By Rasmeet Kohli
Securities market regulators around the world face a significant challenge in controlling cyberattacks which pose a systemic risk to the international financial system. A two-pronged approach to tackle this issue involves implementing a set of controls for listed companies, and for market infrastructure institutions such as clearing corporations and depositories along with associated market intermediaries.
The International Organisation of Securities Commission (IOSCO) and Bank of International Settlement’s Committee on Payments and Market Infrastructure (CPMI) in its 24 PFMIs (Principles for financial market infrastructures) have prescribed an evolving cyber resilient framework for financial market infrastructures (FMIs) i.e. clearing corporations, depositories. These FMIs have been urged to “identify cyber threats, gather threat intelligence, and establish metrics for assessing cyber resilience maturity against a predefined criteria”. A recent cyber-resilience evaluation of 37 global FMIs highlights four pressing concerns. First, there are shortcomings in established response and recovery plans to meet the 2hRTO (two-hour recovery time objective) standard under extreme cyber-attack scenarios. [2hRTO refers to the recovery time after any cyber disruption and is prescribed as a quantitative PFMI disclosure.] Secondly, multiple FMIs were not conducting cyber resilience testing after significant changes. Thirdly, there is lack of comprehensive scenario-based testing. Lastly, there is inadequate involvement of relevant stakeholders i.e. critical service providers and linked FMIs in testing their responses, resumption and recovery plan.
It is relevant to cite here that SEBI has mandated market infrastructure institutions to carry out self-assessments and submit quarterly/annual reports disclosing compliance with these 24 PFMIs which would enhance and uphold international financial stability. However, the current reporting style of PFMI disclosures by the Indian market infrastructure institutions on their websites is of generic nature. For instance, when clearing corporations report about their business continuity plan (BCP), they are merely affirming existence of BCPs aimed at ensuring swift resumption of operations. An analysis of PFMI disclosures by international institutions such as the DTCC, Nasdaq and CME also reveal a similar approach to disclosures mirroring that of Indian market infrastructure institutions.
Nonetheless, it is crucial for market infrastructure institutions to graduate towards a more detailed and granular level of disclosures when reporting to regulators. For instance, clearing corporations and depositories should report in detail about cyberattack encountered (if any) and how it successfully recovered/resumed operations. Thereafter, the regulator could think of disseminating this information to the public maintaining anonymity of the concerned entity. The MIIs should own up to any gaps regarding the 2hRTO and utilize concrete, tangible metrics for explicit reporting. Currently, MIIs are not reporting any information (even if it is nil) pertaining to the ‘2hRTO’ metric on their websites. Needless to mention, the information which is detrimental to national security and public safety can be reported to the regulator and the National Critical Information Infrastructure Protection Centre (NCIIPC). SEBI has extant guidelines to bolster the cyber-resilience framework of MIIs.
Another critical element is the cyberthreat faced by listed companies. The US Securities and Exchange Commission (SEC) has introduced a rule mandating public companies to disclose “material” cyber security incidents and their risk management strategies to the SEC within four business days of discovery. Materiality as defined by US Supreme Court is “substantial likelihood that a reasonable investor would consider it important”. The SEC has not used a quantifiable trigger for material cybersecurity incidents because some cybersecurity incidents may be material yet not cross a particular financial threshold. For example, a cybersecurity incident that results in theft of information may not be deemed material based on quantitative financial measures alone. It could be important based on the impact it has on the company regarding the extent or nature of harm to its customers, individuals or other. Thus, disclosures are important. According to these rules, disclosures may be delayed if deemed detrimental to national security/public safety by the US attorney general. Other noteworthy details, although not mandatory, include reporting by companies on board proficiency in understanding cyber risk management. Furthermore, the SEC has also issued interpretative guidance pertaining to insider trading prohibitions in context of cybersecurity.
“Material” cybersecurity incident is the most discussed topic in US securities market and has led to stakeholder consultations for finding best ways to address the issue of cybersecurity and formulating standard operating procedures. Undoubtedly, information about company’s cybersecurity posture aids informed investment decisions.
SEBI mandates listed entities to disclose details of cybersecurity incidents, breaches or loss of data. However, key takeaways from the new US rule could be aspects such as “materiality”, “reduced timeline for reporting cyberattacks” and “application of insider trading prohibitions in context of cybersecurity”. Another add-on could be to encourage the company boards to include individuals knowledgeable about cyber-risk management and allocate additional resources to mitigate cyber security-threats. Indian regulator could perhaps think of including these aspects in its cyber-resilience framework.
(Author is working with the National Institute of Securities Markets. Views expressed in this article are of the author and do not necessarily reflect the official position or policy of the Outlook Media group or its employees.)
