Oversight of cyber risk

Cyber risk

Cyber risk is one of the main sources of operational risk. It is becoming an increasingly important focus for regulators, due to the crippling effects a major cyber incident could have on financial market infrastructures (FMIs). The November 2014 report on cyber resilience in market infrastructures published by the Bank for International Settlements’ Committee on Payment and Market Infrastructures (CPMI) defines cyber threats as "a circumstance or event with the potential to intentionally or unintentionally exploit one or more vulnerabilities in an FMI’s systems resulting in a loss of confidentiality, integrity or availability”.

Oversight framework

Cyberattacks pose extreme risks, such as data corruption or distributed-denial-of-service (DDoS), which can force an infrastructure to shut down and prevent it from delivering vital services to participants. These types of attack are a major challenge for FMIs as they make it difficult to ensure a return to operations (RTO) within the target 2-hour deadline set in the 2012 PFMI (CPMI-IOSCO Principles for Financial Market Infrastructures). For example, in the case of data corruption, the operator needs to identify the last “trusted” point to which it can restore operations, restore the unaffected data from before this point, and handle all new operations recorded in the system since that time.

In 2016, the CPMI and IOSCO published guidelines on the cyber resilience of market infrastructures, setting out detailed expectations for operators. These complement the general expectations on operational risk management (see PFMI published in 2012). The Eurosystem, which plays a major role in supervising market infrastructures, published a set of cyber resilience oversight expectations (CROE) at the end of 2018. It also defined three levels of maturity, providing a more operational application basis for the CPMI-IOSCO 2016 guidelines. The more systemic a market infrastructure, the higher its expected level of maturity.

These recommendations on the cyber resilience of financial market infrastructures are broken down into eight categories:

1. governance
2. risk identification
3. protection
4. detection
5. response and recovery
6. testing
7. situational awareness
8. learning and evolving

The aim is to provide a methodological approach and tools to enable financial market infrastructures to enhance their resilience to cyber threats.

The European DORA regulation (the financial sector Digital Operational Resilience Act) adopted at the end of 2022 and effective from January 2025, aims to ensure that nearly all financial sector entities (including banks and insurers, administrators of critical benchmarks, service providers and crypto-asset issuers) put in place the necessary safeguards to mitigate risks linked to cyberattacks. DORA will also require all firms to:

1. implement measures to protect against all types of threat and disruption linked to information and communication technologies (ICT)
2. put in place a system for managing, classifying and reporting ICT-related incidents
3. in the case of systemic entities, regularly conduct advanced tests on ICT tools, systems and processes using threat-led penetration testing (or red teaming)

In addition, DORA will introduce a framework for the direct oversight by financial supervisors of critical service providers, including cloud service providers.

TIBER-FR, a framework to strengthen the cybersecurity of the French financial system

In light of the financial sector’s exposure to the risk of cyberattacks, the Banque de France and the Autorité de Contrôle Prudentiel et de Résolution (ACPR – Prudential Supervision and Resolution Authority) have jointly decided to implement TIBER-FR in France as part of their mandate to preserve financial stability. TIBER-FR is the national version of the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming), and is accompanied by the publication of a national implementation guide.

TIBER is a common, EU-wide framework that delivers a controlled, bespoke, intelligence-led red team test of financial entities’ critical live production systems. It allows the tested entities to understand their real-world resilience by stressing all elements of their business against the tactics, techniques and procedures (TTPs) of threat actors specific to their organisation. The intelligence-led red team test provides a comprehensive end-to-end understanding of weaknesses present in people, business processing, technology, and their associated intersection points, and provides a detailed threat assessment that can be used to further enhance the entity’s situational awareness.

The cyber resilience of the European financial sector is a major priority. The European legislator has therefore established the Digital Operational Resilience Act (DORA) regulation defining obligations related to risk management and IT security. The DORA regulation requires inter alia a Threat Lead Penetration Testing (TLPT) framework, in accordance with TIBER-EU. The TIBER-EU framework and supplementary guidance, and the implementation of TIBER-FR should thus be seen as providing additional guidance and contextualisation to the DORA TLPT requirements laid down in the Regulatory Technical Standards (RTS).

For further information about TIBER-FR contact us: TIBER-FR@banque-france.fr