“Cyber-crime, securities markets and systemic risk” is the title of a paper issued by the International Organization of Securities Commissions (IOSCO), a leading policy forum for securities regulators, and the World Federation of Exchanges (WFE).
The “Cyber-crime, securities markets and systemic risk” paper revealed that securities markets have not been systemically impacted by cybercrime so far. But the scenario is dynamic: cyber threats are increasing in volume and complexity, and the severity of emerging risks must be properly evaluated. The study highlights the urgent need to consider cyber threats to securities markets as a potential systemic risk.
The number of attacks on exchanges has increased in a concerning way: 53% of exchanges have suffered an attack over the last year. The worrying finding is that, unlike in the past, the attackers acted with destructive intent and were not motivated by financial gain. Another distinguishing element is that the number of high-profile attacks is also increasing.
“The costs of cyber-crime to society so far may already be substantial. Some studies cite figures as high as $388 billion or $1 trillion. While these high numbers are contentious due to lack of reliability when it comes to reporting direct and indirect costs, a growing number of high-profile cyber-attacks, high financial losses incurred, and other real-world manifestations suggest a potential for widespread impact.”
With the increase in the number of cyber threats, security experts have observed that cyber criminals have also focused their interest on trading systems. The first part of the paper assesses the level of knowledge of the cyber threats and introduces a framework for monitoring the extent of cybercrime activities in securities markets. Proactive identification of emerging risks is essential to mitigate cyber threats. The threats are rapidly evolving in terms of actors, motives, level of sophistication and volume.
“there is high correlation between the categories selected as the most disruptive form of cyber-attack, and the categories selected as the most common form of cyber-attack experienced: Denial of Service attacks and Malicious software (viruses). ‘Other’ forms of common attacks reported related to: SQL Injection, Laptop Theft, Website Defacement attempts, Port scanning and spam emails, Phishing email attack, social engineering, Website scanning. ‘Other’ forms of disruptive threats included: Website defacement attempts, Port scanning and spam emails, Self-replicating email virus, Advanced Persistent threats, infrastructure damaging threats.” the study states.
The second part of the report focuses on exchanges and presents the results of a survey of the world's exchanges exploring their experience with cybercrime and their perceptions of the risks.
The analysis revealed that the majority of organizations are aware of cyber threats and are prepared to respond to cyber attacks: 93% of them have in fact adopted a disaster recovery procedure, and almost all of them are confident of being able to detect an attack within 48 hours.
“There is also a high level of awareness of the threat across exchanges surveyed. Around 93% of exchanges surveyed report that cyber-threats are discussed and understood by senior management and almost 90% report having in place internal plans and documentation addressing cyber-crime.” the Cyber-crime, securities markets and systemic risk report states.
Some respondents noted the impossibility of completely mitigating cyber threats that evolve rapidly. 89% of stock exchanges agree that cybercrime in securities markets should be considered a systemic risk, as it could impact confidence and reputation, market integrity and efficiency, and financial stability.
“a small but significant number of exchanges surveyed recognize that 100% security is illusionary, with around a quarter recognizing that current preventative and disaster recovery measures may not be able to stand up against a large-scale and coordinated attack”
The following activities to counter cybercrime were highlighted most frequently by the exchanges surveyed:
The fight against cybercrime is hard, and it requires a broader approach based on proactive response to cyber threats and on information sharing about ongoing malicious events and past experiences.
Pierluigi Paganini
(Security Affairs – Cyber-crime, securities markets and systemic risk, Cybercrime)