Out-Law News 3 min. read

Restoring payment systems after disruptive cyber attacks could involve compromising analysis of incidents, says report


A new report on cyber resilience in financial market infrastructures has highlighted potential conflicts between legal obligations on the reporting of cyber security or data breaches and the need to restore services quickly following those incidents, an expert has said.

In its report, the Committee on Payments and Market Infrastructures (CPMI) said that operators of systemically important payment systems and other financial market infrastructures might need to forego detailed analysis of cyber incidents (19-page / 248KB PDF) if they want to restore critical services to operational functionality within two hours.

The CPMI is a standard setting body in the global payments market and acts as a forum for central banks from around the world to cooperate on "oversight, policy and operational matters".

In 2012 it, under its previous guise as the Committee on Payment and Settlement Systems, together with the technical committee of the International Organisation of Securities Commissions, set principles for financial market infrastructures (FMIs) to adhere to which are designed to "ensure that the infrastructure supporting global financial markets is robust and thus well placed to withstand financial shocks".

FMIs include systemically important payment systems, central securities depositories, securities settlement systems and trade repositories. According to the CPMI, the FMI principles are "in the process of being implemented in many jurisdictions".

One of the principles requires FMI operators to "ensure a high degree of security and operational reliability" of systems and "aim for timely recovery of operations  …  in the event of a wide-scale or major disruption".

In practice, FMI operators' business continuity plans must "be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events" and that there can be "complete settlement" of transactions "by the end of the day of the disruption, even in the case of extreme circumstances".

In its new report, the CPMI said that operators of FMIs had "identified challenges to achieving" the two-hour recovery time objective (2h-RTO) "in an extreme cyber scenario". However, it said senior managers at the organisations "understand and support" the two-hour target.

The CPMI said, though, that restoring critical services within a two hour timeframe of a cyber attack "could involve trade-offs with other aspects of cyber security and resumption".

"For example, in some cases, ensuring a 2h-RTO may mean that forensic analysis of the attack, needed to preserve the integrity of the evidence collected and to ensure that it can be used effectively in a legal case, cannot be completed as easily or comprehensively as in the case of a long closure of systems," the CPMI said. "While forensic analysis may be postponed, creating the conditions to perform it post-event is a responsibility that cannot be dismissed."

Technology and payments law expert John Salmon of Pinsent Masons, the law firm behind Out-Law.com, said that new cyber security incident and data breach notification rules set to be introduced in the EU should be worded in a way which reflects the overriding need to restore payment systems to working order in the event of a serious and disruptive cyber attack.

"There remains uncertainty, and in some respects inconsistency, between the draft data protection regulation and network and information security directive, both pieces of EU legislation currently being negotiated, as to when to report cyber breaches and the nature of what is to be reported", he said.

"While attaining more transparency through security and breach reporting is a positive development, there must be some acknowledgement that it is critical to focus on recovery rather than administration during a cyber attack scenario and that in some circumstances this may require a change of behaviour or what is required of an organisation."       

The CPMI said that FMI operators had said there are some "near-term steps" they can take to achieve their two hour or end-of-day recovery time and settlement targets under the FMI principles, even in "an extreme cyber event".

"The measures necessary are likely to require investments in a combination of prevention, detection and recovery techniques," the CPMI said. "These three elements, in the context of 2h-RTO, are mutually reinforcing and must be considered jointly."

One of the measures considered in the report which could be deployed to aid recovery times is "layered technology", which allows FMI operators to restore some services in the event of an attack because only some of the underlying systems are compromised due to their separation from one another.

"Robustness to integrity attacks is important, as an inability to quickly resume operations in a stable state may cause systemic risk and could potentially be transmitted to the wider financial system," the report said. "Even if recovery as such is quickly achieved, that does not necessarily imply cyber resilience. An FMI that manages to resume operations within two hours may simply be recovering to the vulnerable state which had permitted the attack to succeed in the first place."

"With layered technology, it may in some instances be possible to partially resume services – that is, to recover some functionality while still remediating other compromised system components. In the event that intraday recovery of critical components is not possible, many FMIs could extend operating hours beyond the normal end-of-day, on a case by case basis, taking into account linked systems and interdependencies," it said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.