Global Regulator Warns Financial Markets of Major Cyber Risk

The next major shock to the global financial system will come as a result of a cyber attack, according to Greg Medcraft, chairman of regulator the International Organization of Securities Commissions (IOSCO).

Medcraft told the FT on Sunday that the financial markets were at risk because of the “uneven” response to online threats around the world.

“The issue of cyber resilience is a bit of a sleeper issue, and one that we have to be proactive [about] in terms of making sure the risk management approach is robust,” he said in an interview with the paper.

“Cybercrime has a huge potential impact on markets.”

Medcraft claimed that the best approach would be to build on the work being done in the US, which is apparently developing risk management standards that firms in the industry could use to better spot and block cyber-attacks.

The SEC has already stated it plans to assess the ability to deflect threats of 50+ broker-dealers and investment advisors.

The IOSCO published a report last July with the World Federation of Exchanges which warned that the number of high profile and critical “hits” is increasing.

It claimed over half (53%) of all exchanges reported a cyber-attack in 2012, but that most focused on disruption rather than financial gain.

The report also urged securities markets to regard cyber-attacks as a potential systemic risk in the future, and presented a framework for monitoring the extent of cybercrime in markets going forward.

A massive cyber-attack on South Korean banks and media companies last year known as Dark Seoul was blamed on Pyongyang and caused mass disruption for customers in the world’s most wired nation.

Toyin Adelakun, vice president of products at Sestus, argued that any program to improve cyber-resilience should begin with a “regime of multi-level penetration testing”.

“These security tests may be technical, and attack firewalls and intrusion-detection systems; or physical, and try to get staff and contractors or even end-customers to divulge sensitive data,” he told Infosecurity. “There is a veritable panoply of social-engineering and penetration-testing exercises that may be performed, but what is just as important is what is done with the results.”

Aside from remediating any vulnerabilities found, procedures and policies should be revisited after such tests, he claimed.

“Co-ordination can be effected through pseudonymous submissions to a cybersecurity clearing-house (set up by IOSCO), in addition to more open forms of collaboration,” Adelakun concluded.

“Resilience has both competitive and cooperative implications, and calls into play industry standards on business continuity such as ISO 22301.”

Mark James, security specialist at Eset, argued that financial services firms need to look more closely at how data is stored, with a designated role put in charge of the correct use of data in the organization.

“It is often sold to the lowest bidder on hardware we have no control over so a good maintenance plan on software procedures needs to be in place and reviewed on an ongoing basis along with a good ‘what if’ plan if things go wrong,” he told Infosecurity.

“This needs to include monitoring data coming in and going out of the premises, simulated attacks and an open approach of how their data is vulnerable.”
