Getting cyber-resilience right matters. In July 2018, we published our analysis on the European Central Bank’s (ECB) first foray into setting its expectations on cyber-resilience. In September, it finalized the TIBER-EU Framework on ethical red teaming by setting out standards that firms ought to meet in selecting eligible providers of recognized TIBER tests. All of this marked a “crossing of the Rubicon” for the ECB, acting in its central banking and financial stability role as opposed to its financial regulatory and supervisory role at the head of the Banking Union’s Single Supervisory Mechanism (SSM) – which itself continues to treat cyber-resilience as a key supervisory priority for 2019 and beyond. The ECB continued its work on cyber-resilience on December 3, 2018 by publishing its Cyber-Resilience Oversight Expectations (the CROE) for financial market infrastructures (FMI).
The 2018 CROE replaces the 2016 version, and it does so to considerable effect. It sets very comprehensive and prescriptive expectations that, across its 62 pages, translate into in-scope entities needing to consider on-going risk assessments, introducing more detailed compliance and governance…