Cyber risk has emerged as the number one systemic risk, according to Tajinder Singh, Deputy Secretary General, International Organisation of Securities Commissions (IOSCO). IOSCO is the international policy forum for securities regulators.

Consultation report

Systemic risk is the risk of collapse of a financial system due to default by one or a group of entities, as in the global credit crisis of 2008.

In a recent one-to-one interaction with BusinessLine, Singh said, “There are surveys where many people are saying that cyber risk is number one systemic risk. We have taken this very seriously and just a few days ago published a consultation report — Guidance on Cyber Resilience for Financial Market Infrastructures.” FMIs include exchanges, depositories, and clearing corporations.

Singh said the turnaround time (TAT) being talked about for responding to cyber attacks is two hours, a figure that already comes from the PFMIs (Principles for FMIs).

“The PFMIs do not talk anything specific on cyber risks but they talk about any disruption and the point is if you have a disruption then the indicative TAT is two hours. Cyber security threat is a type of disruption.

“The recent report also talks about a two-hour TAT. The whole point is about the robustness/ accuracy with which you are able to come out of it rather than the timing of it. So, the two hours is indicative but the fact is you should be able to do it well and accurately,” Singh explained.

Covers wider area

On the issue of strengthening IT systems, Singh felt that the entire cyber area was not just an IT issue. “It is broader. Hence, the first principle that we have issued recently talks about governance — it is not just a matter for your IT department/ Chief Information Officer but a matter for your board also — top down.

“It is about governance, identification, protection, detection, response and recovery. And then, there are these overarching components about continuous stress testing, awareness of threat intelligence, learning and evolving.”

On outsourcing of activities by FMIs, Singh observed that the whole point was to be able to control the risks that came from outsourcing because it was impossible to avoid outsourcing.

Factoring in advance

Finally, on the issue of technology frequently becoming redundant and needing upgrade or replacement, which leaves FMIs in a dilemma over rising costs versus security, Singh said, “This will have to be in-built into the processes. That is why we have the overarching components about testing, situational awareness, learning and evolving, so that the next time you are doing a system change or an upgrade you are already factoring in the cyber element into that.”
