Global financial market infrastructure (FMI) companies' strong ratings reflect their robust strategic positioning, high margins and cashflow generation, and track record of strong risk management. In their position at the heart of national and global financial markets, their smooth operation is critical to global financial system stability.

Weak operational resilience--that is, institutions' ability to prevent, respond to, recover, and adapt to disruption--could undermine FMIs' smooth functioning and dent stakeholders' trust in them. Under extreme circumstances, their franchises and therefore their ratings might also become more vulnerable. We note, for example, that persistent events have affected ratings in the recent past (see ASX Ltd. 'AA-/A-1+' Ratings Affirmed Despite Governance Weaknesses; Outlook Stable, published April 6, 2023). To this end, we believe that cyber and other operational risks can test FMIs' resilience, and so are among the most significant risks that the industry faces.

Cyber-attacks are becoming ever more frequent and complex. With that, they pose an increasingly high-profile concern across corporate sectors. FMIs are no exception to this, though we believe that cyber risk should be viewed in the broader context of their operational resilience. FMIs' capacity to monitor, maintain, and resume their services, regardless of the source of disruption, is an essential competency and one that their regulators and customers monitor closely. In fact, among the many potential operational risk events--of which cyber-attacks are just one--service outages are by far the most prevalent risk. While our strong ratings on global FMIs acknowledge their solid foundations and track record of operational resilience, a material weakening in the effectiveness of their risk management--whether from long-term underinvestment or serious and sustained operational risk and cyber events--could undermine FMI ratings.

Chart 1

FMIs run essential market infrastructure that demands their resilience to operational disruption. They also deliver a host of data and analytics solutions that are essential to their clients' business needs. Furthermore, the industry's delivery of new products and services, adoption of new technologies, and habit of acquisitive growth mean that most FMIs are in a perpetual cycle of operational change. In this way, operational disruption could pose systemic consequences for FMIs.

We see operational resilience as an essential discipline for FMIs. It enables them to serve their customers through volatile market conditions, adapt to evolution in the markets they serve, and meet growing regulatory demands. Delivering operational resilience is not straightforward for the industry, though. If we look across a range of essential disciplines, as outlined in chart 1 above, the dynamic and complex nature of FMIs means that they face a significant challenge to constantly monitor and manage their resilience.

Cyber Risk Management Is An Important Discipline

We view cyber risk as a cornerstone of FMIs' operational resilience. Managing cyber risk and investing in cyber defence are therefore essential. The cyber threat landscape continues to evolve rapidly as technological innovation and global geo-political volatility persist and financial institutions, like FMIs, are prominent targets. Indeed, the profitability of the industry, the vast amounts and sensitivity of customer information and data they process, the systemic implications of their failure, and their international prominence make them a clear target for a range of malicious actors. Data from Guidewire suggests that the motivation to target FMIs is higher than for typical financial institutions and corporates given their prominence and size (see chart 2). In addition, FMIs are among the most difficult institutions to defend given their complex networks and extensive digital footprints. They are also likely to be targeted by sophisticated state actors whose motives are often political rather than financial. The sum of these risks leaves their overall Guidewire scoring in line with that of the world's largest banks (see chart 3).

Chart 2

Chart 3

This creates a threat environment that requires a strong response from FMIs as they confront diverse risks. Like other corporates, FMIs face standard cyber infiltration and disruption techniques like spear/phishing, or DDoS attacks and ransomware across their technological infrastructure. More unique are FMIs' trading systems, which they often run as part of closed systems connected by private lines, where access by malicious actors is incredibly difficult. That said, the ancillary services that support trading services, like regulatory announcement platforms, can operate outside of the closed trading infrastructure, and their disruption affects the operability of a market even as the market technology itself remains resilient. Many FMIs we rate must confront all these risks as they run exchanges, post trade businesses, and data and analytics feeds.

We generally view the response of rated FMIs to these diverse challenges as effective. Investment in protection and surveillance is high; a cadence of testing and learning is common practice; technological and cyber hygiene is embedded in firms; and overarching governance regimes are mature. Between themselves, firms cooperate closely on cyber risk insights, liaise with intelligence-sharing networks, and are subject to attentive regulatory scrutiny. Nonetheless, the industry has not been immune to attacks, though no high-profile event has occurred among our rated peer set to date. Most prominently, NZX, New Zealand's main cash equities, derivatives, and commodities trading platform, was the victim of a distributed denial of service attack in August 2020 that led to a four-day outage for its main exchange.

Chart 4

Though exceptional, we see NZX as a cautionary tale for the industry. FMIs are an important target for sophisticated actors, and failure to prioritize cyber resilience in a difficult and evolving risk environment can lead to major events. Cyber risk can acutely test the strategic and operational foundations of FMIs in the medium term, and, where weak governance is exposed, could lead to rating actions in the short term. Indeed, since NZX, the ION Cleared Derivatives attack in February 2023 further highlighted the deep industry disruption that can occur if third-party services are interrupted or compromised. Similarly, the six-hour outage of the Bank of England's CHAPS real-time gross settlement system on August 14, the first major outage since 2014, left U.K. banks unable to make large payments between them. This highlights the generally good reliability of financial infrastructure, but also the scale of disruption to domestic and global markets when it fails. It's this disruption that can undermine the trust placed in FMIs and affect their ratings.

