Clearing houses must be able to recover from hacking in 2 hours

(Reuters) — Clearing houses and payment systems must show by June 2017 how their core operations would recover within two hours from a cyber attack, regulators said Wednesday in their first global financial sector guidelines for tackling hackers.

Central banks and other regulators worry that hackers can freeze often interlinked payment and clearing systems to undermine financial stability.

Mary Jo White, chair of the U.S. Securities and Exchange Commission — one of the watchdogs behind the new guidelines — told Reuters in May that cyber security is the biggest risk facing the financial system.

"This is a landmark report for the financial industry," Benoit Coeure, chairman of the Committee on Payments and Market Infrastructures, said as CMPI published its final guidelines in a report. "Financial market infrastructures (FMI) should take action immediately to implement its recommendations."

The aim is to make sure that responsibility for cyber defense rests in the board room and not in the IT department.

The guidelines from CPMI, a global central bank panel, and IOSCO, an umbrella group for securities regulators, say core functions of payment systems, trade repositories, and clearing and settlement houses must be able to recover quickly from a cyber attack.

The guidelines, based on proposals made in 2014, will also be implemented by SWIFT, the global messaging network used by banks even though it is not formally an FMI.

FMIs are the "plumbing" of the financial system, linking major players like exchanges, banks and brokers.

"An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption," the guidelines say.

"FMIs should also plan for scenarios in which the resumption objective is not achieved," the guidelines stipulate.

FMIs must have concrete plans to meet the two-hour time limit in place for regulators by June 2017.

Draft proposals in 2014 had implied this two-hour requirement would come into effect when the final guidelines are published. All other aspects of the guidelines come into effect immediately.

FMIs must also be able to identify the status of all transactions and positions of members at the time of a disruption in a timely manner.

Aware that defenses are only as strong as the weakest link, the guidelines also emphasize the need for building up resilience to hackers collectively.