Committee on Payments and Market Infrastructures
Board of the International Organization of Securities Commissions

Consultative report

Guidance on cyber resilience for financial market infrastructures

November 2015

This publication is available on the BIS website (www.bis.org) and the IOSCO website (www.iosco.org).

© Bank for International Settlements and International Organization of Securities Commissions 2015. All rights reserved. Brief excerpts may be reproduced or translated provided the source is stated.

ISBN 978-92-9197-288-3 (online)

CPMI-IOSCO – Guidance on cyber resilience for financial market infrastructures – Consultative report – November 2015 iii

Contents

Executive summary .... 1
1. Introduction .... 4
1.1 Purpose of the guidance .... 4
1.2 Design and organisation of the guidance .... 6
1.3 Expected usage .... 7
2. Governance .... 9
2.1 Preamble .... 9
2.2 Cyber resilience strategy and framework .... 9
2.3 Role of the board and senior management .... 10
3. Identification .... 11
3.1 Preamble .... 11
3.2 Identification and classification .... 11
3.3 Interconnections .... 11
4. Protection .... 12
4.1 Preamble .... 12
4.2 Protection of processes and assets .... 12
4.3 Interconnections .... 13
4.4 Insider threats .... 13
4.5 Training .... 14
5. Detection .... 15
5.1 Preamble .... 15
5.2 Detecting an attack .... 15
6. Response and recovery .... 16
6.1 Preamble .... 16
6.2 Incident response, resumption and recovery ....