The susceptibility of the financial markets to cyber-attack is explored in a staff working paper released last week by the International Origination of Securities Commissions and the World Federation of Exchanges.

To gather unique insights into the cybercrime threat from a securities market perspective, Iosco and WFE conducted a survey of some of the core financial market infrastructures.

A vast majority of respondents (89%) agree that cybercrime in securities marks can be considered a potentially systemic risk.

Cybercrime is already targeting a number of exchanges. Over half of the exchanges surveyed report experiencing a cyber-attack in the last year.

Attacks tend to be disruptive in nature. The most common form of attack reported are Denial of Service attacks and malicious code (viruses). These categories of attack were also reported as the most disruptive.

Financial theft did not figure in any of the responses.

“This suggests a shift in motive for cybercrime in securities markets, away from financial gain and towards more destabilizing aims,” said Rhohini Tendulkar, a member of the Iosco Research Department.

The instances of attacks against exchanges mean that cybercrime is already targeting securities markets’ core infrastructures and providers of essential services. “At this stage, these cyber-attacks have not impacted core systems or market integrity and efficiency,” said Tendulkar. “However, some exchanges surveyed suggest that a large-scale, successful attack may have the potential to do so.”

Last week’s Quantum Dawn 2 exercise held by Sifma provided an opportunity for both individual firms and the sector as a whole to test their response plans in order to maintain effective and orderly markets in the event of a systemic attack.
Over 500 individuals from 50 firms participated in the one-day exercise, which simulated a multi-day period where companies had to contend with three major types of attacks. Firms participated from their own locations to ensure a realistic experience.

“This exercise gave participants the opportunity to run through their crisis response procedures, practice information sharing and refine their protocols relating to a systemic cyber-attack,” said Karl Schimmeck, Sifma’s vice president of financial services operations, upon completion of the Quantum Dawn 2 cyber security exercise. “We look forward to analyzing findings with our members to identify areas for improvement and best practices that will enable firms and the entire sector to better prepare for and defend against cyber threats. We expect an after action report will be available in the next month.”

It’s vital that Congress work quickly to pass legislation that promotes information sharing, updates the criminal penalties associated with cyber-attacks, and provides protections for companies that share information and respond to malicious activity, Schimmeck said.

All exchanges surveyed by Iosco/WFE appear to have in place myriad proactive and reactive defense measures and report that cyber-attacks are generally detected immediately.

However, a small but significant number of exchanges surveyed recognize that 100% security is illusionary, with around a quarter recognizing that current preventative and disaster recovery measures may not be able to withstand a large-scale and coordinated attack.