NOVEMBER 2024

Financial Market Infrastructures (FMIs), like payment systems, provide a good example of the need for operational resilience. A malfunction of a payment system can create contagion across its network. For wholesale payments, which are typically of high amounts and urgency, it can create liquidity risks for the receiving bank or jeopardize the functioning of other connected FMIs. For retail payments, a disruption may leave a customer unable to pay a merchant and receive the purchased goods.

Operational resilience has traditionally been a key oversight requirement for FMIs. The basis for operational resilience is a sound ICT infrastructure, including systems and communication networks that use robust, mature, and tried-and-tested technology. But even if a sound ICT infrastructure is in place, a disruption may still occur, for instance due to external events that an organisation has no control over, like natural disasters, geopolitical events, power outages, strikes and pandemics: all events that we have unfortunately witnessed in recent years. For such events, business continuity and contingency plans, accompanied by clear crisis management and communication plans, come to the fore. All this also extends to any third-party provider that can be a source of operational risk. An organisation thus needs to pay attention to robust third-party risk management, including due diligence before contracting with the third party and closely managing the relationship based on service level agreements, reporting requirements and the ability to obtain assurances such as audits. A specific aspect of third-party management that has arisen in the recent past is supply chain risk. Third parties themselves may outsource services to other parties as well (4th- and 5th-party relations), in line with the saying that a chain is only as strong as its weakest link.
To give an example, cyber-attackers may target third parties or providers in the supply chain, given that this could impact a multiplicity of other organisations or that the supply chain could be leveraged to attack the organisations that use it. Cyber-attacks are challenging in many ways: they can originate from anywhere, target anyone and have multiple motivations. They may aim at disrupting services, stealing data or financial gain, or a combination thereof. Attackers are becoming more advanced by learning and employing new tactics and techniques, new technologies and malicious "as a Service" offerings. One particular increasing threat is ransomware. During a ransomware attack, the attacker accesses a system, steals data, and makes the data unavailable through encryption. In turn, the attacker offers to decrypt the data and not publish it if a ransom is paid. The ransom is usually to be paid in crypto assets.

Coming back to the example of FMIs, specific cyber resilience standards and sector-wide initiatives have been developed that can also serve as inspiration beyond that sector. Some main examples are: first, a European framework for threat intelligence-based ethical red-teaming (TIBER-EU). Its aim is to test the cyber resilience of an organisation by running a controlled cyber-attack. The framework defines the interaction between the organisation to be tested, the authorities, and the threat intelligence and red-team providers. The framework is also reflected as a main tool for cyber resilience in the EU's Digital Operational Resilience Act (DORA). Second, the Cyber Information and Intelligence Sharing Initiative (CIISI-EU) enables the sharing of information about cyber threats, using collective expertise and experience to identify, assess and manage them.
Third, and likely the starting point, an all-encompassing strategy was developed, composed of tools at three levels to increase resilience: first, for the single FMI (like the TIBER tests or resilience expectations); second, for the sector of all FMIs (like CIISI or sector-wide exercises around an operational scenario); and third, a forum to exchange views on and steer cyber resilience across public and private entities at C-level. While this strategy was initiated at the central bank level for a regulated sector, several of its tools are optional and agnostic by design, i.e., they can generally be adopted by other firms and other sectors and serve as very concrete inspiration.

Looking forward, the trend of digitalisation will continue, bringing manifold benefits and opportunities. Interconnections and reliance on third parties and new technologies will keep growing in parallel. Properly understanding and managing the related risks, in particular third-party and cyber risks, will be an essential activity. An operational event, whether a cyber-attack or another event, is a tail event: it has a low (though increasing) likelihood and high impact, and it can occur at any time without warning. Even if no incident occurs, which is what one hopes for, an organisation will need to withstand the temptation to reduce resilience efforts and save costs. It is the responsibility of each firm, whether regulated or not, to pursue the ever-evolving goal of resilience. While digitalisation and operational risks may still be mentioned in the same breath, operational risk mitigation will support reaping the benefits of digitalisation.