WFE Sets Cyber Security Guidelines
The World Federation of Exchanges (“The WFE”), which represents more than 200 market infrastructure providers including exchanges and CCPs, has today published a set of best practice guidelines for market infrastructures designed to engender a staff culture of cyber security compliance.
The paper takes a behavioural approach to the issue, as evidence shows that moving away from classroom-based refresher sessions and thinking more creatively about how to get staff to consider cyber defences in everything they do is more effective in creating long-term cyber compliance. Applying behavioural insights and ‘nudge theory’ – brought to prominence by Nobel Economics laureate Dr Richard Thaler with Cass Sunstein* – can be useful to change staff security behaviour. Applying small ‘nudges’, or offering incentives regularly to staff, leads to greater discussion and awareness of cyber threats which may result in better cultural outcomes.
The best practice guidelines for WFE members to consider when creating a cyber compliance framework include:
These include focusing on cyber security in the home environment; bringing hackers into the workplace to demonstrate to staff how easily devices can be compromised; linking compensation to compliance; rewards programmes; awareness campaigns; and the use of ‘gamification’ – making desired security behaviours fun or competitive.
These incentives start with creating a culture of personal responsibility and common sense, relating cyber awareness to personal life, family and home. Other incentives include making cyber security awareness and compliance a Key Performance Indicator (KPI); using language that is simple, jargon-free, creative and graphical; and finally, story-telling, using analogies and anecdotes to explain complicated concepts.
Training: Ensure training is regular and accessible, particularly for new joiners; always train technical staff on cyber awareness (often the first group targeted in cyber-attacks); and implement a strong password/locked computer screen policy, to create a sense of personal ownership.
Transparency: Security policies, disaster recovery and post-breach communications plans should be clear and shared with employees; provide a list of approved and restricted websites, services, software and applications.
Technology: Develop ‘bring your own device’ guidelines; and deploy software tools that launch test phishing emails.
Nandini Sukumar, CEO, The WFE said: “Exchanges and CCPs spend significant time and money on ensuring the technology that underpins the markets they operate and clear meets – and exceeds – the complicated patchwork of technical standards, rules and regulations they are subject to. Our best practice guidelines show that by making small changes to cyber compliance behaviour, the humans using that technology can become a stronger line of defence again cyber-attacks.”
Gavin Hill, Head of Regulatory Affairs, The WFE added: “This set of guidelines is also designed to support future dialogue with regulatory authorities as they continue to consider how best to strengthen the system in response to an ever-increasing degree of sophistication of cyber-criminals.”
These principles were compiled by the WFE’s dedicated cyber security group (GLEX) of more than 30 information security professionals within global exchange and CCP groups, drawing upon their collective experience of what works, and what has proven to be less effective in approaching staff training and behaviour around cyber security.
You can read the paper here.
* ‘Nudge’ – Dr Richard Thaler and Cass Sunstein (2008)
There is no standard approach to identify data that needs to be protected.
The new unit will employ up to 400 high value, experienced and graduate level roles.
Michael Corbat, chief executive of Citi, said partnering with fintechs is the future.
An international search to appoint a successor is underway.
There are network connectivity issues relating to DDoS cybersecurity attacks.