IOSCO study – Cyber-crime, securities markets and systemic risk

Earlier this month the IOSCO Research Department and World Federation of Exchanges released a rather interesting working paper on the potentially systemic risk of cyber crime in securities markets. The full paper is available at

 The report explores the evolving nature of cyber-crime in securities markets and the threat it poses to the fair and efficient functioning of markets. Importantly, it highlights the urgent need to consider cyber threats to securities markets as a potential systemic risk.

While the paper covers at length what is basically a literature review and fact summary on the topic of financial cyber crime and risks, there are several points worth noting. According to the survey, ‘a vast majority of respondents agree that cyber-crime in securities markets can be considered a potentially systemic risk (89%).’ However, it appears from the participant response excerpts that the statement is largely based on ‘what if’ scenarios involving ‘APT’ style attacks rather than currently experienced attacks, which seem to be mainly DoS focused. ‘Financial theft did not feature in any of the responses.’

The paper makes the assumption that ‘This suggests a shift in motive for cyber-crime in securities markets, away from financial gain and towards more destabilizing aims.’ I tend to disagree with the view of a shift in motive towards destabilizing goals (which we mostly see in hacktivism and large-scale hostile conflicts) and rather believe it is the low end of an attack maturity curve. Adversaries may not yet have figured out how to best monetize attacks on the securities markets (or found the cost/benefit ratio to be not desirable at this point), but to conclude that this is a shift in motive away from value extraction is jumping to conclusions.

The survey data itself makes for an interesting read even if the world's exchanges are not close to your home. Some noteworthy findings –

To the question ‘Has your organization suffered a cyber-attack in the last year?’ responses were mainly in the positive, with a noticeable peak (~80%) for the ‘large’ institutions and a no less noticeable low (25%) for the ‘small’ organizations. This raises the question whether large exchanges are a more prominent target or if they are just better resourced to detect such attacks.

According to the survey, ‘Direct financial costs suffered so far are negligible’, which translates into less than 1 million USD over the last 12 months. The result is not as interesting as the question of how this figure was calculated. Unfortunately the paper gives no indication of which factors the participants took into consideration to arrive at their stated cost estimate.

The responses to the question ‘Most common and most potentially hazardous form of cyber-attack to exchanges?’ surprised me; there are certainly severe consequences for exchanges and trading platforms suffering from availability issues (DoS), but ranking it as the primary risk (~75%), followed by malware (~55%), casts at the very least some doubt on whether the responses were given by the right stakeholders or were as considered as they should have been.

The responses on detection time for attacks appear illusory unless the participants were exclusively focused on DoS events which, by nature, are readily noticeable, as the paper correctly states. ‘Nearly all exchanges surveyed state that the most common and most disruptive cyber-attacks are generally detected immediately (within 48 hours).’

 One of the most worrying findings in the paper is, in my view, this response by a participant –

 “The wave of APT last year proved that adversaries may not have direct access to core systems, but by burrowing into internal systems, they gain line of sight indirectly.”

This statement makes me cringe for multiple reasons; the assumption that there was a wave of APT is thoroughly flawed and solely based on perception following media reports. APT style attacks are not a recent ‘thing’, and the fact that these actors were/are undetected for years while extracting whatever value they seek to obtain from their targets shows that organizations often have very little idea if and how badly they are compromised. Assuming that there is any proof core systems are not compromised just because you didn’t see or hear of it yet is wishful thinking, not risk management. How would you know whether your HFT code/trading algorithm has been stolen/tampered with? Market behavior is explained by DSGE theory (or pick your preferred theory) after all, there could be no foul interference, right?