On 6 April 2016, the International Organisation of Securities Commissions (IOSCO) published a report (FR02/2016 – Cyber Security in Securities Markets – An International Perspective – report on IOSCO’s cyber risk coordination efforts) reviewing the high level regulatory approaches and tools available to regulators to improve securities market participants’ cyber security frameworks.

The report also describes certain practices adopted by particular market participants and illustrates that in general, policy response to cyber security issues by regulators is still in its infancy.

This report has been published in response to an increased cyber risk and the growing threat of cyberattack to market participants, together with the increased challenges presented by this rapidly evolving and complex phenomenon. IOSCO is of the view that cyber risk is a substantial one. The human element of the manner in which cyber threats evolve over time requires regulators to adopt a specific cyber risk regime.

Reporting issuers – disclosure 

In line with the existing disclosure framework, IOSCO reminds issuers of the importance of disclosing material information, including in relation to cyber risk. 

Where issuers identify cyber risk to be a material risk that IOSCO members may take into account when regulating issuer disclosure in their jurisdiction, IOSCO recommends that issuers consider making the following disclosures:

  • the reasons why the issuer is subject to cyber risk;
  • the source and nature of the cyber risk, and how the risk may materialise;
  • the possible outcome of a cyber-incident (e.g. effects on third parties, costs of remediation);
  • the adequacy of preventative measures and management’s strategy for mitigating cyber risk; and
  • whether a material breach has occurred before, and how this might affect the issuer’s overall cyber risk.

IOSCO reminds reporting issuers that any disclosure should be tailored to the particular issuer and should not include information that could compromise their cyber security.

Trading venues 

The report identifies specific cyber threats that are considered to be the most relevant to trading venues and outlines in detail the steps in the transaction chain, from the pre-trade stage to the on-going monitoring of the venues, that are considered to be particularly vulnerable to cyber security threats. 

IOSCO identifies the main threats to the cyber security of trading venues as including:

  • hacktivists seeking to draw attention to a particular cause and targeting specific trading venues, as highlighted by the Hong Kong Exchange in 2011, where trading was halted following a targeted attack on several blue-chip companies’ securities;
  • cyber criminals breaching trading venues’ security systems with a view to illegally acquiring funds; and
  • breaches of confidential information, including documents stored at trading venues as well as the threat of the inappropriate use of inside information by employees or former employees of such venues.

By way of guidance for firms that are considering their cyber security policies and procedures, IOSCO sets out in some detail a range of practices that market participants have adopted to date, along with an analysis of various authorities’ regulatory approaches to current cyber security threats. IOSCO recognises that the different regulatory approaches are broadly internationally compatible, as regulators in general place comparable expectations on trading venues’ security processes. The report also highlights the need for trading venues to ensure that sound testing regimes are in place to ensure the on-going adequacy of the policies and procedures that have been implemented.

Market intermediaries 

IOSCO has established a working group to provide feedback and assistance in relation to the issue of intermediaries and cyber security. Chapter 4 briefly sets out examples of regulatory actions taken in Mexico and the United States in relation to this issue.

Asset managers 

Chapter 5 identifies the following as the main potential cyber security risks for asset managers:

  • data theft;
  • data and algorithm manipulation;
  • availability of systems, and the ability to execute trades and maintain public websites; and
  • the risks posed by trusted insiders.

The US Securities and Exchange Commission’s data from 2014 shows that an average of 74% of advisers stated that they had experienced cyber-attacks directly or through one of their vendors.

The chapter then considers the results of the AMCC Asset Management Cybersecurity Benchmarking Survey, which was completed by members of IOSCO’s AMCC working group. The survey gathers data relating to market practices and security systems in relation to respondents’ cyber security.

IOSCO concludes that regulators around the world have taken different approaches towards tackling the cyber security risks that asset managers face. IOSCO advises that an increasing number of investment managers may start to be sanctioned for failings in their cyber security practices, whilst, generally speaking, the majority of regulators promote a robust cyber security posture across the industry through guidance. It is broadly acknowledged that a detailed and prescriptive approach to regulating cyber security risk is unlikely to work given the pace of technological innovation and changing sophistication of adversaries.

Financial market infrastructures 

The Committee on Payment and Market InfrastructuresIOSCO Working Group on Cyber Resilience (WGCR) was formed in September 2014 to address the issues that cyber risk may pose to the well-functioning of financial market infrastructures and to financial stability. The WGCR published a draft document to provide guidance to financial market infrastructures to enhance their approach to cyber risk. The draft document identifies five key risk management categories that should be addressed:

  • sound governance, involving a clear and comprehensive cyber resilience framework;
  • identification of critical business functions and supporting information assets that should be protected;
  • protection of confidentiality, integrity and availability of financial market infrastructures through effective security controls;
  • detection of anomalies and cyber security events; and
  • response and recovery, financial markets infrastructures should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a cyber-disruption.

Concluding remarks 

The Report concludes by recognising the important cyber security challenges faced at an international level by both regulators and market participants and the importance of ensuring that cross-jurisdictional mechanisms are in place to promote greater awareness and information sharing at an international level to mitigate the risk of potential cyber attacks.