BIS/IOSCO: Implementation monitoring of the PFMI – Level 3 assessment on financial market infrastructures’ cyber resilience

The report reviews the state of cyber resilience (as of February 2021) at a sample of 37 FMIs from 29 jurisdictions. The report finds a reasonably high adoption of the 2016 guidance on cyber resilience for financial market infrastructures by FMIs. but is concerned that a small number of FMIs are not fully meeting expectations regarding the development of cyber response and recovery plans to meet the two-hour recovery time objective. Other concerns relate to shortcomings in established response and recovery plans; a lack of cyber resilience testing after a significant system change; a lack of comprehensive scenario-based testing; and inadequate involvement of relevant stakeholders in testing of their responses.