Mitigating Systemic Cyber Risk, from the European Systemic Risk Board (ESRB)


The constantly evolving cyber risk landscape and recent increase in cyber incidents are indicators of a greater threat to financial stability within the European Union. In the worst case, a cyber incident could affect operational systems in the financial system and impair the provision of critical economic functions, trigger financial contagion or lead to an erosion of confidence in the financial system. If the financial system is not able to absorb these shocks, financial stability is likely to be put at risk and a systemic cyber crisis could unfold (ESRB, 2020).

Of particular importance is the need to overcome the risk to financial stability stemming from a coordination failure during the response to an incident. A cyber incident’s scale, speed and propagation call for a swift response from firms and financial authorities in order to preserve financial stability. Financial authorities in the EU need to coordinate among themselves, at global level and with parties that they do not usually interact with, such as cyber authorities. The risk of a coordination failure by authorities also exists. Uncoordinated action could contradict or even jeopardise the response of other authorities, lead to an erosion of confidence in the functioning of the financial system and thereby amplify the shock for the financial system. In the worst case, financial stability may be threatened.

This report identifies the need for the establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF) to mitigate the risk of a coordination failure. The objective behind such a mechanism is to increase the level of preparedness of financial authorities in the EU and to define a coherent and thus more effective response to a cyber incident. The EU-SCICF should help bridge any coordination and communication gaps between financial authorities themselves, with other sector authorities and with other key actors at international level. As such, it should complement existing coordination and communication protocols. To ensure the non-duplication of frameworks, the EU-SCICF should be aligned with the existing financial crisis framework and the EU cyber incident landscape.

European financial authorities are well placed to support the implementation of an EU-SCICF. Successful management of a systemic cyber crisis will depend on the capabilities of each financial authority to interact with other financial and cyber authorities at European level. Here, the principles underpinning the EU-SCICF mechanism should serve as a reference point for the required capabilities of European financial authorities.

A new set of macroprudential tools is required to address systemic cyber risk. An all-encompassing set of tools should address both cyber and financial risk stemming from cyber incidents. It should complement the existing strategies and instruments of microprudential and oversight authorities in this domain. While macroprudential authorities are familiar with addressing financial risk, addressing cyber risk is somewhat new. Consequently, the current macroprudential policy framework has limited capacity to develop specific mitigants and needs to be amended. Moreover, a better understanding of systemic cyber risk is required.

This report presents a strategy for developing the capabilities needed to mitigate the risk of financial instability in the event of a cyber incident. It reviews the current macroprudential framework and suggests how it could be adapted to better address the risks and vulnerabilities stemming from systemic cyber risk. Furthermore, the report sets out how macroprudential authorities should improve their analytical and monitoring capabilities and discusses mitigants which could contribute to financial stability.

A monitoring and analytical framework for systemic cyber risk needs to be implemented in order to help design and calibrate this new set of macroprudential tools. The report presents an overview of monitoring concepts that require further reflection by the ESRB on their implementation. Systemic cyber resilience stress tests are identified as a valuable tool to test how systemic institutions in the financial system would respond to and recover from a severe but plausible cyber incident scenario. To draw conclusions from systemic cyber resilience stress tests on financial stability, macroprudential authorities need to define an acceptable level of disruption to operational systems providing critical economic functions. To increase the understanding of vulnerabilities and contagion channels in the financial system, systemically important nodes at financial and operational level need to be identified through cyber mapping, including third-party providers.
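The cyber mapping and the "acceptable level of disruption" mentioned above can be made concrete with a small dependency model. The following is an added illustration, not ESRB methodology and not code from the report: it assumes a constructed map of institutions, the third-party ICT providers they rely on, and each institution's share of a few critical economic functions, and it ranks every node by how many critical functions would lose more capacity than a chosen tolerance if that node were fully unavailable. All names, shares and the tolerance value are invented for the example.

```python
"""Illustrative cyber mapping (constructed data; not the ESRB's method).

Nodes are financial institutions and third-party ICT providers.
An institution's outage removes its share of each critical function;
a provider's outage removes every institution that depends on it.
A function is counted as disrupted when the lost capacity exceeds a
tolerance that stands in for the 'acceptable level of disruption'.
"""

# Constructed sample: each institution's share of a critical function's volume.
FUNCTION_SHARES = {
    "payments": {"BankA": 0.5, "BankB": 0.3, "BankC": 0.2},
    "securities_settlement": {"CSD1": 0.8, "BankA": 0.2},
    "retail_lending": {"BankB": 0.4, "BankC": 0.4, "BankD": 0.2},
}

# Constructed sample: third-party providers each institution depends on.
PROVIDER_DEPS = {
    "BankA": {"CloudX", "CoreBankingVendor"},
    "BankB": {"CloudX"},
    "BankC": {"CloudY", "CoreBankingVendor"},
    "BankD": {"CloudY"},
    "CSD1": {"CloudX"},
}


def impacted_institutions(node, provider_deps):
    """Institutions unavailable if `node` (institution or provider) fails."""
    if node in provider_deps:          # node is an institution
        return {node}
    return {inst for inst, deps in provider_deps.items() if node in deps}


def function_capacity_loss(failed_institutions, function_shares):
    """Fraction of each critical function's capacity lost when the given institutions are down."""
    return {
        fn: sum(share for inst, share in shares.items() if inst in failed_institutions)
        for fn, shares in function_shares.items()
    }


def rank_nodes(function_shares, provider_deps, tolerance):
    """Rank nodes by the number of critical functions pushed beyond `tolerance`.

    Returns a list of (node, (disrupted_functions, loss_by_function)),
    most systemically important first; ties broken by node name.
    """
    providers = set().union(*provider_deps.values())
    nodes = set(provider_deps) | providers
    results = {}
    for node in nodes:
        down = impacted_institutions(node, provider_deps)
        loss = function_capacity_loss(down, function_shares)
        disrupted = sorted(fn for fn, lost in loss.items() if lost > tolerance)
        results[node] = (disrupted, loss)
    return sorted(results.items(), key=lambda kv: (-len(kv[1][0]), kv[0]))


if __name__ == "__main__":
    # Tolerance of 25% capacity loss per function (an assumed threshold).
    for node, (disrupted, loss) in rank_nodes(FUNCTION_SHARES, PROVIDER_DEPS, 0.25):
        print(f"{node:18} disrupted={disrupted} loss={loss}")
```

In this constructed map the shared cloud provider, which appears in no institution's own balance sheet, outranks every individual institution because its outage removes capacity from all three critical functions at once; that concentration is exactly what mapping third-party providers is meant to surface. The tolerance is the policy input: lowering it lengthens the list of disrupted functions and so changes which nodes count as systemically important.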

The ESRB intends to explore a monitoring and analytical framework for systemic cyber risk and required tools to address this risk in its future work. In doing so, it could provide advice for the legislative review of the EU macroprudential framework, as requested by the European Commission.

The need for a pan-European cyber incident coordination framework

Early coordination and communication in the event of a cyber incident that has the potential to become systemic can assist in ensuring the early detection of such an incident, maintain confidence in the financial system and limit contagion effects on other financial institutions, thus preventing the incident from becoming systemic. Against this background, the ESRB (2020) highlighted the importance of rapid and effective communication and coordination between authorities. To reduce the time required to resolve an impending crisis, the implications of a cyber incident for financial stability need to be understood quickly. Aside from financial aspects, the overall risk assessment must include the scale and impact of operational disruption, as this may influence the choice of (macroprudential) tools. Likewise, financial stability may also influence the choice of operational mitigants by cyber experts.

Communication and coordination between (financial) authorities in the event of a systemic cyber crisis can become complex. The financial authority universe is composed of microprudential and macroprudential supervisors, oversight authorities and central banks, which differ in their mandates and geographical and sectoral focus. This heterogeneity among financial authorities, together with the complexity, interconnectedness and cross-border nature of the financial sector itself (including different existing crisis-management frameworks), could hamper communication and coordination efforts in the event of a systemic cyber crisis. Challenges in communication and coordination during a systemic cyber crisis are likely to occur at a time when a swift and coordinated reaction is needed to ensure effective crisis management, and uncertainty will likely be pervasive.

Financial authorities need to be prepared to interact with other (financial) authorities to manage a cyber incident. In the event of a systemic cyber crisis, crisis-management protocols at national and European levels will likely be triggered. For cyber authorities, these protocols will seek to support the resolution of the technical aspects of the cyber incident itself. For financial authorities, which need to deal with the economic consequences of a cyber incident for the financial system, it is about managing the impact on financial stability caused by the disruption to financial services. In addition, financial authorities need to coordinate with others, including cyber authorities, to ensure that their responses consider the different facets of a systemic cyber crisis. Such orchestration needs close and swift coordination and open communication between financial authorities themselves and with cyber authorities in order to, inter alia, build situational awareness.

To mitigate the risk of a coordination failure, financial authorities need to increase their level of preparedness for a systemic cyber crisis by enhancing their communication and coordination capabilities at EU level. Financial authorities’ preparedness goes beyond information sharing. It also requires a coherent (but not necessarily standardised) plan for information sharing, incident communication and external communication as well as a collective and consistent response to systemic cyber incidents.

A balance needs to be reached between agility and consistency: some jurisdictions, for example, may experience unusual consequences, thereby requiring novel and innovative action in response. However, any agile approach calls for close coordination to ensure that all required financial authorities are involved.

While several initiatives on cyber risk exist at EU level, none of them covers all financial authorities in the EU. In the context of cyber risk, recent initiatives by the European Commission already foster EU-wide, cross-sector coordination for large-scale cybersecurity incidents to increase response effectiveness. These include the European Commission blueprint on coordinated response to large-scale cybersecurity incidents and crises (Commission blueprint) published in 2017 and the establishment of a Joint Cyber Unit (JCU).

A comparable level of coordination is required from financial authorities that will enable them to define and operationalise a rapid response to address the financial consequences of a major cyber incident. Moreover, it would assist effective interaction with cyber authorities regarding their response, which may likewise have repercussions for financial stability. In this context, the DORA proposal requests that financial authorities develop crisis-management and communication channels to enable an effective and coordinated response at EU level in the event of a major cyber incident.

A pan-European systemic cyber incident coordination framework (EU-SCICF) for European financial authorities would increase their level of preparedness for managing the impact of a cyber incident on the financial system, thus maintaining financial stability. This framework could be built on one of the envisaged roles of the ESAs under the DORA proposal to gradually enable an effective EU-level coordinated response in the event of a major cross-border ICT-related incident or related threat having a systemic impact on the EU financial sector as a whole. To be effective, a predefined framework needs to be commonly shared, remain sufficiently flexible and provide clear guidance to all authorities involved. In addition, it needs to be tested and practised regularly. Thus, a periodic review and rehearsal should be implemented as well.

An EU-SCICF should enable financial authorities in the EU to coordinate globally. As a significant number of EU financial institutions operate globally, a major cyber incident will likely not be limited to the EU or might be triggered outside the EU. In such cases, it will require global coordination. Therefore, the framework should also offer interfaces, established for example through a Memorandum of Understanding for all framework participants, which enable communication and coordination with frameworks of authorities other than European financial authorities. The framework should facilitate liaison between the authorities that handle the technical aspects of the cyber incident and financial authorities. This would allow the former to also consider financial stability implications, while also helping financial authorities form a proper understanding of the situation and undertake adequate measures to ensure financial stability.

A future EU-SCICF should be designed not to replace existing frameworks but to bridge any coordination and communication gaps between financial authorities themselves, with other sector authorities and with other key actors at international level. As such, it should complement pre-existing coordination and communication protocols. To the extent necessary, the framework should overcome any friction in coordination between financial authorities and seek to ensure an information flow that facilitates a coordinated response to a cyber incident. As the proposed framework has a non-duplication objective, the positioning of the EU-SCICF in the existing financial crisis framework and EU cyber incident framework landscape needs to be considered. One option is to embed the EU-SCICF in the existing financial crisis framework by including preparedness for a systemic cyber crisis as a further objective in financial stability-focused EU frameworks. Another option would be to create a framework with a specific focus on systemic cyber crises. In the latter case, it is important to bear in mind that a situation with many different frameworks could lead to uncertainty and disagreement over which framework to follow.

The paper:

January 2022 - European Systemic Risk Board (ESRB), Mitigating Systemic Cyber Risk.