Financial market infrastructures (FMIs) such as exchanges, depositories and clearing corporations will have to ramp up their network resilience so as to recover and resume operations within two hours of a cyberattack.
On Wednesday, the Bank for International Settlements (BIS) and the International Organization of Securities Commissions (IOSCO), the standard-setting bodies for banking and securities regulators around the world, jointly issued guidelines to ensure the safe operation of FMIs.
Under current norms, SEBI has not prescribed any time-frame for Indian stock exchanges and other players to resume operations following a cyberattack. The Indian market regulator has, however, put in place most of the other proposals outlined in the guidelines. The new note comes in the wake of the increased threat of online attacks by “enemy countries” and terrorists.
“An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme… scenarios,” the guidelines said.
“Notwithstanding this capability to resume critical operations within two hours, when dealing with a disruption, FMIs should exercise judgment…so that risks to itself or its ecosystem do not thereby escalate…” it added.
These are the first internationally agreed guidelines on cyber security for the financial industry. SEBI was part of the working group on cyber resilience, which framed the guidance. Regulators in India usually tailor the guidance to Indian requirements, typically within a couple of quarters.
The guidelines note that if FMIs are not properly managed, they could become sources of financial shocks, such as liquidity dislocations and credit losses, or a channel through which shocks are transmitted across financial markets.