Operational Risk Events Are Common For The Industry

While cyber risk events can be acute, if infrequent, tests of the FMI industry's foundations, its history of operational risk events and failures is far more chronic (see chart 5). Looking back to 2010, our sample of outages totals around 30, with the length of system downtime ranging from an hour to four days and affecting many of the leading institutions in this global sector. Most of the events have not directly affected the standing of the institutions where they occurred, though some have led to regulatory investigations, costly remediation and fines, and even the resignation of senior management.

Chart 5

In addition to the individual events themselves, we see a cadence of regular service outages as a pronounced medium-term threat to ratings in the industry. For example, ASX's steady pattern of operational failures between 2021 and 2023 led us to revise our view of the group's management and governance. And the downside scenario in our stable outlook now states that if these operational shortcomings dilute the group's franchise and earnings, we could lower our ratings. By contrast, while the settlement suspensions at Euroclear UK and Ireland after failures in the CREST system were notable in 2021 and 2022, we do not yet think they represent a meaningful trend for the Euroclear group. Outages have also risen at global clearing houses (CCPs) in the past 12 months as per the recent CPMI IOSCO disclosure--although CCPs have more flexibility in their settlement cycle than an exchange, so even if they are unable to return to service within their two-hour objective, the spillover effects on market stability are more limited.

Risk Events Have Yet To Spark Sustained Franchise Deterioration

Against a backdrop of rising cyber risk and a steady accumulation of operational risk events, we have yet to see difficulties in operational resilience affecting FMIs' well-rooted strategic positions. Indeed, NZX shows how hard it is to replace essential market infrastructure, even after acute failures--the exchange remains the dominant player in New Zealand. Even so, we continue to see operational resilience failings that bleed into strategic franchises as a meaningful risk to ratings. Of the 22 FMIs we rate, we consider 17 to have "strong" or "excellent" business risk profiles, with most of the remainder no lower than "satisfactory". These assessments tend to correlate with comfortable investment-grade ratings (even moderately leveraged players have 'A' grade ratings, and many are in the 'AA' grade). As such, any failings that weaken franchises or increase financial risk could materially alter ratings--most likely because of a sustained erosion in customer confidence and/or policymaker or regulatory intervention. When franchise deterioration is layered on top of adjustments to ratings that account for risk management and governance faults, which would likely precede a sustained erosion in confidence, operational resilience failings could lead to multiple notch downgrades.

Steepening Regulatory Scrutiny Has Shaped FMI Preparedness

Policymakers have helped to shape the industry's approach to operational resilience. The Bank for International Settlements' Committee on Payments and Market Infrastructures (CPMI) has provided a set of principles on building cyber resilience. This framework aligns with the industry standard expectation for a two-hour recovery time objective (RTO) in the event of an outage to a critical service, regardless of cause. In fact, in December 2022 the CPMI called out the lack of planning for a two-hour RTO in the event of a cyber-attack as a material risk to FMI resilience. It singled out a subset of FMIs as being notably deficient in this respect and encouraged local regulators to act to ensure appropriate RTO planning is in place. As this shows, while the CPMI lays out policy frameworks, it is up to local regulators to design and implement binding regulations. To this end, the Bank of England has extended its policy on operational resilience to central counterparties and central securities depositories, the Fed has laid out resilience expectations as part of its operational risk framework, and the European Central Bank has a clear cyber mandate for the industry.

FMIs are technology-centred businesses, and are evolving to incorporate tools, like cloud-hosted services, that will form the basis of the financial ecosystem over the long term. While these services can provide increased operational capacity, adaptability, and cyber security, they also create a critical reliance on third-party providers. To this end, green shoots of heightened regulation of unregulated third-party service providers are emerging. For example, DORA in the EU and parallel "critical third party" legislation in the U.K. should enhance regulatory oversight of providers--primarily cloud services though this will likely widen in time to incorporate a host of service industries. This should support FMIs' operational resilience but will continue to increase the burden of regulation.

Operational Resilience Will Remain Crucial

We expect that the increasing regulatory scrutiny will support FMIs' existing strategic focus on and investment in operational resilience. Indeed, the industry's attention has notably shifted to resilient infrastructure in recent years after a long-running emphasis on and heavy investment in ultra-low latency capacity. To this end, given that the industry is highly cash-generative most players have the financial resources to build their resilience if they can deploy resources effectively. We believe that rated FMIs are already reaping the benefits of efforts to reinforce their operational resilience. We see this, for example, in their capacity to handle the huge surges in trading volumes in 2020 and 2022, the seemingly reduced rate and severity of operational outages in recent years, and a solid track record on cyber risk. Nevertheless, as the technological environment and FMIs' own strategies continue to evolve, operational resilience will remain crucial.

Related Research

• Australian Mutual Lenders: Path Of Least Resistance May Lead To Higher Cyber Risk, Aug. 29, 2023
• Cyber Risk Insights: European Banks' IT Complexity Amplifies Risk, March 23, 2023
• Cyber Risk Insights: Navigating Digital Disruption, Feb. 22, 2023
• Key Rating Metrics For Global Financial Market Infrastructure Companies (July 2023), July 6, 2023
• FMIs To Ride Out Economic Gloom Amid Financial Stability Risks, Says Report, Jan. 31, 2023