New CPMI report claims that restoring payment systems after disruptive cyber-attacks could involve compromising analysis of incidents

In the event of a cyber-attack what should be a business’ main priority? Should the enterprise prioritise restoring services or should it concentrate its efforts on reporting the cyber-breach? Well, that’s the dilemma faced by many businesses in the financial markets. But which priority should businesses concentrate their resources on? Well, according to a Committee on Payments and Market Infrastructures (CPMI) report, operators of systemically important payment systems and other financial market infrastructures might need to forgo detailed analysis of cyber-attacks if they want to restore critical services to operational functionality within two hours.

The CPMI is a standard-setting body in the global payments market and acts as a forum for central banks from around the world to cooperate on ‘oversight, policy and operational matters’. In 2012, in its previous incarnation as the Committee on Payment and Settlement Systems (CPSS), it set out, together with the technical committee of the International Organisation of Securities Commissions, the principles which financial market infrastructures (FMIs) should adhere to in order to “ensure that the infrastructure supporting global financial markets is robust and thus well placed to withstand financial shocks”.

FMIs include systemically important payment systems, central securities depositories, securities settlement systems and trade repositories. According to the CPMI, the FMI principles are ‘in the process of being implemented in many jurisdictions’. One of the principles requires FMI operators to ‘ensure a high degree of security and operational reliability’ of systems and ‘aim for timely recovery of operations in the event of a wide-scale or major disruption’. In practice, FMI operators’ business continuity plans must ‘be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events’ and also that there can be ‘complete settlement’ of transactions by the end of the day of the disruption, even in the case of extreme circumstances.

However, in its new report, the CPMI acknowledged that, whilst senior managers of FMIs understood and supported the two-hour deadline, operators of FMIs had faced severe challenges and had experienced difficulties in adhering to the two-hour recovery time objective (2h-RTO) in extreme cases of cyber disruption. In such cases it accepted that restoring critical services within two hours of a cyber-attack ‘could involve trade-offs with other aspects of cyber security and resumption’:

“For example, in some cases, ensuring a 2h-RTO may mean that forensic analysis of the attack, needed to preserve the integrity of the evidence collected and to ensure that it can be used effectively in a legal case, cannot be completed as easily or comprehensively as in the case of a long closure of systems. While forensic analysis may be postponed, creating the conditions to perform it post-event is a responsibility that cannot be dismissed,” it said.

So what’s the legal position in such cases? Well, technology and payments law expert John Salman, of Pinsent Masons, said that new cyber security incident and data breach notification rules set to be introduced in the EU should be worded in a way which reflects the overriding need to restore payment systems to working order in the event of a serious and disruptive cyber-attack:

“There remains uncertainty, and in some respects inconsistency, between the draft data protection regulation and network and information security directive, both pieces of EU legislation currently being negotiated, as to when to report cyber breaches and the nature of what is to be reported”, he said.

“While attaining more transparency through security and breach reporting is a positive development, there must be some acknowledgement that it is critical to focus on recovery rather than administration during a cyber-attack scenario and that in some circumstances this may require a change of behaviour or what is required of an organisation.”

The CPMI for its part has said that FMI operators should take the necessary steps to ensure that they can achieve their two-hour or end-of-day recovery time and settlement targets under the FMI principles, even in ‘an extreme cyber event’. In its report the CPMI said one of the measures that could aid recovery times was layered technology, which allows FMI operators to restore some services in the event of an attack because the separation of the underlying systems from one another means that only some of them are compromised:

“The measures necessary are likely to require investments in a combination of prevention, detection and recovery techniques,” the CPMI said. “These three elements, in the context of 2h-RTO, are mutually reinforcing and must be considered jointly.”

“Robustness to integrity attacks is important, as an inability to quickly resume operations in a stable state may cause systemic risk and could potentially be transmitted to the wider financial system. Even if recovery as such is quickly achieved, that does not necessarily imply cyber-resilience. An FMI that manages to resume operations within two hours may simply be recovering to the vulnerable state which had permitted the attack to succeed in the first place.”

“With layered technology, it may in some instances be possible to partially resume services – that is, to recover some functionality while still remediating other compromised system components. In the event that intraday recovery of critical components is not possible, many FMIs could extend operating hours beyond the normal end-of-day, on a case by case basis, taking into account linked systems and interdependencies,” it said.

If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].