Cybercrime in securities markets is evolving, and it poses a threat to fair and efficiently functioning markets. Cyber threats to securities markets need to be considered a potential systemic risk. Certain measures for effective regulation may help in combating the threat.
What’s Inside?
The author presents a joint staff research effort of the International Organization of Securities Commissions (IOSCO) research department and the World Federation of Exchanges. The goal of the research is to investigate the level of awareness of cybercrime and the number of control measures in place among the world’s exchanges. She proposes a framework to determine under what circumstances cybercrime in securities markets could pose a systemic risk. The author applies this framework to the results of a survey of the world’s exchanges on their current views, experiences, and responses to the cybercrime threat. She also suggests further research and options for fighting the threat.
How Is This Research Useful to Practitioners?
The stability of securities markets relies on the quality of information provided, the integrity of people and services in the industry, and the effectiveness of regulation. But increasingly, stability is also dependent on the robustness of the supporting technological infrastructure. Thus, it is critical that cyber-based attacks on securities markets’ technological infrastructure be investigated thoroughly. There is an added urgency in addressing these risks as the financial system struggles to recover and because public confidence in the system is fragile.
The author notes that more than half of the world’s securities exchanges dealt with cyber-attacks over the past year. She warns that underestimating the severity of this emerging risk could expose securities markets to a black swan event. In fact, 89% of exchanges view cybercrime in securities markets as a potential systemic risk. Cybercrimes in securities markets are generally disruptive in nature rather than motivated by financial gain. This difference distinguishes cybercrimes from traditional crimes in the financial sector, such as fraud and theft. Furthermore, the survey results revealed that 93% of exchanges have disaster-recovery protocols and use several preventative and detection mechanisms to fight cybercrime. All exchanges are able to identify a cyber-attack within 48 hours of it occurring. In addition, 22% of the surveyed exchanges have cybercrime insurance.
The set of recommendations the author offers to combat cybercrime includes more effective regulations to deter cybercriminals; information sharing, dedicated monitoring and training centers, and information technology security awareness campaigns; and the promotion of international security standards and frameworks. The research is useful for securities market regulators and participants.
How Did the Author Conduct This Research?
In the first part of the report, the author assesses what is known of the cyber threat so far. She also presents a framework composed of eight indicators that could be used to monitor trends in and vulnerabilities to cybercrime in securities markets. This framework is in line with IOSCO’s commitment to identifying emerging risks in a proactive way. Data and analysis around these indicators form the foundation of a number of scenarios in which cybercrime could pose a systemic risk.
In the second part of the report, the author provides the results of a comprehensive survey of exchanges around the world. The survey results, which are based on a set of 25 questions, provide insight into the experiences of exchanges in dealing with cybercrime and their perceptions of the risk. The survey is intended to be part of a series of surveys that explore the experiences of different groups of securities market actors. The author also spends some time discussing the topic of engaging risk along with ways to control risk and to identify gaps that require effort on the part of exchange regulators. She suggests some questions for further research as well. The appendices of the report also describe cyber-attack techniques and prevention and detection mechanisms.
Abstractor’s Viewpoint
There is limited public, targeted, and in-depth study into how cybercrime does and could affect the world’s securities markets. Although cybercrime in securities markets has not had systemic effects so far (e.g., knocking out critical systems or trading platforms), it is rapidly evolving in terms of actors, motives, complexity, and frequency. The report brilliantly achieves its aim of raising a high level of awareness along with conducting a concerted cross-border, cross-sector, collaborative approach.