London, 18 January 2018 – The World Federation of Exchanges ("The WFE"), which represents more than 200 market infrastructure providers including exchanges and CCPs, has today published a set of best practice guidelines for market infrastructures designed to engender a staff culture of cyber security compliance.
The paper takes a behavioural approach to the issue, as evidence shows that moving away from classroom-based refresher sessions and thinking more creatively about how to get staff to consider cyber defences in everything they do is more effective in creating long-term cyber compliance. Applying behavioural insights and 'nudge theory' - brought to prominence by Nobel Economics laureate Dr Richard Thaler with Cass Sunstein* - can be useful to change staff security behaviour. Applying small 'nudges', or offering incentives regularly to staff, leads to greater discussion and awareness of cyber threats which may result in better cultural outcomes.
The best practice guidelines for WFE members to consider when creating a cyber compliance framework include:
- Behavioural incentives
These include focusing on cyber security in the home environment; bringing hackers into the workplace to demonstrate to staff how easily devices can be compromised; linking compensation to compliance; rewards programmes; awareness campaigns; and the use of 'gamification' - making desired security behaviours fun or competitive.
- Cultural incentives
These incentives start with creating a culture of personal responsibility and common sense, relating cyber awareness to personal life, family and home. Other incentives include making cyber security awareness and compliance a Key Performance Indicator (KPI); using language that is simple, jargon-free, creative and graphical; and finally, story-telling, using analogies and anecdotes to explain complicated concepts.
- Operational support
- Training: Ensure training is regular and accessible, particularly for new joiners; always train technical staff on cyber awareness (often the first group targeted in cyber-attacks); and implement a strong password/locked computer screen policy, to create a sense of personal ownership.
- Transparency: Security policies, disaster recovery and post-breach communications plans should be clear and shared with employees; provide a list of approved and restricted websites, services, software and applications.
- Technology: Develop 'bring your own device' guidelines; and deploy software tools that launch test phishing emails.
Nandini Sukumar, CEO, The WFE said: "Exchanges and CCPs spend significant time and money on ensuring the technology that underpins the markets they operate and clear meets - and exceeds - the complicated patchwork of technical standards, rules and regulations they are subject to. Our best practice guidelines show that by making small changes to cyber compliance behaviour, the humans using that technology can become a stronger line of defence against cyber-attacks."
Gavin Hill, Head of Regulatory Affairs, The WFE added: "This set of guidelines is also designed to support future dialogue with regulatory authorities as they continue to consider how best to strengthen the system in response to an ever-increasing degree of sophistication of cyber-criminals."
These principles were compiled by the WFE's dedicated cyber security group (GLEX) of more than 30 information security professionals within global exchange and CCP groups, drawing upon their collective experience of what works, and what has proven to be less effective in approaching staff training and behaviour around cyber security.
You can read the paper here.
* 'Nudge' – Dr Richard Thaler and Cass Sunstein (2008)
- Ends -
About the World Federation of Exchanges (WFE):
Established in 1961, the WFE is the global industry association for exchanges and clearing houses. Headquartered in London, it represents over 200 market infrastructure providers, including standalone CCPs that are not part of exchange groups. Of our members, 41% are in Asia-Pacific, 40% in EMEA and 19% in the Americas. WFE exchanges are home to nearly 45,000 listed companies, and the market capitalisation of these entities is over $67.9 trillion; around $84.18 trillion (EOB) in trading annually passes through the infrastructures WFE members safeguard (at end 2016).
The WFE is the definitive source for exchange-traded statistics, and publishes over 350 market data indicators. Its statistics database stretches back more than 40 years, and provides information and insight into developments on global exchanges.
The WFE works with standard-setters, policy makers, regulators and government organisations around the world to support and promote the development of fair, transparent, stable and efficient markets. WFE shares regulatory authorities' goals of ensuring the safety and soundness of the global financial system, which is critical to enhancing investor and consumer confidence, and promoting economic growth.
The Global Exchange Cyber Security Working Group (the GLEX) was established in December 2013 to connect Information Security leadership amongst the world's leading financial exchanges and CCPs. The primary purpose of the GLEX is to facilitate information sharing. The GLEX is both a conduit for internal communication amongst its members and an externally-facing presence available for relevant third parties needing to address members of the GLEX. It also actively comes together to help shape policy-making through reactive and proactive measures, reaching common consensus positions amongst its members. In April 2017 the WFE – through the GLEX – published a set of cyber resilience standards designed to be used by WFE members, and other market infrastructure providers, to ensure alignment and common minimum standards across the global system. The GLEX meets once annually and also virtually - via teleconference or other facilities - on a quarterly basis. Cyber continues to be one of the WFE's six business priorities for the year ahead.