Global regulator says cyber-attack could hurt financial markets

Global market watchdog International Organisation of Securities Commissions (Iosco) has warned that the next major financial shock - or 'black swan event' - could come from a cyber-attack.

Global regulator says cyber-attack could hurt financial markets
Global regulator says cyber-attack could hurt financial markets

Speaking to The Financial Times on Sunday, Iosco chairman Greg Medcraft said that cyber-crime has a “huge potential impact on markets” and said that the next major financial downturn could come from cyber-criminals targeting broker dealers, fund managers, listed companies or even stock markets themselves.

“The next black swan event will come from cyber space. It is important that we pay attention,” said Medcraft.

He added that big financial players have an ‘uneven' response to countering the threat of online attacks and says that the industry must work together to develop effective risk management plans.

“The feedback we have had from industry in discussions is that there is not a consistency in approach,” he went onto say.

Iosco published a report last July with the World Federation of Exchanges which warned that the number of high-profile and critical “hits” is increasing. The report claimed that over half (53%) of all exchanges reported a cyber-attack in 2012, but that most of these focused on disruption rather than financial gain.

This news follows on from a McAfee report in June which revealed that cyber-crime costs the global economy around £265 billion - or 0.8 percent of global annual income, although various industry figures suggest that other unseen costs – such as brand reputation damage (currently being felt by Target and eBay, following their respective breaches) – could be considerably higher.

Meanwhile, malware defence specialist FireEye and international law firm Freshfields Bruckhaus Deringer have both reported in recent months that cyber-criminals are increasingly turning their attention to disrupting mergers and acquisitions (M&A), with the latter detailing how there is a ‘worrying level of complacency' when it comes to firms assessing their cyber threats during M&A deals.

Independent advisor Neira Jones said that the news – while not surprising - ‘stresses the importance of risk management when developing a cyber-crime management strategy', but warns that ‘one size rarely fits all'.

As examples, she said that the finance, information services, utilities, manufacturing, education and management sectors were best placed to focus on application security, perimeter protection and intrusion prevention, before adding that construction, manufacturing and those in the public sector should look to train their staff on the risks of ID theft through social engineering.

Payment security, Jones says, should be the focus for accommodation, finance, retail and management.

“Evidently, the above breakdown stresses the importance of effective risk management, but also the effective deployment of standards as well as threat intelligence and cooperation across industries.”

Jones,  who is chairman of the advisory board at Ensygnia and a former head of payment security at Barclaycard, added that whilst she would expect most financial services organisations to have at least “adequate” risk management processes in place, the difficulty is that companies struggle to keep up with cyber-criminals.

“Where it becomes tricky, is the sheer pace at which cyber-crime advances and the notable disconnect between IT, information security, fraud and business imperatives,” Jones told SC. “As we've seen with Target, organisations are starting to realise that the impact is far wider than just a technology issue. 

"I would say the first step is to understand what assets are of interest to criminals and get all stakeholders involved to determine the risk appetite.”

Roger Rawlinson, group managing director of assurance at NCC Group, added in an interview with SC that the possibility of a cyber-attack is certainly ‘plausible' given the interest in financial services companies, not only from bedroom hackers but also from cyber-criminal groups (seeking profit) and governments (possibly looking to destabilise economies).

The key, he says, is for companies to properly assess what are the key information assets within their organisation.

“The threats come from all angles. When you consider cyber security mitigation it really starts with what you want to protect and the potential weaknesses around that.”

Rawlinson adds that the boardroom must also be involved when developing risk assessment plans, but he's not sure that is always the case. “Even where processes are implemented for counter measures, I am not convinced organisations know what to do when [a breach] happens.”

Iosco promotes the implementation of internationally recognised standards for securities regulation, and says that  95 percent of the world's securities markets are its members. Its members include over 120 securities regulators and 80 other securities markets participants, such as stock exchanges.