
Author: Tendulkar, Rohini

Title: Cyber-crime, Securities Markets and Systemic Risk

Summary: The soundness, efficiency and stability of securities markets rely on the quality of information provided; the integrity of people and service provision; the effectiveness of regulation; and increasingly the robustness of supporting technological infrastructure. Yet, there is limited public, targeted and in-depth study into how one of the more prominent technology-based risks, cyber-crime, could impact and is impacting securities markets.

Cyber-crime can be understood as an attack on the confidentiality, integrity and accessibility of an entity’s online/computer presence or networks – and information contained within.

The Evolving Nature of Cyber-Crime

In recent years, cyber-crime has become increasingly sophisticated, making it difficult to combat, detect and mitigate. The rise of a relatively new class of cyber-attack is especially troubling. This new class is referred to as an ‘Advanced Persistent Threat’ (APT).

The costs of cyber-crime to society so far may already be substantial. Some studies cite figures as high as $388 billion or $1 trillion. While these high numbers are contentious due to lack of reliability when it comes to reporting direct and indirect costs, a growing number of high-profile cyber-attacks, high financial losses incurred, and other real-world manifestations suggest a potential for widespread impact.

A focus on the world’s exchanges

To gather unique insights into the cyber-crime threat from a securities market perspective, the IOSCO Research Department, jointly with the World Federation of Exchanges Office, conducted a cyber-crime survey (hereafter the WFE/IOSCO survey) to some of our core financial market infrastructures - the world’s exchanges.

This survey is intended as part of a series of surveys exploring perspectives and experiences with cyber-crime across different groups of securities market actors, financial institutions and regulators.

In this first survey, a vast majority of respondents agree that cyber-crime in securities markets can be considered a potentially systemic risk (89%). The following factors shed light on why:

Size, complexity and incentive structure

Cyber-crime is already targeting a number of exchanges. Over half of exchanges surveyed report experiencing a cyber-attack in the last year (53%).

Attacks tend to be disruptive in nature (rather than aiming for immediate financial gain). The most common forms of attack reported in the survey are Denial of Service attacks and malicious code (viruses). These categories of attack were also reported as the most disruptive. Financial theft did not feature in any of the responses.

This suggests a shift in motive for cyber-crime in securities markets, away from financial gain and towards more destabilizing aims. It also distinguishes cyber-crime in securities markets from traditional crimes against the financial sector e.g. fraud, theft.

Potential effect on market integrity and efficiency; infiltration of non-substitutable and/or interconnected services

The instances of attacks against exchanges mean that cyber-crime is already targeting securities markets’ core infrastructures and providers of essential (and non-substitutable) services. At this stage, these cyber-attacks have not impacted core systems or market integrity and efficiency. However, some exchanges surveyed suggest that a large-scale, successful attack may have the potential to do so.

Level of transparency and awareness

Transparency in the form of information sharing is occurring widely. 70% of exchanges surveyed note that they share information with authorities, overseers or regulators. However, most of these arrangements are national in nature.

There is also a high level of awareness of the threat across exchanges surveyed. Around 93% of exchanges surveyed report that cyber-threats are discussed and understood by senior management and almost 90% report having in place internal plans and documentation addressing cyber-crime.

Level of cyber-security and cyber-resilience

All exchanges surveyed appear to have in place myriad proactive and reactive defence and preventative measures (see Annex B) and report that cyber-attacks are generally detected immediately. Annual cyber-crime training for general (non-IT) staff is also a staple amongst the majority of respondent exchanges.

However, a small but significant number of exchanges surveyed recognize that 100% security is illusionary, with around a quarter recognizing that current preventative and disaster recovery measures may not be able to stand up against a large-scale and coordinated attack.

Around half of exchanges surveyed report having two separate groups for handling physical and cyber threats. Separation of the two teams could lead to challenges in engaging with cyber-physical threats; however, these challenges may be easily overcome (if not already) through efficient and on-going coordination between the two groups. Further information around the level of coordination between these two groups could shed light on this point.

Around 22% of exchanges surveyed report having cyber-crime insurance or something similar. This is mainly due to lack of availability or insufficient coverage of available insurance.

Effectiveness of regulation

A number of respondents expressed doubt over the effectiveness of current regulation in deterring cyber-criminals from damaging markets, since the global nature of the crime makes it difficult to identify and prosecute them. Only 59% of exchanges surveyed report sanctions regimes being in place for cyber-crime in their jurisdiction. Of these, only half (55%) suggest that current sanction regimes are effective in deterring cyber-criminals.

Engaging with the risk

In terms of the future role of securities market regulators in engaging with cyber-crime in securities markets, the following activities were highlighted most frequently by exchanges surveyed:

Updating/implementing regulation and standards (in collaboration with other authorities);
Identifying and providing guidance on best practice, principles and/or frameworks;
Building, partaking in and promoting information sharing networks;
Acting as a repository of knowledge for securities market participants to tap into (e.g. keep up to date with trends, house technical expertise to answer industry questions, collect and record cases, identify biggest risks).

Many of the exchanges surveyed underline a need for further policy but assert that any efforts in this space should:

avoid being prescriptive;
maintain flexibility to adapt to changing risks;
concentrate on information sharing; effective regulations/legislation; providing guidance and principles; and not interfere with an institution’s own tailored internal measures or policy.

Details: Paris: International Organisation of Securities Commissions or the World Federation of Exchanges. 2013. 59p.

Source: Internet Resource: Staff Working Paper: [SWP1/2013]: Accessed July 18, 2013 at: http://www.world-exchanges.org/files/statistics/pdf/IOSCO_WFE_Cyber-crime%20report_Final_16July.pdf

Year: 2013

Country: International

URL: http://www.world-exchanges.org/files/statistics/pdf/IOSCO_WFE_Cyber-crime%20report_Final_16July.pdf

Shelf Number: 129445

Keywords:
Computer Crime
Cybercrime (International)
Financial Crimes
Internet Crime
Securities Markets