Cyber risk has emerged as the number one systemic risk, according to Tajinder Singh, Deputy Secretary General, International Organisation of Securities Commissions (IOSCO). IOSCO is the international policy forum for securities regulators.
Consultation report
Systemic risk is the risk of collapse of a financial system due to default by one or a group of entities, for instance the global credit crisis of 2008.
In a recent one-to-one interaction with
Singh said the turnaround time (TAT) to respond to cyber attacks that is being talked about is two hours — that is already coming from the PFMIs (Principles for FMIs).
“The PFMIs do not talk anything specific on cyber risks but they talk about any disruption and the point is if you have a disruption then the indicative TAT is two hours. Cyber security threat is a type of disruption.
“The recent report also talks about a two-hour TAT. The whole point is about the robustness/accuracy with which you are able to come out of it rather than the timing of it. So, the two hours is indicative but the fact is you should be able to do it well and accurately,” Singh explained.
Covers wider area
On the issue of strengthening IT systems, Singh felt that the entire cyber area was not just an IT issue. “It is broader. Hence, the first principle that we have issued recently talks about governance — it is not just a matter for your IT department/Chief Information Officer but a matter for your board also — top down.
“It is about governance, identification, protection, detection, response and recovery. And then, there are these overarching components about continuous stress testing, awareness of threat intelligence, learning and evolving.”
On outsourcing of activities by FMIs, Singh observed that the whole point was to be able to control the risks that came from outsourcing because it was impossible to avoid outsourcing.
Factoring in advance
Finally, on the issue of technology going redundant frequently, necessitating upgradation/replacement, putting FMIs in a dilemma on rising costs versus security, Singh said, “This will have to be in-built into the processes. That is why we have the overarching components about testing, situational awareness, learning and evolving, so that the next time you are doing a system change or an upgrade you are already factoring in the cyber element into that.”