July 16, 2013

The Research Department of the International Organization of Securities Commissions (IOSCO) today published a joint Staff Working Paper, with the World Federation of Exchanges (WFE), entitled Cyber-crime, securities markets and systemic risk.

The report explores the evolving nature of cyber-crime in securities markets and the threat it poses to the fair and efficient functioning of markets. Importantly, it highlights the urgent need to consider cyber threats to securities markets as a potential systemic risk.

Cyber-crime in securities markets and systemic risk

The first part of the report assesses what is known of the cyber-threat so far. It also presents a framework for monitoring the extent of cyber-crime in securities markets going forward. This is in line with IOSCO´s commitment to identifying emerging risks in a proactive way.

The report also points out that certain types of cyber-crime constitute more than an 'IT issue' or simple extension of financial crime. While cyber-crime in securities markets has not had systemic impacts so far, it is rapidly evolving in terms of actors, motives, complexity and frequency. The number of high-profile and critical 'hits' is also increasing. The report warns that underestimation of the severity of this emerging risk may lay open securities markets to a black swan event.

On the other hand, efforts to neutralise cyber-crime in securities markets can be assisted through high levels of awareness and a concerted cross-border, cross-sectoral, collaborative approach.

A Focus on Exchanges

The second part of the report provides the results of a survey to the world exchanges. The survey explores the experiences of exchanges in dealing with cyber-crime and perceptions of the risk. The focus on exchanges is not due to any perceived or particular vulnerability. The survey is intended as part of a series of surveys exploring the experiences of different groups of securities market actors.

The survey revealed that a significant number of exchanges are already under attack with 53% suffering an attack in the last year. Attacks tend to be disruptive in nature, rather than motivated by financial gain. This distinguishes these cyber-crimes from traditional crimes in the financial sector such as fraud and theft.

So far, cyber-attacks on stock exchanges have focused on non-trading related online services and websites and have not come close to knocking out critical systems or trading platforms.Importantly, as technology hubs housing advanced technological capabilities, exchanges are well aware of the cyber-threat and prepared to prevent and respond. Some 93% of respondents have disaster recovery protocols or measures in place to deal with the fall-out of a cyber-attack. All organisations are able to identify a cyber-attack within 48 hours of it occurring. Also, 93% report that cyber-threats are discussed and understood by senior management.

However, some respondents noted that complete security in the face of a widely unknown and rapidly evolving threat is impossible to attain. As such, a vast majority (89%) of stock exchanges agree that cyber-crime in securities markets should be considered a systemic risk. The potential impact could affect confidence and reputation, market integrity and efficiency and financial stability. Therefore, a broader, system-wide response may be needed.

Respondents to the WFE/IOSCO survey suggested a role for IOSCO and securities market regulators in this space. A number of general policy tools and measures were mentioned that could help them better address the cyber-threat in a collaborative way, including:

  • guidance and principles, internal measures and promotion of international security standards/frameworks;
  • a cross-jurisdictional and cross-sector information sharing repository, dedicated monitoring and training centers, information security awareness campaigns and education;
  • and more effective regulation for deterring cyber-criminals

NOTES FOR EDITORS 

  1. This Staff Working Paper should not be reported as representing the views of IOSCO or the WFE. The views and opinions expressed in this Staff Working Paper are those of the author and do not necessarily reflect the views of the International Organization of Securities Commissions or the World Federation of Exchanges, or its members.
  2. IOSCO is the leading international policy forum for securities regulators and is recognised as the global standard setter for securities regulation.The organisation's membership regulates more than 95% of the world's securities markets in more than 115 jurisdictions and it continues to expand.
  3. WFE is the trade association for the operators of regulated financial exchanges. With 57 members from around the globe, the WFE develops and promotes standards in markets, supporting reform in the regulation of OTC derivatives markets, international cooperation and coordination among regulators. WFE exchanges are home to more than 46,000 listed companies.

Tags: cyber


For more information, please contact:

Cally Billimore
Manager, Communications
Email: [email protected]
Phone: +44 7391 204 007
Twitter: @TheWFE