Perspectives 2019 2020 Public Sector

Citi Perspectives

Key themes from Citi’s Africa Exercise (continued)

• Decision-Making for All Needs Work
—— Responses were sometimes slow and uncertain. Confidence and decision-making ability started to really break down as the event became cross-border and cross-sectoral.
—— At a domestic level, participants recognized much value in identifying a single umbrella organization to help coordinate responses by sharing threat intelligence, responses, and changes in the market and risk to the market.
—— More discussions were called for regarding what triggers should exist regarding central bank intervention in a cyber event.
—— There was a recognized need for a “rapid-response unit” at strategic CEO and CRO levels (i.e., how do they all get on a call and ensure proper understanding of business impacts?).

• Systemic risk
—— The participants were in agreement that cyber-related risks/events could easily escalate into a full/system-wide crisis if not well managed by all the relevant stakeholders in a quick and timely manner (as a result of panic, reputation damage, or loss of confidence in the financial system).
—— Tension/fine balance between taking action to save your firm (but risk market stability) vs. taking action to protect market stability (risking individual stability); need more discussion on individual vs. collective market actions in a cyber event — and there is a need for clear regulatory guidance on this and their expectations (at a multi-country level).
—— Scope of impact could extend to the capital market and impact settlement done via the financial market. Given a cyber event is likely a multiple-day event, public and private sectors need to consider the T+2 impacts.
—— Views that existing liquidity back-stop arrangements and similar initiatives on reaching out to a pre-agreed partner bank in case of a need for liquidity or injection of funds will not work in a cyber event, as they were not designed with a cyber-attack in mind.
—— The longer-term trade-offs require further discussion and exploration from a systemic perspective and if short-term containment had been prioritized (possibly appropriately).
—— Clarity is required on who provides assurance to the market that the systems of the impacted bank(s) are operational with integrity — how do you know you have recovered from a cyber-event? Who provides the attestation? What do you trust/take comfort from? Timeframe for this can be months.
