Cyber risk is the primary issue that calls for immediate attention: IOSCO

K Raghavendra Rao Mumbai | Updated on January 22, 2018

Tajinder Singh Deputy Secretary General, IOSCO

International regulators body suggests ways and means for effective turnaround time

Cyber risk has emerged as the number one systemic risk, according to Tajinder Singh, Deputy Secretary General, International Organisation of Securities Commissions (IOSCO). IOSCO is the international policy forum for securities regulators.

Consultation report

Systemic risk is the risk of collapse of a financial system due to default by one or a group of entities, for instance the global credit crisis of 2008.

In a recent one-to-one interaction with BusinessLine, Singh said, “There are surveys where many people are saying that cyber risk is number one systemic risk. We have taken this very seriously and just a few days ago published a consultation report — Guidance on Cyber Resilience for Financial Market Infrastructures. FMIs include exchanges, depositories, and clearing corporations.

Singh said the type of turnaround time (TAT) to respond to cyber attacks that are being talked about is two hours — that is already coming from the PFMIs (Principles for FMIs).

“The PFMIs do not talk anything specific on cyber risks but they talk about any disruption and the point is if you have a disruption then the indicative TAT is two hours. Cyber security threat is a type of disruption.

“The recent report also talks about a two-hour TAT. The whole point is about the robustness/ accuracy with which you are able to come out of it rather than the timing of it. So, the two hours is indicative but the fact is you should be able to do it well and accurately,” Singh explained.

Covers wider area

On the issue of strengthening IT systems, Singh felt that the entire cyber area was not just an IT issue. “It is broader. Hence, the first principle that we have issued recently talks about governance — it is not just a matter for your IT department/ Chief Information Officer but a matter for your board also — top down.

“It is about governance, identification, protection, detection, response and recovery. And then, there are these overarching components about continuous stress testing, awareness of threat intelligence, learning and evolving.”

On outsourcing of activities by FMIs, Singh observed that the whole point was to be able to control the risks that came from outsourcing because it was impossible to avoid outsourcing.

Factoring in advance

Finally, on the issue of technology going redundant frequently, necessitating upgradation/ replacement, putting FMIs in a dilemma on rising costs versus security, Singh said, “This will have to be in-built into the processes. That is why we have the overarching components about testing, situational awareness, learning and evolving, so that the next time you are doing a system change or an upgrade you are already factoring in the cyber element into that.”

Published on December 24, 2015

Follow us on Telegram, Facebook, Twitter, Instagram, YouTube and Linkedin. You can also download our Android App or IOS App.

This article is closed for comments.
Please Email the Editor

You May Also Like