More than half of the world’s stock exchanges have suffered some sort of cyber attack, according to a new report from the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE).

The two organizations published a joint paper Tuesday examining cybercrime, securities markets and systemic risk. The report includes the results of a survey of exchanges, which reveals that 53% report suffering a cyber attack in the last year. The paper notes that the attacks tend to focus on disruptions, such as denial of service attacks and viruses, rather than efforts to seek financial gain. For the most part, these attacks have, so far focused on exchanges’ websites, rather than their trading platforms, and “have not come close to knocking out critical systems or trading platforms.”

Exchanges are well aware of these threats, the report says, and almost all of them have disaster recovery protocols, or measures in place to deal with the fallout of an attack. The survey found that all the exchanges are able to identify a cyber attack within 48 hours, and 93% say that cyber-threats are discussed and understood by senior management.

That said, the report also found that some respondents said that complete security is impossible, given that the threat may be widely unknown and rapidly evolving. And, as such, it reports that a vast majority (89%) of stock exchanges “agree that cybercrime in securities markets should be considered a systemic risk”.

Indeed, it warns that while cybercrime in securities markets has not had any systemic impact so far, “it is rapidly evolving in terms of actors, motives, complexity and frequency. The number of high-profile and critical ‘hits’ is also increasing.” And, it warns that underestimating the severity of the risk “may lay open securities markets to a black swan event.”

Given the scope of the threat, exchanges see a role for securities regulators in dealing with these issues, it notes; which they can do, by issuing guidance, developing principles, and, promoting international security standards. Currently, they suggest that regulation is inadequate, and while they’d welcome more regulatory attention to the threat, they caution that it should be flexible, avoid being prescriptive, and should not interfere with exchanges’ own measures.