Daily transfers in the Danish financial system average almost kr. 600 billion. This corresponds to more than a quarter of Denmark's GDP. To ensure correct and timely settlement of these transactions, the financial sector uses complex IT systems and is interconnected via data centres and payment and settlement systems. Sector participants must safeguard their own systems, but there is also a need for a concerted and coordinated effort to ensure that the overall financial system is resilient to operational risks, including cyber risks, which constitute a special type of operational risk.
Danmarks Nationalbank put operational risks and cyber risks on the agenda of the Systemic Risk Council in December 2015, and at follow-up discussions with the financial sector there was broad agreement that formalised sector collaboration in this area was required. Consequently, Danmarks Nationalbank set up the Financial Sector forum for Operational Resilience (FSOR) aiming to increase operational resilience, including cyber resilience, in Denmark.
The FSOR is a forum for collaboration between authorities and key financial sector participants. Danmarks Nationalbank chairs and acts as secretariat of the FSOR.
The FSOR's vision is that the Danish financial sector should be best in class in Europe when it comes to countering the threat from cybercrime, so that it:
- continues to provide a secure and efficient infrastructure, and
- supports the Danes' continued trust in the digital solutions of the Danish financial sector.
The tasks of the FSOR are to:
- ensure a common overview of operational risks that may have a cross-sector impact and that could potentially pose a threat to financial stability in Denmark,
- decide on and ensure implementation of joint measures to ensure financial sector resilience to major operational incidents, including cyberattacks,
- create a framework for collaboration and information sharing – within the sector, between different sectors and internationally.
The FSOR held its first meeting in June 2016. Since then, the following initiatives have been carried out:
- A cross-sector crisis response has been established to manage serious operational incidents, including cyberattacks.
- A cyber stress test of the cross-sector crisis response plans has been conducted.
- Critical participants and core functionality have been identified. The infrastructure has been mapped and mapping of interdependencies between the various participants has begun.
- Danmarks Nationalbank and the Danish Financial Supervisory Authority have mapped the cyber resilience capability of key participants in relation to cyberattacks.