Cyber risk represents a unique threat to the security and stability of financial markets, warns a report published by the International Organization of Securities Commissions (IOSCO) on Wednesday.
The report says cyber risk is not “just another risk”; rather, it describes the threat as a “highly complex and rapidly evolving phenomenon.”
“As organizations upgrade their defenses, criminals continuously develop new and more complex approaches. Ultimately, in a highly interconnected and interdependent financial ecosystem, cyber attacks may have systemic implications for the entire financial system, and also affect over time the trust on which financial markets are built,” the report says.
IOSCO’s work, which was co-ordinated by the Quebec-based Autorité des marchés financiers (AMF) along with the China Securities Regulatory Commission (CSRC) and the Monetary Authority of Singapore (MAS), also surveys the tools available to regulators to respond to cyber risk, and details some of the practices adopted by market participants to address the threat.
Regulators are generally “still in the early stages” of developing policy responses to deal with cyber security, the report says. “Overall, regulatory approaches tend to be high-level and allow for flexibility, recognizing that there is no ‘one size fits all’ approach that market participants should adopt.”
In general, regulators are demanding that firms have appropriate risk management systems to minimize their exposure to cyber risks, it says, “for instance, implementing adequate physical and electronic security arrangements, ensuring compliance with financial stability standards, notifying appropriate authorities of incidents, and having appropriate protections for electronic trading.” They are also using other tools, such as compliance sweeps, issuing guidance, or carrying out cyber security exercises to test the industry’s defences and responses.
For firms, the report covers the efforts the industry has made to identify, protect against, detect, respond to and recover from cyber security events.
The report also highlights the importance of sharing information related to cybersecurity between the industry and regulators. “As part of their regulatory framework, securities regulators may want to require or encourage some or all market participants to participate in information sharing networks or initiatives,” the report says, adding that information sharing at the international level “is also essential”.