Cyber resilience 'just as important' as capital and liquidity
Senior regulators ramped up warnings on Wednesday about the potentially destabilising effects of a major cyberattack on the financial system, while drawing attention to the vulnerability of clearinghouses in particular given the critical role these institutions play in financial markets.
“To keep financial institutions and the financial system safe, resilience against cyberattacks has become just as important as holding sufficient capital and liquidity,” Steven Maijoor, executive board member and chair of supervision at De Nederlandsche Bank, told the ISDA annual general meeting in Amsterdam.
“Cyber resilience will absolutely be a key focus area in our supervision of the financial industry in the coming years,” Maijoor said, adding later that it is a “race we cannot afford to lose”.
Maijoor highlighted the “unique position” that market infrastructure firms such as central counterparties occupy in the cyberthreat landscape. CCPs act as middlemen in financial transactions such as derivatives trades to prevent losses cascading through the financial system if one of the parties involved defaults. Their importance has grown over the years after regulators made pushing large swathes of the US$730trn over-the-counter derivatives market through central clearing one of their landmark reforms in the wake of the 2008 financial crisis.
Maijoor said CCPs seem to be targeted less than other institutions. However, if they are attacked successfully “the impact could be very high”, partly because there aren’t many of them and because they operate highly advanced systems that are "very important" for the functioning of the financial system.
“These features make them an attractive target for nation-state actors who want to cause maximum disruption. This does not mean that market infrastructure parties are currently being attacked. But given the geopolitical situation, tomorrow's reality could be different,” Maijoor said.
"Digital arms race"
The fact that most CCPs have outsourced part of their cybersecurity potentially makes them more vulnerable than banks, Maijoor said, because it makes their cyber defence “more complex”.
“Many financial institutions have taken big steps in recent years to boost their cyber resilience. But given the size, urgency and evolving nature of the threat, we need to do even more to keep financial services safe. It seems more and more that we are involved in a digital arms race,” Maijoor said.
Sarah Breeden, deputy governor for financial stability at the Bank of England, also highlighted the threat of cyber risk to CCPs in a separate speech on Wednesday to the ISDA AGM that focused on the importance of a system-wide approach to regulating clearinghouses.
“The ability for CCPs to fulfil their central role in the financial system hinges on them remaining operationally resilient. As we face a landscape characterised by rapid technological change and heightened geopolitical tensions, our expectations of their operational resilience, including to cyber risk, have to evolve,” Breeden said.
“CCPs must navigate these dynamics to mitigate risks and avoid amplifying threats to the broader financial system.”