Last November, 2022 the Bank for International Settlements (BIS) and the International Organization of Securities Commissions (IOSCO) published their Level 3 assessment of cyber resilience on 37 Financial Market Infrastructures (FMIs) from 29 jurisdictions.

This report raised issues of concern relating to cyber response and recovery plans, as well as resilience planning and testing:

1. The first serious issue of concern relates to principle 17 (operational risk), key consideration 6 that states an FMI’s business continuity plan should be designed to ensure that critical information technology systems resume operations within two hours following disruptive events. The assessment found that a small number of FMIs had not developed their cyber response and recovery plans to meet this recovery time objective.

2. In addition, another small number of FMIs with established plans were not able to meet the two-hour window under extreme attack scenarios

3. Furthermore, a number of FMIs are not conducting cyber resilience testing after a significant systems change. Such testing would include backup data integrity, vulnerability assessments and penetration testing

4. Multiple FMIs may not be conducting comprehensive scenario-based testing

5. Some FMIs did not include external parties such as critical service providers

The report also provides nine observations concerning practices, metrics and testing.