Cybercrime A Systemic Risk, Say IOSCO & Exchanges
More than half, 53% to be exact, of securities exchanges around the world suffered from a cybercrime attack in the last year. Does this number surprise you? Perhaps given the media coverage you thought it would be higher.
That figure came from a recently published survey in a joint Staff Working Paper by the International Organization of Securities Commissions (IOSCO) Research Department and World Federation of Exchanges. The survey is the first in a series on how cybercrime could impact, and is impacting, securities markets.
The findings should keep market regulators on their toes.
The cybercrimes reported in the survey were said to be disruptive rather than fraudulent (i.e. theft for financial gain), but this doesn’t lessen the blow. The paper suggests the cost of Denial of Service attacks and viruses may already be substantial, with some studies citing damages between $388 billion and $1 trillion, including direct and indirect costs. According to those surveyed, most of the costs came from "dealing with reputational fall-out and trust in the wake of an attack."
It could easily be worse. The volume, sophistication and complexity of cyber attacks are on the rise. Exchanges agree a large-scale attack has the power to drastically impact market efficiency and cause a widespread reaction.
"So far, cyberattacks against the financial system have displayed little capability for global shock, but historic instances may not, in this case, be a sound basis for predicting future safety. Motives, capabilities and vulnerabilities can quickly change as cybercriminals of all stripes rapidly innovate," reads the IOSCO Staff Working Paper. "Thus, it is worth defining whether and under what circumstances cybercrime in securities markets could pose a systemic risk."
Looking for Help
A whopping 89% of surveyed stock exchanges agree that cybercrime in securities markets should be considered a systemic risk. The survey further revealed that 90% of exchanges have an internal plan in place in case of a high-level cyber threat, but they largely recognize it is impossible to guarantee total prevention and protection. In fact, less than half of the large securities exchanges surveyed felt their preventative measures would be sufficient in the face of a coordinated, large-scale cyber attack.
So what can exchanges and other financial firms do to protect themselves?
"Respondents to the WFE/IOSCO survey suggested a role for IOSCO and securities market regulators in this space," explains an IOSCO news release on the paper. "A number of general policy tools and measures were mentioned that could help them better address the cyber threat in a collaborative way, including: guidance and principles, internal measures and promotion of international security standards/frameworks; a cross-jurisdictional and cross-sector information sharing repository, dedicated monitoring and training centers, information security awareness campaigns and education; and more effective regulation for deterring cybercriminals."
"The study increases awareness of cyberattacks and demonstrates that the regulated exchanges are taking necessary measures to make sure the critical systems and trading infrastructures are not affected," says Huseyin Erkan, CEO of the World Federation of Exchanges. "The survey showed that the exchanges are well aware of the issue and of the potential systemic risk but until today there was no impact on market integrity as only non-core systems (eg websites) have been attacked."
More Interesting Findings from the WFE/IOSCO Survey
- Large firms reported more cyber attacks in the last year than their medium-sized peers, which suffered more than smaller firms. Organizations in the Americas reported the most attacks.
- The most common forms of cyber attack are Denial of Service attacks, closely followed by malicious software (viruses). These are considered the most hazardous. Financial theft was not reported, although it is also considered hazardous.
- 93% of all exchanges and 100% of the large exchanges surveyed said cybercrime is generally understood and discussed by senior management.
- 100% of large firms and all Asia Pacific firms surveyed have a formal plan addressing cyber threats, which includes security plans, response procedures, crisis management and recovery plans, etc.
- 70% of exchanges surveyed (72% of larger exchanges and 92% of medium exchanges) report that they share information on attempted or successful cyber attacks with authorities, overseers or regulators.
- 22% of exchanges surveyed have cybercrime insurance or something similar.
---

IOSCO is the leading international policy forum for securities regulators and is recognized as the global standard setter for securities regulation. The organization's membership regulates more than 95% of the world's securities markets in more than 115 jurisdictions and it continues to expand.

WFE is the trade association for the operators of regulated financial exchanges. With 57 members from around the globe, the WFE develops and promotes standards in markets, supporting reform in the regulation of OTC derivatives markets, international cooperation and coordination among regulators. WFE exchanges are home to more than 46,000 listed companies.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...