Cyber threats to securities markets are a potentially systemic risk, according to a joint staff working paper published by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE).

The report points out that certain types of cyber-crime constitute more than an ‘IT issue’ or simple extension of financial crime. While cyber-crime in securities markets has not had systemic impacts so far, it is rapidly evolving in terms of actors, motives, complexity and frequency.

The number of high-profile and critical ‘hits’ is also increasing. The report warns that underestimating the severity of this emerging risk may leave securities markets open to a black swan event.

On the other hand, efforts to neutralize cyber-crime in securities markets can be assisted through high levels of awareness and a concerted cross-border, cross-sectoral, collaborative approach.

The report also provides the results of a survey of the world's exchanges. The survey explores the experiences of exchanges in dealing with cyber-crime and their perceptions of the risk. The focus on exchanges is not due to any perceived or particular vulnerability. The survey is intended as part of a series of surveys exploring the experiences of different groups of securities market actors.

The poll revealed that a significant number of exchanges are already under attack, with 53% suffering an attack in the last year. Attacks tend to be disruptive in nature, rather than motivated by financial gain.

This distinguishes these cyber-crimes from traditional crimes in the financial sector such as fraud and theft.

So far, cyber-attacks on stock exchanges have focused on non-trading related online services and websites and have not come close to knocking out critical systems or trading platforms. Importantly, as technology hubs housing advanced technological capabilities, exchanges are well aware of the cyber threat and prepared to prevent and respond.

Some 93% of respondents have disaster recovery protocols or measures in place to deal with the fall-out of a cyber-attack. All organizations are able to identify a cyber-attack within 48 hours of it occurring. Also, 93% report that cyber-threats are discussed and understood by senior management.

However, some respondents noted that complete security in the face of a widely unknown and rapidly evolving threat is impossible to attain. As such, a vast majority (89%) of stock exchanges agree that cyber-crime in securities markets should be considered a systemic risk. The potential impact could affect confidence and reputation, market integrity and efficiency and financial stability. Therefore, a broader, system-wide response may be needed.

Respondents to the WFE/IOSCO survey suggested a role for IOSCO and securities market regulators in this space. A number of general policy tools and measures were mentioned that could help them better address the cyber-threat in a collaborative way, including:

  • guidance and principles, internal measures and promotion of international security standards/frameworks;
  • a cross-jurisdictional and cross-sector information sharing repository, dedicated monitoring and training centers, information security awareness campaigns and education; and
  • more effective regulation for deterring cyber-criminals.