implementation, regarding clearing, settlement and reporting arrangements including financial market infrastructures (FMI) worldwide.”78

In June 2016, CPMI-IOSCO released their joint report, “Guidance on Cyber Resilience for Financial Market Infrastructures.”79 It is regarded as the first internationally agreed guidance on cybersecurity for FMIs and reflects the growing attention the issue has received in recent years. The report aims to increase the ability of FMIs to pre-empt, rapidly respond to, and recover from cyber attacks, and to establish consistent resilience standards across jurisdictions.80

It should be noted that both organizations tackle cybersecurity individually as well as collaboratively. For example, IOSCO’s Cyber Task Force tracks cybersecurity regulations from IOSCO member jurisdictions. In 2019, the task force published a report finding that member jurisdictions consider cyber “to be at least one of the most important risks faced by regulated firms.”81 In May 2018, the CPMI published a guidance document, “Reducing the Risk of Wholesale Payments Fraud Related to Endpoint Security.”82

Financial Stability Board

The FSB, established by the G20 in 2009 and hosted by the BIS, began its work on cyber resilience in 2017, after being tasked by the G20 with taking stock of approaches on cybersecurity and the financial system.83 In October 2017, the FSB published its “Stocktake and Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices.” It found that many jurisdictions were still actively developing regulation and guidance and pointed to fragmentation in approaches across the surveyed jurisdictions.84

The FSB also published a cyber lexicon to promote a common language in the industry; this lexicon is currently being updated and is scheduled to be released in November 2020.85 The FSB also developed a toolkit, “Effective Practices for Cyber Incident Response and Recovery,”86 based on a range of practices from different jurisdictions; the toolkit will be presented at the G20 meeting in November 2020.

Basel Committee on Banking Supervision

The BCBS, the main international body of banking supervisory authorities guided by the central bank governors of the G10 countries, has traditionally advanced cyber resilience and operational resilience through coordination and surveys across its membership, and most recently through a set of principles for operational resilience. The BCBS works closely with the BIS and other international financial standard-setting bodies, and its focus on operational resilience and cyber risk builds on the work of its counterparts. For example, in 2019, the BCBS published “Cyber-resilience: Range of Practices,” which builds upon a 2017 survey from the FSB and compares how financial authorities approach cyber resilience across jurisdictions.87

In August 2020, the BCBS published a consultative document, “Principles for Operational Resilience,”88 which builds on its 2011 “Principles for the Sound Management of Operational Risk.” The new consultation notably broadens the focus beyond cyber incidents to include risks from pandemics, accidents, natural disasters, and technology failures.89 The consultation period is set to end by November 2020.

Bank for International Settlements

The BIS helps its members manage cyber risk and build resilience through key regulator stocktakes,90 convenings,91 consultations, and guidance.92 In 2018, the BIS hosted two events on cyber resilience: a cybersecurity seminar attended by fifty central banks and monetary authorities and a five-day cyber range exercise in which cybersecurity professionals from fifteen central banks defended against attacks on simulated networks. From these events, the BIS learned that “to be truly effective against the common threat of cyber attack, central banks must work together.”93 Shortly afterwards, the BIS created the CRCC to facilitate such collaboration.

The BIS’s CRCC is part of its Innovation BIS 2025 strategy, designed to facilitate collaboration on cyber resilience within the central bank community. According to the BIS’s annual report, the CRCC will “offer cyber security seminars, technical training with hands-on cyber ranges similar to the one described above, and a secure platform to help build collaboration within the central bank community.” In a 2019 speech to regulators, the general manager of BIS, Agustín Carstens, explained that the CRCC will leverage its “trusted position within the central bank community” to provide four core services:

  • Developing a cyber resilience self-assessment framework for central bank cyber security benchmarking
  • Providing cyber range capability to provide hands-on cyber security training via scenarios that are fully customized for the financial sector
  • Providing a secure collaboration platform for multilateral cyber threat information exchange, virtual access to cyber security personnel in other central banks, information technology investment discussions, and best practices in information sharing
  • Collaborating closely with the Financial Stability Institute to assist in its delivery of cyber resilience publications and training as well as providing cyber security expertise in relation to emerging financial technology trends94

The Financial Stability Institute, established jointly by the BIS and the BCBS, advances research through policy briefs, crisis exercises, and papers on effective cybersecurity and operational resilience practices, along with other financial policy topics.95 The institute drives capacity-building for supervisors and regulators through four channels:

  • Raising awareness around key developments in cyber resilience through a global series of high-level meetings
  • Facilitating regional exchanges of experiences and best practices on cyber resilience and cyber risk between supervisors and regulators through regional expert meetings
  • Developing online products and tutorials on the work of the international financial standard-setting bodies—the BCBS, IAIS, and CPMI-IOSCO—on cyber resilience
  • Publishing research, policy briefs, and environmental scans on supervisory and regulatory developments in cybersecurity and cyber resilience in the financial sector

Because of their cost-effectiveness and scalability, online tutorials will be the focus for future efforts.96

Industry’s Approach to Operational Resilience

The financial industry generally supports establishing a minimum level of operational resilience across the sector but wants to be involved in developing a regulatory approach that does not overly burden business. Because financial institutions do not view cybersecurity or operational resilience as competitive issues, the industry has developed a consensus-preferred approach: regulations that are simple, internationally harmonized, principles-based, and risk-based and that maximize resilience while minimizing risk. Industry has also launched its own initiatives, mostly in the United States, to advance operational resilience.

The financial industry primarily advocates for regulatory development and reform, including around operational resilience, through trade associations. Some trade associations, like the EBF, align closely with specific regional markets, whereas other trade associations, like the IIF and the GFMA, represent institutions from all over the world. On major issues, like operational resilience, trade associations coordinate to speak to regulators with a unified voice.

Industry has two primary concerns about the global regulatory approach to operational resilience. First, there is significant concern about regulatory fragmentation. In 2016, just as regulators had begun to explore operational resilience, a group of trade associations warned that “fragmentation would not only impede the flow of global capital and its contribution to economic growth, but also exacerbate the very risks regulators are trying to mitigate.”97 In the United States, industry built the “Financial Sector Cybersecurity Profile” to help simplify compliance requirements.98 According to the FSSCC website, “The Profile is a financial services sector-specific extension of the NIST Cybersecurity Framework (NIST CSF)—and other key guidance documents such as [those created by the International Organization for Standardization (ISO)] and CPMI-IOSCO—to better address the sector's regulatory environment.”99 In Europe, the EBF has warned that “harmonization of regulatory requirements is a standing request of the European banking sector so as to facilitate compliance and avoid duplication and overlapping.”100

To counter fragmentation, industry wants leadership from international financial organizations. For example, in response to the MAS’s proposed BCM guideline revisions, the Asia Securities Industry and Financial Markets Association (ASIFMA) recommended that regulatory requirements be driven by “G20, FSB and the Basel Committee.”101 Industry’s desire for harmonization also explains their advocacy of a common taxonomy and their support for the FSB’s cyber lexicon.

Second, industry is concerned about prescriptive requirements and maintains instead that regulators should adopt risk- and principles-based approaches. Trade associations argue that there is no “one-size-fits-all” approach and that regulations need to be proportional to the maturity and systemic importance of the firm. They consider risk- and principles-based approaches to be more future-proof, whereas prescriptive requirements may become irrelevant as technology changes.

In addition to consultation and advocacy with regulators, industry has established sector-led initiatives focused on operational resilience, primarily in the United States. Examples include FSARC and its UK counterpart FSCCC, Sheltered Harbor (a subsidiary of FS-ISAC focused on consumer banking), the Financial Sector Profile, and Quantum Dawn, a series of global sector-led cybersecurity exercises. These initiatives not only improve firms’ resilience but also signal to regulators that private sector interests align with those of the public and that future regulatory requirements need not be heavy-handed.

The Growing Popularity of Exercises

Cybersecurity exercises are important for preparedness and resilience because they help institutions think through responses to hypothetical scenarios. Exercises about cyber incidents affecting the financial system help supervisors and banks consider possible repercussions for core bank functions, identify gaps in current response plans, and practice crisis communication and coordination. These exercises may vary from tabletop simulations to penetration tests. Leading financial institutions make these exercises routine to strengthen coordination among government agencies, supervisors, and the private sector. Some of the major exercises include:

  • Quantum Dawn: The Quantum Dawn exercise series hosted by SIFMA dates back to 2011. Over the course of the five exercises held since then, participation has grown from a small group of U.S. institutions to more than 180 global financial institutions as of 2019. Each exercise has simulated a different set of cyber incidents, but the post-event lessons from every exercise have consistently called for better communication among participants. Quantum Dawn V, held in 2019, simulated a targeted ransomware attack with impacts on major banks across the globe, starting in the United States and moving across Asia and the UK; the exercise boasted over 600 participants from 180 financial institutions.102 The exercise tested coordination between SIFMA, the Association for Financial Markets in Europe (AFME), and ASIFMA.
  • Cyber-attack Against Payment Systems (CAPS): FS-ISAC regularly hosts CAPS, a series of tabletop exercises, with its membership institutions. The exercise aims to help participants prepare for attacks against their systems and processes.103
  • Exercise Cyber Star: Led by Singapore’s CSA, Exercise Cyber Star is a periodic crisis exercise that tests the cybersecurity readiness and response capabilities of stakeholders across Singapore’s eleven critical information infrastructure sectors, including banking and finance.
  • Exercise Raffles: Jointly organized by the MAS and the ABS, this financial sector exercise tests financial institutions’ business continuity and crisis management against operational disruption scenarios. The three most recent iterations of the exercise (in 2014, 2017, and 2019) focused on cyber attack scenarios, with the most recent exercise being held over two days and covering banking and payment service disruptions, trading disorders, data theft, and the spreading of rumors and falsehoods on social media.
  • Waking Shark: The Waking Shark exercises I and II simulated cyber attacks on the UK’s financial sector in 2011 and 2013 respectively. Participants represented major financial institutions, financial market infrastructure providers, financial authorities, the UK Treasury, and other government agencies.104
  • SIMEX18: In 2018, as part of the SIMEX series, UK financial authorities simulated a significant multiday cyber attack on the UK’s financial sector with participation from “29 of the most systemically important firms and financial market infrastructures.”105 The exercise prompted a review of the sector response framework and the integration of the FSCCC into the response framework.
  • Hamilton Series: The Hamilton Series consists of exercises led by the U.S. Department of the Treasury to improve U.S. response to cyber threats within the financial sector. The exercises include participants from both the public and the private sector to stress test and improve public-private response strategies.106 U.S. government agencies, including the Department of Homeland Security, regulators led by the Financial and Banking Information Infrastructure Committee, and law enforcement participate alongside industry partners like the Financial Services Sector Coordinating Council (FSSCC) and FS-ISAC.107
  • Resilient Shield: In 2015, the British and U.S. governments conducted one of the first international exercises with the private sector to strengthen coordination and response planning.108
  • UNITAS: In June 2018, the ECB hosted a market-wide crisis communication exercise, known as UNITAS, to simulate an attack on a major financial market infrastructure. According to the ECB, the aim was to: “(i) raise awareness of data integrity issues and the implications for financial infrastructures; (ii) discuss how impacted financial infrastructures could cooperate and collaborate with each other and other relevant stakeholders on a pan-European basis; and (iii) assess the need for developing external public communication strategies.”109
  • G7 cybersecurity exercise: In June 2019, twenty-four financial authorities from G7 countries participated in a “major cross-border cyber-security attack on the financial sector.”110 Some G7 countries invited private financial institutions from their jurisdictions to participate, while others limited participation to government agencies.111

In 2019, the UK NCSC even published “Exercise-in-a-Box,” a free and simple online tool that helps organizations practice responding to a cyber attack.112 The tool uses a basic profile of the participants’ institution and provides a tailored scenario based on the institution’s level of cybersecurity maturity. After the exercise is completed, participants receive a summary report with key takeaways and recommendations to improve their institution’s cyber resilience. This could become an effective tool for cybersecurity capacity-building, enabling participants to live and think through the implications of a cyber incident in a controlled setting.

  • Recommendation 1.1: Standard-setting bodies—namely the Basel Committee on Banking Supervision (BCBS), the Committee on Payments and Market Infrastructures (CPMI), the International Organization of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors (IAIS)—should continue to support initiatives to improve and align regulatory oversight efforts for the cybersecurity and operational resilience of financial services. This will contribute to higher quality security practices among financial firms by reducing regulatory transaction costs and freeing up bandwidth among firms’ cybersecurity staff.
    • Supporting Action 1.1.1: The G20 should task the FSB with developing a baseline framework for the supervision of cyber risk management at financial institutions. This framework should leverage common risk management frameworks, such as those advanced by the Financial Stability Institute and the Financial Services Sector Cybersecurity Profile, as well as internationally accepted standards for technology and risk controls.

Specific Issues Worth Highlighting: Promising Opportunities, Urgent Topics, and Low-Hanging Fruit

FinCERTs

The ability to respond quickly and effectively to a cyber incident is fundamental to recovery and operational resilience. CERTs and CSIRTs specialize in response; they have been described as “digital fire brigades.”113

Over the last twenty years, an ecosystem of CERTs that specialize in responding to incidents in the financial system has emerged—some of which are explicitly called “FinCERTs.”114 FinCERTs specialize in responding to cyber incidents in financial networks, core banking systems, and payment systems. Most FinCERTs are operated by large banks to respond to incidents on their internal networks. Recently, financial regulators have begun establishing their own FinCERTs to respond to incidents within their jurisdiction. Figure 6 shows their existence around the globe.

In addition, many national CERTs and cybersecurity agencies operate substructures that specialize in financial sector cybersecurity. While the national-level CERTs and cybersecurity agencies are officially sector-agnostic, these substructures often fulfill the same function as that of a standalone FinCERT: facilitating information sharing, responding to cyber incidents, and building public-private trust.

However, the ecosystem of FinCERTs and national substructures is fragmented, and cooperation occurs on an ad hoc basis. There is no sector-wide coordinating body that connects FinCERTs across jurisdictions or bridges the public-private divide. (FS-ISAC is not a CERT since it does not perform incident response functions.115) Connecting the emerging system of FinCERTs will likely improve global responses to rising cyber threats to the financial system.

Mapping the FinCERT Ecosystem

While there is no sector-wide coordinating body for FinCERTs, two organizations—FIRST and the Task Force on Computer Security Incident Response Teams (TF-CSIRT)—provide global platforms with the “aim of sharing information among CSIRTs and assisting coordination during network-wide incidents.”116 Neither has operational functions, but most FinCERTs are members of one or both platforms.

Most FinCERTs can be categorized as either (1) CERTs operated by private financial institutions, or (2) CERTs operated by public financial authorities. A survey of the directories of FIRST and TF-CSIRT shows that there are at least sixty-eight FinCERTs operating today: thirteen are public, and fifty-five are private.

Public Sector FinCERTs

Governments have long been operating CERTs at the national level to respond to incidents that occur on government or commercial networks, including networks operated by the financial industry. The EU’s NIS Directive requires member states to establish national CSIRTs and supervise critical sectors like the financial sector.117 What is new is that central banks and ministries of finance are establishing their own FinCERTs to create specialized response and recovery capabilities for the financial sector. One advantage of housing a FinCERT within a financial regulatory body is increased authority to request information and data sharing from private financial institutions.118 Many, like Sri Lanka’s FinCERT, were established in collaboration with private financial institutions and trade associations.

Another example of a public-private FinCERT is the Italian CERTFin, which is led jointly by the Bank of Italy and the Italian Banking Association. Participation in CERTFin is open and any financial institution or service provider operating in Italy’s financial sector can opt in.

According to its mission statement, CERTFin’s main goals are:

  • “To provide prompt information regarding potential cyber-threats that could damage banks and insurance organizations;
  • To act as Point of Contact between financial operators and other relevant public institutions as far as cyber protection;
  • To facilitate the response to large-scale security incidents;
  • To support crisis management process in case of cyber incidents;
  • To cooperate with national and international institutions and other actors, from both public and private sector, which are involved in cyber security, by promoting the cooperation among them; and,
  • To improve cyber-security awareness and culture.”119

CERTFin coordinates incident response and acts primarily as an information gathering center for affected constituents. In the event of a major cyber incident, CERTFin also functions as a conduit between cybersecurity operators in the financial sector and the Italian national CERT through a dedicated escalation process. CERTFin also prioritizes operational cooperation and information sharing with other CERTs, considering such activity “of paramount importance.”120

Europe has established the majority of FinCERTs. One standout example of multilateral cooperation is the Nordic Financial CERT, operated jointly by Sweden, Norway, Iceland, Denmark, and Finland. Efforts by ENISA and TF-CSIRT to coordinate CERTs and CSIRTs across Europe may contribute to the culture of collaboration in the European CERT community.121 Additionally, the fact that the ECB has established its own CSIRT-ECB may encourage national central banks to create their own.

Israel’s FinCERT: The Cyber and Finance Continuity Center (FC3)

Israel’s national FinCERT, FC3, is worth highlighting. FC3 provides specialized cybersecurity capabilities focusing specifically on the financial ecosystem and its needs.122 It also provides a set of services to its customers, including information sharing, incident handling, and situational reports.

FC3 was established after a cybersecurity exercise with the country’s financial leadership revealed “a need for integration and ‘translation’ between the financial language, the cyber and technology language and the risk management needs.”123 It is co-owned and co-managed by the Israeli Ministry of Finance and the Israeli National Cyber Directorate, which provide expertise in the financial ecosystem and in cyber and technology, respectively. This coordination has allowed FC3 to comprehensively map Israel’s financial sector processes, systems, and functions to improve resilience. Additional synergies are realized because FC3 is headquartered on the same campus as university experts and Israel Defense Forces cybersecurity experts.

Israel’s experience establishing a national FinCERT may be instructive for other countries. According to FC3’s leadership, the following process led to the creation of the FinCERT:

  • A government directive that promoted government regulation and leadership in developing cybersecurity protection.
  • Drills for the leaders of the financial ecosystem and security agencies in identifying gaps; these drills were also used to catalyze improved cybersecurity protection.
  • A government committee that drove deeper internal processes; this committee was led by the Ministry of Finance and brought together all of the country’s financial regulators, the central bank, and cyber authority.
  • Identification of the financial ecosystem players and mapping of the protection layers.
  • Definition and mapping of end-to-end financial processes.

After several months of consultation and resource mapping, the government committee decided to disband and move directly into creating the financial CERT.124

The Israeli government took away valuable lessons from the process. Notably, FC3 was “the first sectorial CERT that was created and is now part of several sectorial CERTs—each one focuses in a different sector, and utilizes capabilities, knowledge and tools that are provided by the national CERT.”125 According to FC3 leadership, key lessons include:

  • Create a workforce with experts from financial institutions, technology experts, and managers who have experience working with the financial regulators.
  • Develop additional channels for collaboration with the private sector, such as a steering committee, conferences, and internships for financial CERT employees in private financial institutions and vice versa.
  • Quickly begin using online tools for institutions to receive information and share data.
  • Work incrementally: All of the financial institutions were connected voluntarily to the financial CERT, allowing trust, value, and cooperation to emerge.
  • Create an ongoing process that allows growth and empowerment in technology, people, processes, and intel across financial sectors in the national and international arenas.126

  • Recommendation 1.2: Governments (starting with the G7 and G20 Finance Ministers and Central Bank Governors) and industry should expand and strengthen the international ecosystem of financial sector-focused computer emergency response teams (CERTs) or similar entities to stimulate public-private collaboration and strengthen sector-specific security.
    • Supporting Action 1.2.1: Governments should create a FinCERT, either as a substructure of an already established national CSIRT (computer security incident response team) emulating the Israeli FinCERT or as a stand-alone entity, to strengthen the protection of the financial sector, which is often at the forefront of regular and novel malicious cyber activity.
    • Supporting Action 1.2.2: The Forum of Incident Response and Security Teams (FIRST) should consider creating a stand-alone track or side event at the annual FIRST conference to deepen this community of experts, including government FinCERTs, staff of national CSIRTs focusing on the financial sector, and related private sector entities. Two or more members of FIRST should also propose a FinCERT “Special Interest Group” to the FIRST board to create a community of interest in addition to the annual side event. (This would be similar to the national CSIRT side event that takes place alongside the annual FIRST conference. Appendix B provides an overview of existing FinCERTs worldwide.)

Sheltered Harbor

Sheltered Harbor is designed to improve the resilience of and preserve public confidence in the U.S. financial system, specifically with respect to the integrity of financial data. It functions as a fail-safe to restore financial data for banks and customers in the event of a major disruption. The main idea is that should a financial institution be unable to recover quickly from a cyber incident, other financial firms could jump in and continue to provide service to affected customers by accessing the struggling firm’s standardized, backed-up account data through the Sheltered Harbor data vault.127

Sheltered Harbor was conceptualized after the 2015 Hamilton Series showed financial institutions how damaging a major data loss or disruption would be to financial stability.128 A group of thirty-four financial institutions, clearing houses, core processors, and industry associations came together in 2016 to create the initiative.129 As of October 2018, Sheltered Harbor holds the data for 70 percent of U.S. deposit accounts and 55 percent of U.S. retail brokerage client assets.130

Participation in Sheltered Harbor is voluntary; member institutions must pay minor dues and meet certain standards. In a public letter sent to financial CEOs in May 2019, six U.S. financial trade associations called for all financial institutions to join Sheltered Harbor, arguing that “implementing the Sheltered Harbor standard prepares institutions to provide customers timely access to balances and funds in such a worst-case scenario.”131

An excerpt from that public letter explains how Sheltered Harbor works:

Financial institutions back up critical customer account data each night in the Sheltered Harbor standard format, either managing their own secure data vault or using a participating service provider. The data vault is owned and managed by your institution, is unchangeable, and is completely separated from your institution’s infrastructure, including all backups. When your institution completes the requirements for data vaulting, you will be awarded Sheltered Harbor certification. This designation and accompanying seal communicate to key audiences, such as customers, industry peers, and regulatory agencies, that your critical customer account data [are] protected.132

Regulators have received the private sector–led initiative well. For example, two U.S. regulators, the OCC and the FDIC, promoted Sheltered Harbor to financial institutions in a “Joint Statement on Heightened Cybersecurity Risk” following the U.S. killing of Iranian general Qasem Soleimani.133 Additionally, the U.S. Federal Financial Institutions Examination Council included Sheltered Harbor in their 2019 “IT Examination Handbook” and 2018 “Cybersecurity Resource Guide for Financial Institutions.”134

  • Recommendation 1.3: Financial authorities should prioritize increasing the financial sector’s resilience against attacks targeting the integrity of data and algorithms. Unlike incidents affecting availability or confidentiality, few technical mitigation solutions exist today to mitigate the risks associated with the manipulation of the integrity of data and algorithms. The second-order risk of undermining trust and confidence is significant.
    • Supporting Action 1.3.1: Financial authorities should encourage industry to join or emulate data vaulting initiatives, such as Sheltered Harbor, to advance common standards, to better protect against data integrity attacks such as ransomware, and to test data vaulting solutions’ effectiveness during a crisis.
    • Supporting Action 1.3.2: Considering the limitations of current technical solutions, governments and financial authorities should lead whole-of-society exercises, including industry, that specifically simulate cyber attacks involving the manipulation of the integrity of data and algorithms. Such exercises should be used to identify weaknesses, such as divergence between decision-making timelines in financial markets versus the national security community, and to develop action plans to better protect against such attacks.

Exchanges and Other Financial Infrastructures

“Banks tend to have the loudest voice but governments need to focus more on exchanges.” Expert at Carnegie’s FinCyber Brainstorming Workshop in May 2020.

Financial infrastructures include FMIs (that is, payment systems, central securities depositories, securities settlement systems, central counterparties, and trade repositories), credit rating agencies, stock exchanges, securities settlement platforms, and any other service providers deemed critical for the functioning of the financial sector.135 Their systemic importance in the financial system demands a high standard of resilience. For example, the first internationally agreed upon guidance on cyber resilience was about FMIs, published by CPMI-IOSCO in 2016. In 2019, the ECB published the CROE, which provides guidance to FMIs and supervisors regarding cyber resilience expectations.136

Financial infrastructure operators do have unique concerns about operational resilience. For example, in comments to CPMI-IOSCO, the WFE raised concerns about a prescriptive recovery time of two hours. As Darrell Duffie and Joshua Younger explained, “the CPMI standard for the cyber resilience of financial market infrastructure is a two-hour recovery time, or ‘2hRTO,’ but this standard remains aspirational.”137 There are also concerns about independent assurance of data integrity in the event of an incident: in order to independently assure data integrity, an FMI would need to establish a point of reliability loss, invalidate transactions submitted after that point, and return to the previous checkpoint. This also raises questions about whether and to what extent legal provisions around settlement finality may need to be updated.
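The checkpoint-and-rollback logic described above, as an added illustration that is not from the report or from any FMI: a toy ledger keeps a hash chain over posted transactions and hands periodic checkpoint digests to an independent assurer; the functions locate the point of reliability loss, invalidate everything submitted after the last trusted checkpoint, and restore that checkpoint’s balances. `Ledger`, `Txn`, `chain_link`, and the sample transactions are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # chain value before any transaction is posted


@dataclass(frozen=True)
class Txn:
    seq: int      # 1-based position in the ledger
    debit: str    # account debited
    credit: str   # account credited
    amount: int   # minor currency units


def chain_link(prev: str, txn: Txn) -> str:
    """Hash-chain link binding a transaction to everything posted before it."""
    payload = json.dumps([prev, txn.seq, txn.debit, txn.credit, txn.amount],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Toy FMI ledger (constructed for this example): balances, transactions, chain links."""

    def __init__(self, opening: dict[str, int]) -> None:
        self.balances = dict(opening)
        self.txns: list[Txn] = []
        self.links: list[str] = []  # links[i] is the chain value after txns[i]

    def post(self, debit: str, credit: str, amount: int) -> Txn:
        txn = Txn(len(self.txns) + 1, debit, credit, amount)
        prev = self.links[-1] if self.links else GENESIS
        self.txns.append(txn)
        self.links.append(chain_link(prev, txn))
        self.balances[debit] -= amount
        self.balances[credit] += amount
        return txn

    def checkpoint(self) -> dict:
        """Snapshot handed to an independent assurer and kept outside the FMI's own systems."""
        digest = self.links[-1] if self.links else GENESIS
        return {"seq": len(self.txns), "digest": digest, "balances": dict(self.balances)}


def point_of_reliability_loss(ledger: Ledger, trusted: list[dict]) -> int | None:
    """Seq of the first transaction that can no longer be relied on, or None if all verify.

    Check 1 recomputes the chain from genesis against the stored links. Check 2 compares the
    recomputed chain at each checkpoint with the assurer's digest; a rewrite that also
    re-links the chain defeats check 1 but not check 2, which narrows the loss to an interval.
    """
    trusted_digest = {cp["seq"]: cp["digest"] for cp in trusted}
    last_good, prev = 0, GENESIS
    for txn, stored in zip(ledger.txns, ledger.links):
        prev = chain_link(prev, txn)
        if prev != stored:
            return txn.seq                   # edited in place without re-linking
        if txn.seq in trusted_digest:
            if trusted_digest[txn.seq] != prev:
                return last_good + 1         # re-linked edit somewhere in this interval
            last_good = txn.seq
    if trusted_digest and max(trusted_digest) > len(ledger.txns):
        return len(ledger.txns) + 1          # tail of the ledger was deleted
    return None


def return_to_checkpoint(ledger: Ledger, trusted: list[dict], loss_seq: int) -> list[Txn]:
    """Restore the last trusted checkpoint before loss_seq and return the invalidated
    transactions, which must be re-submitted or resolved under settlement-finality rules."""
    cp = max((c for c in trusted if c["seq"] < loss_seq), key=lambda c: c["seq"])
    invalidated = ledger.txns[cp["seq"]:]
    ledger.txns = ledger.txns[:cp["seq"]]
    ledger.links = ledger.links[:cp["seq"]]
    ledger.balances = dict(cp["balances"])
    return invalidated


def demo() -> tuple[int | None, list[int], dict[str, int]]:
    """Constructed scenario: a re-linked tamper is caught by the external check and rolled back."""
    ledger = Ledger({"A": 1000, "B": 500, "C": 0})
    trusted = [ledger.checkpoint()]          # seq 0, opening snapshot
    ledger.post("A", "B", 100)               # seq 1
    ledger.post("B", "C", 50)                # seq 2
    trusted.append(ledger.checkpoint())      # seq 2: A=900 B=550 C=50
    ledger.post("A", "C", 200)               # seq 3
    ledger.post("C", "B", 25)                # seq 4
    trusted.append(ledger.checkpoint())      # seq 4
    # Tampering with write access to the ledger store: txn 3 is rewritten and the chain
    # re-linked, so the ledger is internally consistent but disagrees with the assurer.
    ledger.txns[2] = Txn(3, "A", "C", 2000)
    ledger.links[2] = chain_link(ledger.links[1], ledger.txns[2])
    ledger.links[3] = chain_link(ledger.links[2], ledger.txns[3])
    loss = point_of_reliability_loss(ledger, trusted)          # 3
    invalidated = return_to_checkpoint(ledger, trusted, loss)  # seq 3 and 4
    return loss, [t.seq for t in invalidated], ledger.balances
```

The granularity of the external check is the checkpoint interval, which is why the two-hour recovery objective and the frequency of checkpoints are linked design choices.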

Nevertheless, financial infrastructure operators seem broadly supportive of a regulatory approach based on operational resilience, and the interests of financial infrastructure operators typically align with those of other financial institutions. Resistant to prescriptive supervision and regulation, they advocate for proportionality, and they are concerned about the international harmonization of cybersecurity regulatory approaches. In a March 2020 response to the EC’s consultation, the WFE affirmed support for policymakers’ efforts “to enhance operational resilience,” but urged them to align new rules with existing ones, as this “would be helpful in quickly realising and implementing those common principles across an interconnected, global financial services industry.”138 Financial infrastructures are built on consumer trust, so establishing a resilient financial system is also broadly in their interest. This is especially true given the evolving threat landscape in which financial infrastructures operate.

Threat Landscape for Exchanges and Clearing Houses

A 2013 survey by the WFE and IOSCO found that 53 percent of exchanges surveyed reported experiencing a cyber attack in the previous year and that 89 percent of respondents considered cyber crime in securities markets to be a systemic risk. The survey also found that attacks against exchanges tend to be disruptive rather than profit-driven.139 This clearly differentiates exchanges from banks and other financial institutions: exchanges are focused on traders and corporate clients and do not hold personal accounts that can be targeted, as happens, for example, in carding. Consistent with this, a DDoS campaign against the New Zealand Stock Exchange in August 2020 led to multiday disruptions of its operations and was a powerful reminder of the continued threat to, and importance of, exchanges for a country’s financial sector.140

A string of successful profit-driven attacks—including one via the SWIFT network against the Bangladesh Bank in 2016; one against Mexico’s interbank payment network, SPEI, in 2018; and one against Banco de Chile in 2018 via international payment systems—have also focused attention on attacks against participants within financial payments systems.141 In 2018, SWIFT and BAE Systems examined potential threats to foreign exchange markets, securities markets, and trade finance markets. They found that:

The cyber threat is highest in the securities markets, particularly to its Participants. This is due to the large numbers of Participants and infrastructures in that market, the complexities of their interactions, and inherent characteristics such as long chains of custody, unstructured communications and trusted practices—all of which combine to provide opportunities for [Advanced Persistent Threat] groups to exploit.142

Profit-driven attackers usually target low-hanging fruit in emerging financial markets, but this could change. As BAE analysts point out, attackers “might choose to attack foreign exchange markets, trade finance, securities and other areas, looking to make large gains in single intrusions or use persistent access to play the market over longer periods.”143 Successful attacks against systemically important exchanges or clearing houses would be highly complex but highly profitable for malicious actors.

Politically motivated attacks that aim to disrupt exchanges and clearing houses may also pose a systemic risk to the financial system and could create market volatility, settlement issues, and trade inconsistencies. Disruptions to a systemically important exchange or clearing house could have cascading consequences for the larger financial system. Attacks that call into question the integrity of an exchange’s transactions or data could undermine trust in the financial system and require a great deal of time, effort, and funds to resolve.

Past examples of politically motivated disruptions include 2012 DDoS attacks against U.S. exchanges; a 2014 data breach involving the Warsaw Stock Exchange, reportedly carried out by a group affiliated with the self-proclaimed Islamic State; and 2019 DDoS attacks against Hong Kong Exchanges and Clearing Limited.144

  • Recommendation 1.4: Governments and industry should put additional emphasis on the resilience of financial market infrastructures (FMIs)—critically important institutions responsible for payment systems, central counterparties, central securities depositories, or securities settlement systems—and other service providers deemed critical for the functioning of the financial sector, such as stock exchanges, as successful disruptions against these entities can pose a systemic risk and undermine confidence in the financial system.
    • Supporting Action 1.4.1: Governments should use the unique capabilities of their national security communities to help protect FMIs and critical trading systems, including sharing information about impending threats.
    • Supporting Action 1.4.2: Industry groups, such as the World Federation of Exchanges (WFE), which is a global industry association for exchanges and clearing houses, should dedicate more resources to capacity-building efforts designed to help smaller and less mature FMIs and other important service providers increase their cybersecurity level.

Third-Party Risk

Financial services firms increasingly rely on services and a complex digital supply chain provided by third parties. This trend has accelerated further during the coronavirus global pandemic as the financial sector transitioned to remote work and expanded digital services. Third-party risk, or outsourcing risk, is not a new concept to financial authorities and institutions. What is new is the degree of interdependent risk, the increasing complexity of that interdependence, and the number of actors involved in managing the risk. This growing interdependence can be exploited by malicious actors who, for example, may choose to target vulnerable third-party service providers with ransomware because the leverage gained by disrupting not only the service provider but also its dependent customers can make extortion more successful.

Financial authorities have traditionally managed third-party risk in the system by setting outsourcing requirements for financial institutions. However, concerns are growing that financial authorities do not have enough visibility or authority over certain third-party service providers, and that financial institutions are expected to manage risks in oligopolistic markets where they have less leverage to set the terms of service level agreements.

New regulation and guidance reflect these growing concerns. The MAS’s 2019 updates to its BCM guidelines raise the standards for financial institutions developing business continuity plans so that those plans better account for linkages with external service providers.145 The BCBS has proposed “third-party dependency management” as one of its core “principles for operational resilience.” Such approaches provide financial institutions with flexibility, and responsibility, to manage these outsourcing relationships. The EU may be going one step further with DORA, which proposes a framework that would enable “continuous monitoring of the activities of ICT third-party service providers that are critical providers to financial entities.”146

The Cloud

The increasing reliance on cloud services has been highlighted during the coronavirus pandemic. According to a March 2020 Business Insider article, “projections of moving 55% of workloads to the cloud by 2022 (from 33% now) look conservative as these targets could be reached a full year ahead of expectations given this pace.”147 Nasdaq, for example, has further accelerated its planned migration to the public cloud.148 Cloud infrastructure also plays an important role for innovation as many start-ups, including in fintech, are “cloud native,” using cloud service providers from the start to avoid having to build (and pay for) their own IT infrastructure.

Spotlight

For more background information about the cloud, security, and public policy, see the Carnegie paper “Cloud Security: A Primer for Policymakers,” co-authored by Tim Maurer and Garrett Hinck (August 2020): https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597

“A quarter of major banks’ activities and almost a third of all UK payments activity are already hosted on the Cloud, and there are considerable opportunities for even more intense usage.” Remarks by Mark Carney, Governor of the Bank of England, in June 2019.149

When thinking about the risk implications of the cloud for the financial system, two different public policy problems are relevant: an existing public policy problem and an emerging one. The existing public policy problem is the rising cost of cyber attacks and the fact that most organizations—governments and companies—cannot effectively protect themselves. Very few organizations can rival the security teams of the large cloud service providers, and they are therefore better off entrusting their security to teams at cloud service providers or other third-party service providers.150 The emerging public policy problem is the concentration risk associated with such a centralized approach.

Lawmakers and financial supervisory authorities have grown increasingly concerned about the emerging risk associated with the growth of the cloud. In 2019, two members of the U.S. Congress urged the U.S. Department of the Treasury to designate the leading cloud service providers to the financial industry as systemically important.151 Financial authorities outside the United States increasingly lament their inability to assess risks associated with cloud service providers that are primarily located in the United States or China.

The current geopolitical landscape makes a multilaterally coordinated governance approach to cloud service providers highly unlikely. While such an arrangement would not be unprecedented (consider, for example, the SWIFT governance model), it is much more likely that a fragmented regulatory approach will emerge. This fragmentation will be characterized along two dimensions. In the first, fragmentation will emerge among jurisdictions as individual countries and small groups of like-minded countries create their own regulatory frameworks. In the second, fragmentation will emerge across sectors as individual sectors start to impose regulations affecting cloud service providers through, for example, third-party provisions.

Given the current climate, it is also difficult to envision a scenario where the United States or China would agree to a multilateral governance arrangement without being in the driver’s seat. After all, nearly all major cloud service providers are located in the United States and China. Although other countries will try to extend their own regulatory authority to cloud service providers, either reaching beyond their borders or forcing companies to store and process data locally, cloud service providers will likely behave like other firms have in the past. Depending on the market, they will either (a) comply with the regulation only for the largest and most important markets such as the United States, (b) communicate that they comply with other countries’ individual regulations de jure while de facto only using a few jurisdictions internally as benchmarks, or (c) decide to leave markets with overly onerous regulatory burdens or not to enter them in the first place.

In short, it is unlikely that a regulatory approach will effectively address the growing security concerns about cloud service providers in the near to medium term. The regulatory trend is overwhelmingly toward fragmentation and away from coherence, and this state of affairs is likely to continue for years. This raises the question: What can realistically be done to improve the security and resilience of cloud service providers within the next five years? The recommendations in this report focus on a few actionable measures that could help mitigate the risk independent of the broader governance questions.

  • Recommendation 1.5: Financial authorities, or a designated lead governmental agency, should (i) assess the benefits and risks of using cloud service providers to strengthen the cybersecurity of financial institutions that lack the capacity to effectively protect themselves and (ii) take steps to minimize the risks associated with a migration to the cloud, including potential concentration risk.
    • Supporting Action 1.5.1: Financial authorities, or a designated lead governmental agency, should assess which financial institutions, especially small and medium-sized organizations, would become more resilient against cyber attacks by migrating to appropriately secured public or hybrid cloud service providers.
    • Supporting Action 1.5.2: To better assess and address growing concerns about concentration risks, governments should work with the major cloud service providers and financial institutions to:
      • Organize annual joint exercises simulating different scenarios to (a) identify internally who would lead their firms during a global cyber disruption; (b) increase cooperation among cloud service providers in building international response and recovery capabilities; and (c) strengthen the resilience of the cloud service infrastructure, as disruption of one provider could lead to service disruptions and reputational damage for all providers in a worst-case scenario.
      • Assess systemic risks, as well as existing and potential mitigations, and share information about key vulnerabilities and threats. The goal is to provide coordinated analysis and identify potential systemic risks for critical functions shared by cloud service providers and to create a playbook for when an incident occurs.
      • Although the activities listed above have been piloted in other industries in line with anti-trust provisions, governments should express their support and provide guidance by issuing public statements clarifying their position.
    • Supporting Action 1.5.3: Financial authorities should monitor whether the market, through cloud service providers and third-party consulting firms, is providing financial services firms with sufficient resources to assist with the migration to public or hybrid cloud service providers; this information will allow them to minimize the transitory risk and otherwise take supplementary actions. Publishing these findings will improve market information and allow potential cloud customers to assess benefits and costs more accurately.
    • Supporting Action 1.5.4: National security agencies should consult critical cloud service providers to determine how intelligence collection could be used to help identify and monitor potential significant threat actors and develop a mechanism to share information about imminent threats with cloud service providers.

Data Privacy, the GDPR, and Challenges to Information Sharing

Ensuring data privacy is fundamental to the operation of the financial ecosystem and the financial institutions therein. However, “data privacy” (the proper protection and handling of personal data) and “data security” (the protection of data from unauthorized access) are not the same. There has been some confusion as to whether recent data privacy regulation, in particular the EU’s GDPR, may have unintended consequences for cybersecurity in the financial system. Specifically, some are concerned that the GDPR’s protections of personal data could hamper cybersecurity threat information sharing.

For example, one legal assessment, produced in 2018 on behalf of FS-ISAC, concluded:

The exact impact of GDPR on international threat information sharing appears not fully understood. There should be no misunderstanding: threat information sharing, undertaken in a proper and controlled manner, is a lawful enterprise under GDPR. Article 6(1)(f) holds as lawful the processing of personal data that “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”, requiring protection of the personal data. The processing of personal data in threat information by FS-ISAC and its Members, as well as other ISACs, member organizations, and governmental entities meets this criterion.152

Feedback from regulators and industry experts suggests that governments and regulators may need to provide further clarification so as to remove any doubt among financial institutions’ legal counsels (including data protection officers) that could potentially undermine cybersecurity efforts. Confusion seems to exist specifically with respect to the sharing of potentially personal data (for example, IP addresses, email addresses, and related metadata), which are often linked to business email compromise, as well as with sharing profiles of malicious actors and anonymized tactics, techniques, and procedures.153

This uncertainty and reluctance are not in the public interest as they can degrade a financial institution’s ability to protect against and respond to cyber attacks targeting systems and data under its care (including attacks on personal data, the protection of which is the key justification for the GDPR). Specifically, if financial institutions limit their information-sharing arrangements because of a perceived risk of incurring GDPR-related fines (and the subsequent reputational impact), it could undermine the cybersecurity not only of the institutions themselves but of the entire financial system. In Europe, initiatives like CIISI-EU have had to overcome such hurdles, often caused by participants’ legal counsels having a very narrow interpretation of the GDPR’s applicability in such cybersecurity arrangements.154

Data protection regulations usually include specific reasons that can justify cybersecurity threat information sharing within the financial system. For example, the GDPR justifies information sharing in cases of national security and the public interest.155 However, without further clarification from governments that these justifications apply to cybersecurity threats, industry will opt to avoid risk more often than not.

EU member countries may choose to interpret the cybersecurity of their financial system as a national security issue under Part 2, Chapter 3 of the Data Protection Act 2018.156 However, this measure is geared toward national cybersecurity and law enforcement authorities; embracing such an interpretation would run counter to the international and interdependent nature of the financial system. Treating financial cybersecurity as a national security issue may inhibit cross-border information sharing and undermine the cybersecurity of the EU’s digital single market and of the international financial system more broadly. Cybersecurity threat information sharing in the financial system may more appropriately fall under the public interest justification as outlined in Article 6(1)(e) of the GDPR.157 The public interest justification may not face the same potential barriers to cross-border sharing that face the national security justification.

Ultimately, it would be ironic if confusion about data protection regimes led the financial industry to reduce cybersecurity threat information sharing and resulted in weaker protections for personal data held in the purview of financial institutions. Since the GDPR is seen internationally as a leading model in data privacy and is used as a template for data protection regulations around the world, Europe has an opportunity to clarify this important issue and set an example that would help countries beyond Europe’s borders avoid this conflict in their own privacy frameworks.

  • Recommendation 1.6: G20 Finance Ministers and Central Bank Governors should highlight, ideally in their 2021 communiqué, the necessity of cybersecurity threat information sharing—including being clear about what information should be shared, why, with whom, how, and when—in order to protect the global financial system.
    • Supporting Action 1.6.1: Data protection regulators (for example, the European Data Protection Board), together with financial authorities, should assess the impact of data protection regulation on different cyber threat information-sharing initiatives and clarify, where necessary, that such sharing arrangements serve the public interest and that they comply with the General Data Protection Regulation (GDPR) or other relevant regulations.
    • Supporting Action 1.6.2: Governments should assess the potential negative impact of broader data localization requirements on the ability to protect against cyber threats and consider actions to balance these different policy objectives.

Influence Operations and Deepfakes in the Context of the Financial System

Financial markets are shaped by their information environments. The internet has transformed how information flows through financial markets. This creates new ways for actors to manipulate information in financial markets for malign purposes—for example, through influence operations. The FSB’s consultative document “Effective Practices for Cyber Incident Response and Recovery” highlights the “sector-wide implications of a cyber incident, including any market confidence issues arising through, for example, social media, news media, and market reactions.”158

Influence operations are the organized attempt to achieve a specific effect among a target audience.159 They employ a variety of tactics, techniques, and messaging, including disinformation (the deliberate spreading of misleading or false information), astroturfing (creating the illusion of a grassroots movement), hack-and-leaks, and other cyber attacks.

Recent attention paid to influence operations has focused on the threat to political processes, especially elections, but little attention has been paid to how influence operations affect financial markets. Influence operations targeting financial markets are not new, and evolving technologies continue to increase their speed, scale, and scope. It is therefore prudent to examine whether and how modern influence operations could pose a threat to the financial system.

Influence operations that might threaten the financial sector can be broadly split into two categories based on target and aim: (1) operations that target a specific business, brand, or institution (mostly led by criminals and competitors); and (2) operations aimed at overall markets or a country (mostly led by nation-states and terrorist groups).

The first category of influence operations, those targeting individual firms, is generally profit-driven and carried out by individuals, criminal organizations, or lobbyists. Organized actors will spread fraudulent rumors to manipulate stock prices and generate profit based on how much the price of the stock was artificially moved. Firms and lobbyists use astroturfing campaigns, which create a false appearance of grassroots support, to tarnish the value of a competing brand or attempt to sway policymaking decisions by abusing calls for online public comments. Fortunately, because these operations are precise in their targeting, they pose little systemic risk to the financial system even though they might cause short-term financial harm.

The second category of influence operations, those aimed at the overall market, is rare and more challenging to carry out but may pose systemic risk, at least temporarily. Attacks in this category are likely to be carried out by a politically motivated actor like a terrorist group or even a nation-state. This type of influence operation may directly target the financial system to manipulate markets, for example, by spreading rumors about market-moving decisions by central banks. Alternatively, influence operations may aim to spread false information that does not directly reference financial markets but that causes financial markets to react. For example, the state-sponsored Syrian Electronic Army caused the U.S. stock market to briefly lose $136 billion in value by disseminating false news on Twitter in 2013 (see Figure 7).160

It is important to note that not every part of an influence operation is malign. Operations may make use of a mix of social media and online advertising that then crosses over to mainstream media with the goal of spreading disinformation across these various platforms. In addition, the accidental spread of false or misleading information, even if not connected to an influence operation, should also be a concern.

On May 13, 2019, a false rumor circulating on WhatsApp led to a minor run on Metro Bank, a commercial bank in London. One posting read: “Urgent . . . You need to empty as soon as possible. The bank is facing lot of financial difficulties [sic].”161 The false information was made more credible due to a mistake Metro Bank had made months earlier when it failed to hold sufficient capital to meet UK regulatory requirements.162 While minor, the incident illustrates how misinformation can affect financial institutions.

The problem is that while organizations tend to be good at having playbooks, they are bad at organizing how to respond. A good indicator of an organization’s ability to respond quickly is the number of people required to review and sign off on a statement or tweet in response to an incident: an organization that needs clearance from multiple people will inevitably be less nimble. Another indicator is whether a playbook envisions a response only as a press statement or includes plans to respond across platforms; social media in particular requires repeated and persistent messaging to quickly counter any potential influence operation.

Spotlight

Rapid advances in artificial intelligence (AI) are enabling novel forms of deception. AI algorithms can produce realistic deepfake video and audio clips—which show people saying and doing things they never said or did—as well as fake photos and writing. Collectively called synthetic media, these tools have already been documented in multiple financial crimes.

Synthetic media are unlikely to pose a serious threat to the stability of the global financial system or national markets in mature, healthy economies. But they do present risks to emerging markets and to developed countries experiencing financial crises, and they can harm individually targeted people, businesses, and government regulators. Technically savvy bad actors who favor tailored schemes are more likely to incorporate synthetic media, although many others will continue to rely on older, simpler techniques.

Three malicious techniques (further described in the paper cited below) are particularly worrisome and should be prioritized in any response: deepfake voice phishing (or “vishing”), fabricated private remarks, and synthetic social botnets. The latter two are “broadcast” attacks that spread widely via social and traditional media, much like politically themed deepfakes. But deepfake vishing is a novel “narrowcast” threat, tailored and delivered directly to a small audience. This threat is more distinctive to the financial sector and presents an opportunity for policy leadership.

The financial system should take an incremental approach to synthetic media: start with small steps to stay ahead of this emerging challenge without diverting too many resources from larger, already extant threats. This will require a range of actors, both inside and outside the financial sector, to collaborate on technological solutions, organizational practices, and broad public awareness.

To learn more, including about the ten specific scenarios explored as part of this research, see the Carnegie FinCyber working paper “Deepfakes and Synthetic Media in the Financial System: Assessing Threat Scenarios” by Jon Bateman (July 2020): https://carnegieendowment.org/specialprojects/fincyber/workingpapers/

  • Recommendation 1.7: Financial authorities and industry should ensure they are properly prepared for influence operations and hybrid attacks that combine influence operations with malicious hacking activity; they should integrate such attacks into tabletop exercises (such as the G7 exercise) and apply lessons learned from influence operations targeting electoral processes to potential attacks on financial institutions.
    • Supporting Action 1.7.1: Major financial services firms, central banks, and other financial supervisory authorities should identify a single point of contact within each organization to engage with social media platforms for crisis management. Quick coordination with social media platforms is necessary to organize content takedowns. Social media platforms will be more responsive to a single collective point of contact than to ad hoc communication with many financial institutions.
    • Supporting Action 1.7.2: Financial authorities, financial services firms, and tech companies should develop a clear communications and response plan focused on being able to react swiftly. A quick response can effectively dampen the effect of an incident, but conventional communication channels are often insufficient to fill the information vacuum in such an event. Given the speed of social media content sharing, limiting the number of people required to review and approve a response is essential for a swift response. Financial institutions should ensure potential influence operations are part of their cyber-related communications planning and be familiar with the rules on platforms relating to key areas, including impersonation accounts and hacked materials.
    • Supporting Action 1.7.3: In the event of a crisis, social media companies should swiftly amplify communications by central banks, such as corrective statements that debunk fake information and calm the markets. Central banks and social media platforms should work together to determine what severity of crisis would necessitate amplified communication and develop escalation paths similar to those developed in the wake of past election interference, as seen in the United States and Europe.
    • Supporting Action 1.7.4: Financial authorities and financial services firms should review their current threat monitoring systems to ensure that they include and actively try to identify and detect potential influence operations.

Spotlight

Cyber insurance is a potential complement to existing efforts aimed at addressing cybersecurity risk in the financial sector. The cyber insurance market is growing rapidly, with both established insurance companies and start-ups hoping to develop sustainable models to assess and price cyber risk. So far, the full potential of cyber insurance remains unrealized as limited data and a quickly evolving security environment complicate the emergence of a more mature marketplace.

The financial sector may have a unique vantage point from which to develop innovative approaches to cyber insurance and unlock its potential. The financial services industry plays a dual role in the cyber insurance market as both buyer and seller, while financial regulators are familiar with the governance of risk.

To learn more about cyber insurance, see Carnegie’s publications “Addressing the Private Sector Cybersecurity Predicament: The Indispensable Role of Insurance,” by Ariel E. Levite, Scott Kannry, and Wyatt Hoffman (2018), and “War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions,” by Jon Bateman (2020).163

Notes

1 G20 Finance Ministers and Central Bank Governors, “Communiqué,” March 17, 2017, Carnegie Endowment for International Peace, https://carnegieendowment.org/files/g20-communique.pdf.

2 “FSB Publishes Stocktake on Cybersecurity Regulatory and Supervisory Practices,” October 13, 2017, https://www.fsb.org/2017/10/fsb-publishes-stocktake-on-cybersecurity-regulatory-and-supervisory-practices/.

3 “FSB Publishes Stocktake on Cybersecurity Regulatory and Supervisory Practices.”

4 GFMA and IIF, “Discussion Draft Principles Supporting the Strengthening of Operational Resilience Maturity in Financial Services,” October 2019, https://www.gfma.org/wp-content/uploads/2019/10/discussion-draft-iif-gfma-operational-resilience-principles-october-2019.pdf.

5 Bank of England, Financial Conduct Authority, and Prudential Regulation Authority, “Building Operational Resilience: Impact Tolerances for Important Business Services.”

6 Davey Winder, “$645 Billion Cyber Risk Could Trigger Liquidity Crisis, ECB’s Lagarde Warns,” Forbes, accessed March 10, 2020, https://www.forbes.com/sites/daveywinder/2020/02/08/645-billion-cyber-risk-could-trigger-liquidity-crisis-ecbs-lagarde-warns/.

7 Art Lindo, “Oversight of Cyber Resilience in the Financial Regulatory System: Seminar for Senior Bank Supervisors from Emerging Economies,” October 25, 2019, http://pubdocs.worldbank.org/en/388141572546457065/Day-5-ArtLindo-FRB-CyberResilience.pdf.

8 G7 Finance Ministers and Central Bank Governors, “Press Release,” G7 Information Centre, University of Toronto, October 13, 2017, http://www.g7.utoronto.ca/finance/171013-cybercrime.html.

9 G7 Finance Ministers and Central Bank Governors, “Press Release,” G7 Information Centre, University of Toronto, October 13, 2017, http://www.g7.utoronto.ca/finance/171013-cybercrime.html.

10 Italian Ministry of the Economy and Finance, “The G7 Reaffirms Its Commitment to Strengthening Cybersecurity in the Financial Sector,” October 11, 2018, http://www.dt.mef.gov.it/en/news/2018/G7_cyber_security.html.

11 Bank of Japan, “G-7 Fundamental Elements for Threat-Led Penetration Testing and Third Party Cyber Risk Management in the Financial Sector,” Press Release, October 15, 2018, https://www.boj.or.jp/en/announcements/release_2018/rel181015k.htm/.

12 “Cybersecurity: Coordinating Efforts to Protect the Financial Sector in the Global Economy” (conference, Banque de France and the French Ministry for the Economy and Finance, Paris, France, May 10, 2019), https://www.banque-france.fr/en/conferences-and-media/seminars-and-symposiums/research-conferences-and-symposiums/french-presidency-g7-2019-cybersecurity-coordinating-efforts-protect-financial-sector-global-economy.

13 Leigh Thomas, “G7 Countries to Simulate Cross-Border Cyber Attack Next Month: France,” Reuters, May 10, 2019, https://www.reuters.com/article/us-g7-france-cyber-idUSKCN1SG1KZ.

14 Jaime Vazquez and Martin Boer, “Addressing Regulatory Fragmentation to Support a Cyber-Resilience Global Financial Services Industry,” n.d., https://www.iif.com/portals/0/Files/private/iif_cyber_reg_04_25_2018_final.pdf.

15 GFMA and IIF, “Discussion Draft Principles Supporting the Strengthening of Operational Resilience Maturity in Financial Services.”

16 Marc Saidenberg, John Liver, and Eugene Goyne, “2020 Global Bank Regulatory Outlook: Four Major Themes Dominating the Regulatory Landscape in 2020,” EY, January 20, 2020, https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/banking-and-capital-markets/ey-global-regulatory-outlook-four-major-themes-dominating-the-regulatory-landscape-in-2020_v2.pdf.

17 Bank of England and Financial Conduct Authority, “Building the UK Financial Sector’s Operational Resilience,” July 2018, https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/discussion-paper/2018/dp118.pdf.

18 “Building Operational Resilience: Impact Tolerances for Important Business Services,” Bank of England and Financial Conduct Authority, December 2019, https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper.

19 “Building Operational Resilience: Impact Tolerances for Important Business Services.”

20 Bank of England, “CBEST Implementation Guide,” Bank of England, 2016, https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbest-implementation-guide.pdf.

21 Jeffrey Roman, “Bank of England Launches Cyber Framework,” BankInfoSecurity, June 10, 2014, https://www.bankinfosecurity.com/bank-england-launches-cyber-framework-a-6934.

22 Alex Hern, “Operation ‘Waking Shark II’ Tests the Cybersecurity of Britain’s Banks,” Guardian, November 12, 2013, https://www.theguardian.com/technology/2013/nov/12/operation-waking-shark-ii-tests-cybersecurity-banks; Bank of England, “Sector Simulation Exercise: SIMEX 2018 Report,” September 27, 2019, https://www.bankofengland.co.uk/report/2019/sector-simulation-exercise-simex-2018-report.

23 David Milliken, “U.S. and UK to Test Financial Cyber-Security Later This Month,” Reuters, November 2, 2015, https://www.reuters.com/article/us-britain-usa-cybersecurity-idUSKCN0SR1DW20151102.

24 SIFMA, “Cybersecurity Exercise: Quantum Dawn V,” February 28, 2020, https://www.sifma.org/resources/general/cybersecurity-exercise-quantum-dawn-v/.

25 National Cyber Security Centre, “Cyber Security Information Sharing Partnership (CiSP),” September 2016, https://www.ncsc.gov.uk/information/cyber-security-information-sharing-partnership--cisp-.

26 Andrew Gracie, “Cyber in Context,” Speech at the UK Financial Services Cyber Security Summit, London, July 2015, https://www.bankofengland.co.uk/-/media/boe/files/speech/2015/cyber-in-context.pdf.

27 Stephen Jones, “A Resilient Banking Sector,” UK Finance, December 7, 2018, https://www.ukfinance.org.uk/blogs/resilient-banking-sector.

28 Bank for International Settlements (BIS), “Cyber Resilience: Range of Practices,” December 2018, https://www.bis.org/bcbs/publ/d454.pdf.

29 European Commission, “Executive Summary of the Impact Assessment Accompanying the Document: Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector,” Commission Staff Working Document, September 24, 2020, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2020:199:FIN.

30 The ESAs are the European Banking Authority, the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA). European Commission, “FinTech Action Plan: For a More Competitive and Innovative European Financial Sector,” March 2018, https://ec.europa.eu/info/publications/180308-action-plan-fintech_en.

31 European Supervisory Authorities, “Joint Advice of the European Supervisory Authorities,” April 10, 2019, https://www.esma.europa.eu/sites/default/files/library/jc_2019_26_joint_esas_advice_on_ict_legislative_improvements.pdf.

32 European Banking Authority, “EBA Guidelines on ICT and Security Risk Management,” November 28, 2019, https://eba.europa.eu/eba-publishes-guidelines-ict-and-security-risk-management.

33 European Banking Authority, “EBA Guidelines on ICT and Security Risk Management,” November 28, 2019, https://eba.europa.eu/eba-publishes-guidelines-ict-and-security-risk-management.

34 European Banking Authority, “Guidelines on Outsourcing Arrangements,” June 5, 2019, https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements.

35 European Commission, “Consultation Document: Digital Operational Resilience Framework for Financial Services: Making the EU Financial Sector More Secure,” December 2019, https://ec.europa.eu/info/sites/info/files/business_economy_euro/banking_and_finance/documents/2019-financial-services-digital-resilience-consultation-document_en.pdf.

36 European Commission, “Consultation Document: Digital Operational Resilience Framework for Financial Services: Making the EU Financial Sector More Secure.”

37 European Banking Federation, “Digital Operational Resilience Framework: EBF Key Messages on the Commission Consultation,” April 6, 2020, https://www.ebf.eu/cybersecurity/ebf-key-messages-on-the-commission-consultation-on-a-digital-operational-resilience-framework/.

38 European Commission, “Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU,” September 24, 2020, https://ec.europa.eu/transparency/regdoc/rep/1/2020/EN/COM-2020-591-F1-EN-MAIN-PART-1.PDF.

39 European Commission, “Executive Summary of the Impact Assessment Accompanying the Document: Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector,” Commission Staff Working Document, September 24, 2020, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2020:199:FIN.

40 European Commission, “Executive Summary of the Impact Assessment Accompanying the Document: Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector,” Commission Staff Working Document, September 24, 2020, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2020:199:FIN.

41 European Banking Authority, “EBA Guidelines on ICT and Security Risk Management.”

42 European Commission, “Executive Summary of the Impact Assessment Accompanying the Document: Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector,” Commission Staff Working Document, September 24, 2020, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2020:199:FIN.

43 Euro Cyber Resilience Board Secretariat, “Cyber Information and Intelligence Sharing: A Practical Example,” Cyber Information Sharing and Intelligence Sharing Initiative, European Central Bank, September 2020, https://www.ecb.europa.eu/paym/groups/euro-cyber-board/shared/pdf/ciisi-eu_practical_example.pdf.

44 Euro Cyber Resilience Board Secretariat, “Cyber Information and Intelligence Sharing: Community Rulebook,” Cyber Information Sharing and Intelligence Sharing Initiative, European Central Bank, August 2020, https://www.ecb.europa.eu/paym/groups/euro-cyber-board/shared/pdf/ciisi-eu_community_rulebook.pdf.

45 EU member states currently implementing TIBER-EU: Belgium, Denmark, Finland, Germany, Ireland, Italy, Norway, Romania, Sweden, and the Netherlands.

46 Weuro Jaakko, “Resilience of Financial Market Infrastructure and the Role of the Financial Sector in Countering Hybrid Threats,” Presidency Issues Note for the Informal ECOFIN Working Session, September 9, 2019, https://eu2019.fi/documents/11707387/15400298/Hybrid+Threats+Informal+ECOFIN+final+Issues+Note+2019-09-09_S2.pdf/29565728-f476-cbdd-4c5f-7e0ec970c6c4/Hybrid+Threats+Informal+ECOFIN+final+Issues+Note+2019-09-09_S2.pdf.

47 Based on written input received from officials at Singapore’s Cyber Security Agency and the Monetary Authority of Singapore on October 16, 2020.

48 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” World Bank Group, Financial Sector Advisory Center, November 2019, http://pubdocs.worldbank.org/en/940481575300835196/CybersecDIGEST-NOV2019-FINAL.pdf.

49 Monetary Authority of Singapore, “Technology Risk Management Guidelines,” Consultation Paper, March 2019, https://www.mas.gov.sg/-/media/Consultation-Paper-on-Proposed-Revisions-to-Technology-Risk-Management-Guidelines.pdf.

50 “Consultation Paper on Proposed Revisions to Business Continuity Management Guidelines,” Monetary Authority of Singapore, March 2019, https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Consultation-Papers/Consultation-Paper-on-Proposed-Revisions-to-Business-Continuity-Management-Guidelines.pdf.

51 “Minutes of the Federal Open Market Committee” (U.S. Federal Reserve System, January 28, 2020), https://www.federalreserve.gov/monetarypolicy/files/fomcminutes20200129.pdf.

52 FS-ISAC, “FS-ISAC & MAS to Strengthen Cyber Info Sharing Across Nine Countries,” Press Release, November 14, 2017, https://www.fsisac.com/newsroom/fs-isac-and-mas-to-strengthen-cyber-information-sharing-across-nine-countries.

53 FS-ISAC, “FS-ISAC Launches the Ceres Forum: World’s Premier Threat Information Sharing Group for Central Banks,” Reston, Virginia and Singapore, June 11, 2018, https://www.fsisac.com/newsroom/fs-isac-launches-the-ceres-forum-worlds-premier-threat-information-sharing-group-for-central-banks-regulators-and-supervisors; CSA Singapore, “11 CII Sectors Tested on More Complex Cyber Attack Scenarios,” September 4, 2019, https://www.csa.gov.sg/news/press-releases/exercise-cyber-star-2019.

54 Federal Reserve System, “Enhanced Cyber Risk Management Standards,” Advance Notice of Proposed Rulemaking, Fall 2019, 7100-AE61, Office of Information and Regulatory Affairs, OMB, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201910&RIN=7100-AE61.

55 Robert Armstrong, Kiran Stacey, and Laura Noonan, “US Banks Face Tighter Scrutiny of Cyber Defences,” Financial Times, June 17, 2019, https://www.ft.com/content/69a25232-8eaa-11e9-a1c1-51bf8f989972.

56 Federal Reserve System, “Enhanced Cyber Risk Management Standards,” Advance Notice of Proposed Rulemaking, Fall 2019, 7100-AE61, Office of Information and Regulatory Affairs, OMB, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201910&RIN=7100-AE61.

57 Randal Quarles, “Speech by Vice Chairman for Supervision Quarles on the Financial Regulatory System and Cybersecurity,” Board of Governors of the Federal Reserve System, February 2018, https://www.federalreserve.gov/newsevents/speech/quarles20180226b.htm.

58 Randal Quarles, “Speech by Vice Chairman for Supervision Quarles on the Financial Regulatory System and Cybersecurity,” Board of Governors of the Federal Reserve System, February 2018, https://www.federalreserve.gov/newsevents/speech/quarles20180226b.htm.

59 Robert Armstrong, Kiran Stacey, and Laura Noonan, “US Banks Face Tighter Scrutiny of Cyber Defences,” Financial Times, June 17, 2019, https://www.ft.com/content/69a25232-8eaa-11e9-a1c1-51bf8f989972.

60 Art Lindo, “Oversight of Cyber Resilience in the Financial Regulatory System: Seminar for Senior Bank Supervisors from Emerging Economies.”

61 Board of Governors of the Federal Reserve System, “Strategic Plan 2020–23, December 2019,” 2019, 20.

62 “Minutes of the Federal Open Market Committee” (U.S. Federal Reserve System, January 28, 2020), https://www.federalreserve.gov/monetarypolicy/files/fomcminutes20200129.pdf.

63 New York State Department of Financial Services, “NYDFS 23 NYCRR 500,” 2017, https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf.

64 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” World Bank Group, Financial Sector Advisory Center, July 2020, http://pubdocs.worldbank.org/en/361881595872293851/CybersecDigest-v5-Jul2020-FINAL.pdf.

65 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” World Bank Group, Financial Sector Advisory Center, July 2020, http://pubdocs.worldbank.org/en/361881595872293851/CybersecDigest-v5-Jul2020-FINAL.pdf.

66 Institute for Development and Research in Banking Technology, “Indian Banks—Center for Analysis of Risks and Threats (IB-CART),” last modified September 30, 2020, https://www.idrbt.ac.in/ib-cart.html.

67 Institute for Development and Research in Banking Technology, “Indian Banks—Center for Analysis of Risks and Threats (IB-CART),” last modified September 30, 2020, https://www.idrbt.ac.in/ib-cart.html.

68 Reserve Bank of India, “Financial Stability Report,” July 2020, https://www.rbi.org.in/Scripts/FsReports.aspx.

69 “Cyber Threats Against Banking Industry on the Rise in Post-Covid-19 Lockdown Phase, Says RBI,” Hindu Business Line, https://www.thehindubusinessline.com/money-and-banking/cyber-threats-against-banking-industry-on-the-rise-in-post-covid-19-lockdown-phase-says-rbi/article32201404.ece.

70 Reserve Bank of India, “Financial Stability Report,” July 2020, https://www.rbi.org.in/Scripts/FsReports.aspx.

71 “CBI to Set Up Cyber-Crime Investigation Branch in Mumbai,” Business Standard, March 1, 2016, https://www.business-standard.com/article/news-ians/cbi-to-set-up-cyber-crime-investigation-branch-in-mumbai-116030100949_1.html.

72 Rajeev Jayaswal, “Govt Plans Cyber Security System for Financial Sector,” Hindustan Times, August 18, 2020, https://www.hindustantimes.com/india-news/govt-plans-cyber-security-system/story-bHRwwBeFVGLIrA3VMmOaDO.html.

73 Bank of England, Financial Conduct Authority, and Prudential Regulatory Authority, “Building Operational Resilience: Impact Tolerances for Important Business Services.”

74 European Banking Authority, “EBA Guidelines on ICT and Security Risk Management,” https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management.

75 “Consultation Paper on Proposed Revisions to Business Continuity Management Guidelines,” Monetary Authority of Singapore, March 2019, https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Consultation-Papers/Consultation-Paper-on-Proposed-Revisions-to-Business-Continuity-Management-Guidelines.pdf.

76 Art Lindo, “Oversight of Cyber Resilience in the Financial Regulatory System: Seminar for Senior Bank Supervisors from Emerging Economies.”

77 Global Financial Markets Association, “Response to Bank of England and FCA Discussion Paper on ‘Building the UK Financial Sector’s Operational Resilience,’” October 2018, https://www.afme.eu/portals/0/globalassets/downloads/consultation-responses/tao-gfma-response-to-bank-of-england-fca-building-uk-financial-resilience-5-oct-2018.pdf.

78 International Organization of Securities Commissions, “About CPMI-IOSCO,” accessed July 20, 2020, https://www.iosco.org/about/?subsection=cpmi_iosco.

79 Committee on Payments and Market Infrastructures and The Board of the International Organization of Securities Commissions, “Guidance on Cyber Resilience for Financial Market Infrastructures.”

80 Committee on Payments and Market Infrastructures and The Board of the International Organization of Securities Commissions, “Guidance on Cyber Resilience for Financial Market Infrastructures.”

81 The Board of the International Organization of Securities Commissions, “Cyber Task Force Final Report,” June 2019, https://www.iosco.org/library/pubdocs/pdf/IOSCOPD633.pdf.

82 Committee on Payments and Market Infrastructures, “Reducing the Risk of Wholesale Payments Fraud Related to Endpoint Security,” Bank for International Settlements, May 8, 2018, 178, https://www.bis.org/cpmi/publ/d178.htm.

83 “FSB Publishes Stocktake on Cybersecurity Regulatory and Supervisory Practices,” October 13, 2017, https://www.fsb.org/2017/10/fsb-publishes-stocktake-on-cybersecurity-regulatory-and-supervisory-practices/.

84 Financial Stability Board, “Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices,” October 13, 2017, https://www.fsb.org/2017/10/summary-report-on-financial-sector-cybersecurity-regulations-guidance-and-supervisory-practices/.

85 Financial Stability Board, “FSB Publishes Stocktake on Cybersecurity Regulatory and Supervisory Practices,” press release, October 13, 2017, https://www.fsb.org/2017/10/fsb-publishes-stocktake-on-cybersecurity-regulatory-and-supervisory-practices/.

86 Financial Stability Board, “Effective Practices for Cyber Incident Response and Recovery: Consultative Document,” April 20, 2020, https://www.fsb.org/2020/04/effective-practices-for-cyber-incident-response-and-recovery-consultative-document/.

87 Aquiles A. Almansi and Yejin Carol Lee, “Financial Sector’s Cybersecurity: A Regulatory Digest,” World Bank Group, Financial Sector Advisory Center, November 2019, http://pubdocs.worldbank.org/en/940481575300835196/CybersecDIGEST-NOV2019-FINAL.pdf.

88 Basel Committee on Banking Supervision, “Consultative Document: Principles for Operational Resilience,” August 2020, https://www.bis.org/bcbs/publ/d509.pdf.

89 Basel Committee on Banking Supervision, “Consultative Document: Principles for Operational Resilience,” August 2020, https://www.bis.org/bcbs/publ/d509.pdf.

90 Bank for International Settlements (BIS), “Cyber Resilience: Range of Practices,” December 2018, https://www.bis.org/bcbs/publ/d454.pdf.

91 Committee on Payments and Market Infrastructures, “Payment, Clearing and Settlement Operators Meet on Global Cyber-Resilience,” Press Release, September 14, 2018, https://www.bis.org/press/p180914.htm.

92 Committee on Payments and Market Infrastructures and The Board of the International Organization of Securities Commissions, “Guidance on Cyber Resilience for Financial Market Infrastructures,” Bank for International Settlements, 2016, http://www.bis.org/cpmi/publ/d138.htm.

93 Bank for International Settlements, “BIS Annual Report 2018/2019,” 2019, https://www.bis.org/about/areport/areport2019.pdf#bis2025.

94 Agustin Carstens, “The New BIS Strategy—Bringing the Americas and Basel Closer Together” (Speech, Fourteenth ASBA-BCBS-FSI High-level Meeting on Global and Regional Supervisory Priorities, Lima, October 1, 2019), https://www.bis.org/speeches/sp191001.htm.

95 Bank for International Settlements, “FSI Publications,” https://www.bis.org/fsi/publications.htm?m=1%7C17%7C161.

96 Senior officials at the Financial Stability Institute in written correspondence with the authors, May 2020.

97 European Banking Federation, Global Financial Markets Association, and International Swaps and Derivatives Association, “International Cybersecurity, Data and Technology Principles,” letter, May 2016, https://www.gfma.org/wp-content/uploads/0/83/197/211/13187d1e-077f-43c5-85a1-1da370608a2b.pdf.

98 Financial Services Sector Coordinating Council, “The Financial Services Sector Cybersecurity Profile,” October 25, 2018, https://fsscc.org/files/galleries/Financial_Services_Sector_Cybersecurity_Profile_Overview_and_User_Guide_2018-10-25.pdf.

99 Financial Services Sector Coordinating Council, “The Financial Services Sector Cybersecurity Profile,” October 25, 2018, https://fsscc.org/files/galleries/Financial_Services_Sector_Cybersecurity_Profile_Overview_and_User_Guide_2018-10-25.pdf.

100 European Banking Authority, “EBF Response to the EBA Guidelines on ICT and Security Risk Management,” accessed July 20, 2020, https://eba.europa.eu/node/82021/submission/62742.

101 Asia Securities Industry & Financial Markets Association (ASIFMA), “Response to Consultation Paper: Proposed Revisions to Guidelines on Business Continuity Management,” April 2019, https://www.asifma.org/wp-content/uploads/2019/04/final-asifma-response-to-mas-consultation-paper-on-guidelines-on-business-continuity-management.pdf.

102 SIFMA, “Quantum Dawn V Fact Sheet,” accessed January 5, 2020, https://www.sifma.org/wp-content/uploads/2019/11/QuantumDawnV-Factsheet_2019.pdf.

103 FS-ISAC, “FS-ISAC Upcoming Events, Summits, Webinars and Exercises,” accessed July 20, 2020, https://www.fsisac.com/events.

104 Chris Keeling, “Waking Shark II Desktop Cyber Exercise: Report to Participants,” November 12, 2013, https://www.bba.org.uk/wp-content/uploads/2014/02/Banking_3192106_v_1_Waking-Shark-II-Report-v1.pdf.pdf.

105 Bank of England, “Sector Simulation Exercise: SIMEX 2018 Report,” September 27, 2019, https://www.bankofengland.co.uk/report/2019/sector-simulation-exercise-simex-2018-report.

106 Shaun Waterman, “Bank Regulators Briefed on Treasury-Led Cyber Drill,” FedScoop, July 20, 2016, https://www.fedscoop.com/us-treasury-cybersecurity-drill-july-2016/.

107 Financial Services Information Sharing and Analysis Center, “Exercises Overview,” accessed July 20, 2020, https://www.fsisac.com/hubfs/Resources/FS-ISAC_ExercisesOverview.pdf.

108 David Milliken, “U.S. and UK to Test Financial Cyber-Security Later This Month,” Reuters, November 2, 2015, https://www.reuters.com/article/us-britain-usa-cybersecurity-idUSKCN0SR1DW20151102.

109 European Central Bank, “UNITAS Crisis Communication Exercise Report,” December 2018, https://www.ecb.europa.eu/pub/pdf/other/ecb.unitasreport201812.en.pdf.

110 Leigh Thomas, “G7 Countries to Simulate Cross-Border Cyber Attack Next Month: France,” Reuters, May 10, 2019, https://www.reuters.com/article/us-g7-france-cyber-idUSKCN1SG1KZ.

111 Leigh Thomas, “G7 Countries to Simulate Cross-Border Cyber Attack Next Month: France,” Reuters, May 10, 2019, https://www.reuters.com/article/us-g7-france-cyber-idUSKCN1SG1KZ.

112 UK National Cyber Security Centre, “Exercise in a Box,” 2019, https://exerciseinabox.service.ncsc.gov.uk/.

113 Isabel Skierka et al., “CSIRT Basics for Policy-Makers: The History, Types & Culture of Computer Security Incident Response Teams,” Working Paper, New America and Global Public Policy Institute, May 2015, https://static.newamerica.org/attachments/2943-csirt-basics-for-policy-makers/CSIRT%20Basics%20for%20Policy-Makers%20May%202015%20WEB%2009-15.16efa7bcc9e54fe299ba3447a5b7d41e.pdf.

114 GEANT, “TF-CSIRT: Computer Security Incident Response Teams—GÉANT,” accessed July 20, 2020, https://www.geant.org:443/People/Community_Programme/Task_Forces/Pages/TF-CSIRT.aspx.

115 Isabel Skierka et al., “CSIRT Basics for Policy-Makers: The History, Types & Culture of Computer Security Incident Response Teams,” Working Paper, New America and Global Public Policy Institute, May 2015, https://static.newamerica.org/attachments/2943-csirt-basics-for-policy-makers/CSIRT%20Basics%20for%20Policy-Makers%20May%202015%20WEB%2009-15.16efa7bcc9e54fe299ba3447a5b7d41e.pdf.

116 Robert Morgus et al., “National CSIRTs and Their Role in Computer Security Incident Response,” New America and Global Public Policy Institute, November 2015, https://d1y8sb8igg2f8e.cloudfront.net/documents/CSIRTs-incident-response.pdf.

117 European Union Agency for Cybersecurity, “NIS Directive Details,” accessed September 26, 2020, https://www.enisa.europa.eu/topics/nis-directive.

118 “FC3—Finance and Cyber Continuity Center: Israel’s National Financial CERT,” senior officials from the Israeli Ministry of Finance in written correspondence with the authors, April 16, 2020.

119 CERTFin, “CERT Finanziario Italiano (CERTFIN) - RFC 2350,” Bank of Italy, accessed September 26, 2020, https://www.certfin.it/media/pdf/rfc2350.pdf.

120 CERTFin, “CERT Finanziario Italiano (CERTFIN) - RFC 2350,” Bank of Italy, accessed September 26, 2020, https://www.certfin.it/media/pdf/rfc2350.pdf.

121 GEANT, “TF-CSIRT: Computer Security Incident Response Teams - GÉANT,” accessed July 20, 2020, https://www.geant.org:443/People/Community_Programme/Task_Forces/Pages/TF-CSIRT.aspx.

122 Finance and Cyber Continuity Center, “FC3—Finance and Cyber Continuity Center: Israel’s National Financial CERT,” April 16, 2020.

123 “FC3—Finance and Cyber Continuity Center: Israel’s National Financial CERT,” senior officials from the Israeli Ministry of Finance in written correspondence with the authors, April 16, 2020.

124 “FC3—Finance and Cyber Continuity Center: Israel’s National Financial CERT,” senior officials from the Israeli Ministry of Finance in written correspondence with the authors, April 16, 2020.

125 “FC3—Finance and Cyber Continuity Center: Israel’s National Financial CERT,” senior officials from the Israeli Ministry of Finance in written correspondence with the authors, April 16, 2020.

126 “FC3—Finance and Cyber Continuity Center: Israel’s National Financial CERT,” senior officials from the Israeli Ministry of Finance in written correspondence with the authors, April 16, 2020.

127 Brian F. Tivnan, “Financial System Mapping,” November 7, 2018, https://www.mitre.org/publications/technical-papers/financial-system-mapping.

128 Telis Demos, “Banks Build Line of Defense for Doomsday Cyberattack,” Wall Street Journal, December 3, 2017, https://www.wsj.com/articles/banks-build-line-of-defense-for-doomsday-cyberattack-1512302401.

129 Sheltered Harbor, “Sheltered Harbor - About,” accessed July 20, 2020, https://shelteredharbor.org/index.php/about#who.

130 Stacy Cowley, “Banks Adopt Military-Style Tactics to Fight Cybercrime,” New York Times, May 20, 2018, https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html.

131 Rob Nichols, Gregory Baer, Jim Nussle, Kevin Fromer, Steven Silberstein, and Kenneth Bentsen to Financial Institution CEOs, May 14, 2019, https://www.shelteredharbor.org/images/SH/Docs/Sheltered_Harbor_Trade_Assn_Exec_Letter_Genericfinal_051619.pdf.

132 Rob Nichols, Gregory Baer, Jim Nussle, Kevin Fromer, Steven Silberstein, and Kenneth Bentsen to Financial Institution CEOs, May 14, 2019, https://www.shelteredharbor.org/images/SH/Docs/Sheltered_Harbor_Trade_Assn_Exec_Letter_Genericfinal_051619.pdf.

133 Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency, “Joint Statement on Heightened Cybersecurity Risk,” January 16, 2020, https://occ.gov/news-issuances/bulletins/2020/bulletin-2020-5a.pdf.

134 U.S. Federal Financial Institutions Examination Council, “Cybersecurity Resource Guide for Financial Institutions,” October 2018, https://www.ffiec.gov/press/pdf/FFIEC%20Cybersecurity%20Resource%20Guide%20for%20Financial%20Institutions.pdf.

135 For the purposes of this section, exchanges refer to those that operate in a regulated and secure market, and are distinct from “cryptocurrency exchanges.”

136 European Central Bank, “Cyber Resilience Oversight Expectations for Financial Market Infrastructures,” December 2018, https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf.

137 Darrell Duffie and Joshua Younger, “Cyber Runs: How a Cyber Attack Could Affect U.S. Financial Institutions,” Hutchins Center on Fiscal and Monetary Policy, Brookings Institution, June 2019, https://www.brookings.edu/research/cyber-runs/.

138 World Federation of Exchanges, “WFE Response to the EU Commission’s Digital Operational Resilience Framework for Financial Services: Making the EU Financial Sector More Secure,” March 2020, https://www.world-exchanges.org/storage/app/media/regulatory-affairs/WFE%20response%20EU%20Consultation%20Digital%20Resilience%20FINAL.pdf.

139 Rohini Tendulkar, “Cyber-Crime, Securities Markets, and Systemic Risk,” Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges, July 2013, https://www.world-exchanges.org/storage/app/media/research/Studies_Reports/2013-cyber-crime-securities-markets-amp-systemic-risk.pdf.

140 Rob Stock, “Five Eyes cybersecurity Agencies Will Be Involved in Fight Against NZX Cyberattackers,” Stuff, August 29, 2020, https://www.stuff.co.nz/business/122604872/five-eyes-cybersecurity-agencies-will-be-involved-in-fight-against-nzx-cyberattackers.

141 Nish and Naumaan, “The Cyber Threat Landscape: Confronting Challenges to the Financial System.”

142 “The Evolving Advanced Cyber Threat to Financial Markets,” SWIFT and BAE Systems, 2018, https://www.baesystems.com/en/cybersecurity/feature/the-evolving-advanced-cyber-threat-to-financial-markets.

143 Nish and Naumaan, “The Cyber Threat Landscape: Confronting Challenges to the Financial System.”

144 FinCyber Project, “Timeline of Cyber Incidents Involving Financial Institutions,” Carnegie Endowment for International Peace, accessed July 20, 2020, https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline.

145 “Consultation Paper on Proposed Revisions to Business Continuity Management Guidelines,” Monetary Authority of Singapore, March 2019, https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Consultation-Papers/Consultation-Paper-on-Proposed-Revisions-to-Business-Continuity-Management-Guidelines.pdf.

146 European Commission, “Executive Summary of the Impact Assessment Accompanying the Document: Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector,” Commission Staff Working Document, September 24, 2020, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2020:199:FIN.

147 Carmen Reinicke, “3 Reasons One Wall Street Firm Says to Stick With Cloud Stocks Amid the Coronavirus-Induced Market Rout,” Business Insider, March 30, 2020, https://markets.businessinsider.com/news/stocks/wedbush-reasons-own-cloud-stocks-coronavirus-pandemic-tech-buy-2020-3-1029045273#2-the-move-to-cloud-will-accelerate-more-quickly-amid-the-coronavirus-pandemic2.

148 Sara Castellanos, “Nasdaq Ramps Up Cloud Move,” Wall Street Journal, September 15, 2020, https://www.wsj.com/articles/nasdaq-ramps-up-cloud-move-11600206624.

149 Mark Carney, “Enable, Empower, Ensure: A New Finance for the New Economy” (Speech, Mansion House Bankers’ and Merchants’ Dinner, London, June 20, 2019), http://www.bankofengland.co.uk/speech/2019/mark-carney-speech-at-the-mansion-house-bankers-and-merchants-dinner.

150 Tim Maurer and Garrett Hinck, “Cloud Security: A Primer for Policymakers,” Carnegie Endowment for International Peace, August 31, 2020, https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597.

151 Buckley LLP, “Democratic Members Request FSOC Designate Cloud Providers as Systemically Important,” InfoBytes Blog, August 29, 2019, https://www.lexology.com/library/detail.aspx?g=049d5593-658b-4379-835b-9a42bc26758b.

152 White and Williams LLP and Osborne Clarke LLP, “Threat Information Sharing and GDPR: A Lawful Activity That Protects Personal Data,” FS-ISAC, 2018, https://www.osborneclarke.com/wp-content/uploads/2019/01/Threat-Information-Sharing-and-GDPR_Final_TLP-WHITE.pdf.

153 Based on input from officials at the European Central Bank.

154 European Central Bank, “Major European Financial Infrastructures Join Forces against Cyber Threats,” February 2020, https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html.

155 “Exemptions,” ICO, May 15, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions/.

156 “Exemptions,” ICO, May 15, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions/.

157 Stephanie von Maltzan, “No Contradiction Between Cyber-Security and Data Protection? Designing a Data Protection Compliant Incident Response System,” European Journal of Law and Technology 10, no. 1 (May 16, 2019), http://ejlt.org/article/view/665.

158 Financial Stability Board, “Effective Practices for Cyber Incident Response and Recovery: Consultative Document,” April 20, 2020, https://www.fsb.org/2020/04/effective-practices-for-cyber-incident-response-and-recovery-consultative-document/.

159 Elise Thomas, Natalie Thompson, and Alicia Wanless, “The Challenges of Countering Influence Operations,” Carnegie Endowment for International Peace, June 10, 2020, https://carnegieendowment.org/2020/06/10/challenges-of-countering-influence-operations-pub-82031.

160 Jon Bateman, “Deepfakes and Synthetic Media in the Financial System: Assessing Threat Scenarios,” Cybersecurity and the Financial System Working Paper Series, Carnegie Endowment for International Peace, July 2020, https://carnegieendowment.org/2020/07/08/deepfakes-and-synthetic-media-in-financial-system-assessing-threat-scenarios-pub-82237.

161 Jim Edwards, “A False Rumor on WhatsApp Started a Run on a London Bank,” Business Insider, May 13, 2019, https://www.businessinsider.com/whatsapp-rumour-started-run-on-metro-bank-2019-5.

162 Patrick Collinson, “Metro Bank Shares Crash after Loans Blunder Revealed,” Guardian, January 23, 2019, https://www.theguardian.com/business/2019/jan/23/metro-bank-shares-crash-after-loans-blunder-revealed.

163 Ariel E. Levite, Scott Kannry, and Wyatt Hoffman, “Addressing the Private Sector Cybersecurity Predicament: The Indispensable Role of Insurance,” Carnegie Endowment for International Peace, 2018, https://carnegieendowment.org/files/Cyber_Insurance_Formatted_FINAL_WEB.PDF; Jon Bateman, “War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions,” Carnegie Endowment for International Peace, October 5, 2020, https://carnegieendowment.org/2020/10/05/war-terrorism-and-catastrophe-in-cyber-insurance-understanding-and-reforming-exclusions-pub-82819.