Global securities regulators are calling on dealers and trading venues to ensure that their plans for handling a major business disruption are up to snuff, and to factor the risk of cyber attacks into that process.
The International Organization of Securities Commissions (IOSCO) published two consultation reports Thursday that aim to ensure that financial markets and firms are prepared for a variety of potentially catastrophic events, including fires, floods, pandemics, and cyber attacks; and, that firms have plans that would allow them to swiftly resume operations following one of these sorts of events. One of the reports focuses on trading venues, while the other targets intermediaries, such as brokerage firms.
Both reports make recommendations for regulators, calling on them to set standards for firms to adopt and maintain business continuity plans (BCPs). “Recent disruptive events and emerging threats in major international financial markets highlighted the need to examine and identify the key measures and arrangements in place at trading venues and market intermediaries to restore their ‘critical’ functions should a disruption occur,” IOSCO says.
The reports were also informed by surveys of IOSCO members and other market players, and feedback from roundtables organized with industry participants, it notes. “A key objective of the reports is to address possible weaknesses or gaps in the business continuity plans and recovery strategies of trading venues and market intermediaries,” the regulators say.
In addition to conventional threats, such as natural disasters, pandemics, or terrorist events, the report focusing on financial firms calls on them to also address the need to protect data and client privacy, whether as part of BCP, or not.
“This would include measures to address the risk of potential loss or compromising of the firm’s and investors’ information or assets due to cyber-attacks,” it says. For example, it says that firms should have a defined security and IT policy outlining the appropriate controls to restrict access to physical assets and information, particularly during a major disruption; and, to consider the use of offsite storage facilities for electronic data, and the need to encrypt that backed up data.
The report focusing on trading venues examines the steps they should take to manage the risks associated with electronic trading, and the ways they plan for and manage disruptions. “As technology continues to evolve, trading venues will need to continuously adapt to these changes,” it says.
It also provides recommendations to help regulators ensure that trading venues are able to manage effectively a broad range of evolving risks, and it proposes practices that should be considered by trading venues when developing and implementing risk mitigation mechanisms and BCPs aimed at safeguarding the integrity, resiliency and reliability of their critical systems.
The reports are out for comment until June 6.