
Stock exchange cyber attacks aimed at market disruption, rather than financial gain, according to survey

Out-Law News | 22 Jul 2013 | 2:11 pm | 2 min. read

Cyber attacks on global stock exchanges and financial markets are usually designed to disrupt markets, rather than for immediate financial gain, a new report has found.

The report, produced jointly by staff at the International Organisation of Securities Commissions (IOSCO) and World Federation of Exchanges (WFE) (59-page / 2.3MB PDF), found that 53% of exchanges had experienced some form of cyber attack in the last year. These attacks differed from traditional financial sector crimes such as fraud or theft, the report said, and were instead mainly disruptive attacks such as viruses or denial of service attacks.

According to the report, the "vast majority" of stock exchanges agree that cyber crime should be considered a "systemic risk" to securities markets. However, exchanges are "well aware" of the threats: 93% of the respondents to a survey by the report's authors had disaster recovery protocols in place, while the same number said that emerging cyber threats were regularly discussed by senior management. All organisations were able to identify a cyber attack within 48 hours of it occurring, according to the report.

The report was produced as part of an “annual information mining exercise” into systemic and emerging risks in the global securities market, rather than in response to any specific incident, according to its authors. The research showed that cyber attacks had not yet “impacted core systems or market integrity and efficiency”. However, some exchanges surveyed by the report’s authors said that a “large-scale, successful” cyber attack could have the “potential” to do so.

Respondents to the survey said that securities market regulators and trade bodies such as IOSCO should do more to raise awareness of and target cyber crime. Among their suggestions were the creation of guidance, principles and international security standards; a cross-jurisdictional and cross-sector information-sharing mechanism with dedicated monitoring for emerging threats; training and information security awareness campaigns; and more effective regulation to deter potential cyber attackers.

A number of surveyed exchanges expressed doubt over the effectiveness of current regulatory regimes, citing the global nature of the crime as a particular barrier to identifying and prosecuting the perpetrators. Only 59% of respondents said that sanction regimes were in place for cyber crime in their jurisdiction, while only 55% of these said that the current sanction regime was an effective deterrent.

A growing number of companies in the UK financial services sector are expressing concern about risks to cyber security, according to a Bank of England survey published last month. The Bank of England has identified a spike in the number of financial services companies concerned about the risk presented to the UK’s financial system by cyber security threats, up 10 percentage points since the previous survey, in October 2012, it said.

Last year the Department for Business, Innovation and Skills (BIS), the Centre for the Protection of National Infrastructure and UK intelligence agency GCHQ produced joint new guidelines on cyber security. The guidance included ten steps that businesses can take to reduce cyber risks.