The report explores the evolving nature of cyber-crime in securities markets and the threat it poses to the fair and efficient functioning of markets. Importantly, it highlights the urgent need to consider cyber threats to securities markets as a potential systemic risk.
Cyber-crime in securities markets and systemic risk
The first part of the report assesses what is known of the cyber-threat so far. It also presents a framework for monitoring the extent of cyber-crime in securities markets going forward. This is in line with IOSCO's commitment to identifying emerging risks in a proactive way.
The report also points out that certain types of cyber-crime constitute more than an ‘IT issue’ or simple extension of financial crime. While cyber-crime in securities markets has not had systemic impacts so far, it is rapidly evolving in terms of actors, motives, complexity and frequency. The number of high-profile and critical ‘hits’ is also increasing. The report warns that underestimation of the severity of this emerging risk may lay open securities markets to a black swan event.
On the other hand, efforts to neutralize cyber-crime in securities markets can be assisted through high levels of awareness and a concerted cross-border, cross-sectoral, collaborative approach.
A Focus on Exchanges
The second part of the report provides the results of a survey of the world's exchanges. The survey explores the experiences of exchanges in dealing with cyber-crime and perceptions of the risk. The focus on exchanges is not due to any perceived or particular vulnerability. The survey is intended as part of a series of surveys exploring the experiences of different groups of securities market actors.
The survey revealed that a significant number of exchanges are already under attack, with 53% suffering an attack in the last year. Attacks tend to be disruptive in nature, rather than motivated by financial gain. This distinguishes these cyber-crimes from traditional crimes in the financial sector such as fraud and theft.
So far, cyber-attacks on stock exchanges have focused on non-trading related online services and websites and have not come close to knocking out critical systems or trading platforms. Importantly, as technology hubs housing advanced technological capabilities, exchanges are well aware of the cyber-threat and prepared to prevent and respond. Some 93% of respondents have disaster recovery protocols or measures in place to deal with the fall-out of a cyber-attack. All organizations are able to identify a cyber-attack within 48 hours of it occurring. Also, 93% report that cyber-threats are discussed and understood by senior management.
However, some respondents noted that complete security in the face of a widely unknown and rapidly evolving threat is impossible to attain. As such, a vast majority (89%) of stock exchanges agree that cyber-crime in securities markets should be considered a systemic risk. The potential impact could affect confidence and reputation, market integrity and efficiency and financial stability. Therefore, a broader, system-wide response may be needed.
Respondents to the WFE/IOSCO survey suggested a role for IOSCO and securities market regulators in this space. A number of general policy tools and measures were mentioned that could help them better address the cyber-threat in a collaborative way, including:
The whitepaper is available without registration by following this link.