Out-Law News | 27 Aug 2014 | 4:27 pm
Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, was commenting as the International Organisation of Securities Commissions (IOSCO) became the latest market regulator to warn of the dangers to financial firms from cyber crime. In an interview with the Financial Times, Greg Medcraft, chair of the IOSCO board, said that regulators were planning to introduce a global 'toolbox' next year that could be used to assess firms' readiness for, and likely resilience to, cyber attacks.
Scanlon said that it would be vital for businesses to get involved in the creation of any global standards or practical tools at an early stage, to ensure that these took into account the impact that "prescriptive rules" could have on businesses.
IOSCO is a forum for international cooperation on regulatory matters affecting the world's securities and futures markets. It is made up of financial regulators from over 100 different countries that together regulate over 90% of the world's securities markets. IOSCO's intervention is the latest in a number of public statements on cyber security issues by financial regulators including the Securities and Exchange Commission in the US, the Bank of England, the Joint Committee of the European Supervisory Authorities and SWIFT, which coordinates payments between financial institutions located across the world.
"It seems that businesses remain unaware of what is expected of them at a number of different stages, from preparatory work to dealing with the aftermath of a security breach," said Scanlon. "IOSCO's focus on the preparatory stage and talk of introducing a global 'toolbox' is an interesting one, and highlights the fact that a problem that is global in nature needs a global solution."
"However, financial services firms need to be involved in the creation of any resulting framework at an early stage. The development of the EU's data protection reform proposals shows what can happen when legislators are not necessarily aware of the impact that prescriptive rules could have on businesses," he said.
Speaking to the Financial Times, Medcraft said that the idea behind a cyber security risk management 'toolbox' was to assess whether firms were managing risks adequately and would be "sufficiently robust" in the event of an attack. He said that the work would "identify risk management standards for detecting and responding to cyber incursions", with a particular focus on firms including broker dealers, fund managers, companies listed on stock markets and the stock markets themselves.
"The issue of cyber resilience is a bit of a sleeper issue, and one that we have to be proactive [about] in terms of making sure the risk management approach is robust," he said. "Cyber crime has a huge potential impact on markets."
Medcraft said that IOSCO would "look at what the Americans have done" in this area already and consider "how [those risk management principles] could translate globally". Feedback the regulator had received from industry in discussions was that there was not "a consistency in approach", he said.
A survey conducted by IOSCO and the World Federation of Exchanges (WFE) last year found that more than half of WFE members had experienced a cyber incident in 2012 and also highlighted growing demand for cyber insurance policies in both the US and Europe. WFE is the trade association for the world's regulated stock exchanges. The "vast majority" of those surveyed also agreed that cyber crime should be considered a "systemic risk" to securities markets, while a number of respondents expressed doubt over the effectiveness of current regulatory regimes.
Earlier this year, the Bank of England began using a voluntary framework to test how well regulated financial institutions were set up to defend against cyber attacks. Its 'CBEST' framework uses intelligence from the government and accredited commercial providers to identify potential attackers of a particular financial institution, and then replicates the techniques these attackers use in order to 'penetration test' the institution's defences.