As the financial services business increasingly migrates to the online world, the industry’s appeal as a target for hackers and cybercriminals grows, too. As a result, regulators are pushing firms to pay closer attention to their increasing vulnerability.
Earlier this year, global securities regulators — the International Organization of Securities Commissions (IOSCO), along with the World Federation of Exchanges — warned of the growing risk of cyberattacks against the financial services industry, particularly attacks aimed at market infrastructure such as clearing and settlement systems. A joint report on the issue warns that these attacks are becoming increasingly sophisticated and tougher to detect and fight.
Moreover, the threats are becoming more prevalent. In a survey of securities exchanges from around the world, the groups found that more than half say they’ve faced a cyberattack over the past year and 89% believe that this potentially represents a systemic risk.
In late September, the Canadian Securities Administrators (CSA) issued its own notice highlighting these risks to issuers, registered firms and other regulated entities. The CSA’s notice calls on firms to take steps to ensure they have considered and planned for these risks by educating their staff, following guidance and best practices in this area, and testing their defences. The notice also indicates that the CSA will be considering these risks in both issuers’ disclosure and in the regulators’ oversight of dealers, investment managers and other market players.
CONCERNED REGULATORS
Federal financial regulators also are signalling their concern. In late October, the Office of the Superintendent of Financial Institutions (OSFI) published new guidance designed to help firms assess their defences against possible cyberattacks. In particular, OSFI’s new guidance advises firms on how to evaluate their current level of preparedness and aims to help firms develop effective security practices.
But what Canadian regulators don’t appear to be doing is testing the industry’s capability to withstand a systemic attack. During the summer, the U.S. Securities Industry and Financial Markets Association (SIFMA) co-ordinated a major cybersecurity exercise known as Quantum Dawn 2, which tested the U.S. industry’s response to a variety of simulated attacks.
Then, in late October, SIFMA released a report that makes several recommendations for improving the U.S. industry’s preparation for a large-scale attack on financial markets. Among other issues, the report highlights the need for the industry to be ready to co-operate in order to assess whether it’s facing a systemic event. The report recommends bolstering the procedures used to decide whether to shut markets in response and stresses that firms must have the ability to ensure communication, both within the industry and to the general public.
As SIFMA CEO Judd Gregg says in the report: “Cybersecurity is a top priority for the financial [services] industry…. The exercise helped participants identify areas where we can improve. Complacency is not an option in the fight against cybercrime.”
Yet, at this point, Canada’s regulators aren’t planning to carry out a similar test for the domestic industry. For the most part, regulatory responses here are confined to the preparations of individual firms, not the system overall.
Lucy Becker, vice president of public affairs with the Investment Industry Regulatory Organization of Canada (IIROC), indicates that there are no plans for a similar sort of test here: “IIROC members are expected to have appropriate compliance supervision and risk-management measures in place to safeguard themselves and their clients with respect to their business activities, including the risk of cyberthreats.”
OSC FOCUSED ON SECURITY
The Ontario Securities Commission’s director of market regulation, Susan Greenglass, says that cybersecurity is an area of focus for the regulator: “And we will be further reviewing this as part of our ongoing oversight of regulated entities.”
Although there are no plans for a specific cybersecurity exercise in Canada, there are regular industrywide business continuity plan (BCP) tests every couple of years (most recently, on Oct. 5) that test various disaster scenarios. Canada’s industry got a chance to try out its BCPs in the summer of 2010 during the G20 summit in Toronto. But that is not the same as specifically testing plans for a systemic cyberattack.
The IOSCO report notes that many exchanges recognize that there is no such thing as impenetrable security. Although most exchanges reported that current attacks are detected immediately, the report says, about 25% also recognize that “current preventative and disaster recovery measures may not be able to stand up against a large-scale and co-ordinated attack.”
The magnitude of cyberthreats is inherently hard to gauge. In addition, the costs of cybercrime also are hard to pin down, as the IOSCO report notes, “due to lack of reliability when it comes to reporting direct and indirect costs.”
Certainly, firms generally don’t advertise when they fall victim to online assaults. Publicizing attacks may shake public confidence and reveal weaknesses that invite further attacks.
This reluctance to publicize security failures was highlighted earlier this year, when IIROC revealed that an employee had lost an electronic device that contained the personal information of thousands of brokerage firms’ clients. Although that incident was an accident rather than the result of a malicious attack, the regulator was wary of giving out too much detail about the episode for fear of increasing the risk that the lost information could be misused.
The CSA’s investigation into that incident now is complete. However, the CSA is reluctant to say anything about its findings, citing the existence of an ongoing class-action lawsuit in Quebec.
Nevertheless, Greenglass says, the CSA will be monitoring the implementation of IIROC’s new action plan for information security “on an ongoing basis.”