ECB Speech on Eurosystem Cyber Resilience Strategy for FMIs


The Director General Market Infrastructure and Payments of the European Central Bank (“ECB“), Marc Bayle de Jessé, gave a speech on the ECB’s views on the regulation of cyber security on November 21, 2017.

In his speech, Mr. Bayle de Jessé provided an overview of the Eurosystem cyber resilience strategy for financial market infrastructures (“FMIs“). The strategy was approved by the ECB’s governing council in March 2017 and is intended to implement the June 2016 joint guidance (Guidance) of the Committee on Payments and Market Infrastructures (“CPMI“) and the International Organization of Securities Commissions (“IOSCO“) on cyber resilience for FMIs.

The strategy is based on three pillars:

  • Pillar 1. Working with financial firms and FMIs to ensure that they build defenses and enhance their level of cyber maturity. The Eurosystem is developing a harmonized approach to assessing payment systems in use in the Eurozone against the CPMI-IOSCO guidance. It is also developing tools for use by FMI operators to enhance their cyber resilience maturity. These tools include a cyber survey, which has been sent by the ECB to all payment systems in the Eurosystem, and a “European Red Team Testing Framework”, which involves testing FMIs’ cyber resilience without prior warning by mimicking the tactics of real cyber attackers.
  • Pillar 2. Strengthening the resilience of the sector. The ECB is working on cross-regulatory collaboration, information sharing, improved threat intelligence, close collaboration with European law enforcement agencies, market-wide exercises based on cyberattack scenarios, and a deeper understanding of third parties and the supply chain.In particular, the ECB is developing an analytical framework and methodology for sector mapping with the aim of producing sector and network maps that will be used to understand key risk areas and improved crisis communication procedures. The ECB also calls for cross-authority collaboration to be enhanced to ensure that authorities have a similar approach and focus on cyber resilience and for the efficient sharing of information on threats by market participants and regulators.

Pillar 3. Establishing strategic dialogue between the industry and regulators. The ECB is in the process of establishing the Euro Cyber Resilience Board. The aim of this board is to provide a forum that brings together market participants, competent authorities and cyber-security service providers. The aim of the Forum is to raise awareness and catalyze joint initiatives for developing effective solutions for the market, as well as sharing best practices and fostering trust and collaboration.