Cyber-Crime: Study Warns Securities Markets Could Face “Black Swan” Event
One of the topics we think about a lot at CFA Institute is the stability of the global financial system and the potential for systemic risks to disrupt that system. In fact, “safeguarding the system” — by promoting stability and minimizing systemic risk — is one of the key areas of our Future of Finance project.
Increasingly, the topics of systemic risk and cybersecurity are intertwined. To that end, a new staff working paper, “Cyber-Crime, Securities Markets and Systemic Risk,” published jointly by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE), investigates the evolving nature of cyber-crime and proposes a framework for determining under what circumstances cyber-crime could pose a systemic risk to securities markets.
The author, Rohini Tendulkar, notes that this is an especially salient discussion given the global financial crisis of 2007–08, its lingering and damaging aftereffects, and the increasing role of securities markets as a financial channel around the world. The crisis is “a strong reminder that even those (perceived) ‘lower-probability, high impact’ risks should be considered and mitigated if the road towards financial resilience is to be paved,” she writes. “There is an added urgency in addressing these risks given that the financial system is still struggling towards recovery, and public trust and confidence in the system may be fragile.”
Tendulkar writes that while cyber-attacks against the financial system have displayed little capability for global shock, “motives, capabilities and vulnerabilities can quickly change as cyber-criminals of all stripes rapidly innovate.” With that in mind, she asks, under what circumstances could cyber-crime in securities markets pose a systemic risk?
Here are her proposed “systemic risk impact factors”:
- Size of the threat
- Incentive structure
- Effect on market integrity and efficiency
- Infiltration of non-substitutable and/or interconnected services
- Transparency and awareness
- Level of cyber-security and cyber-resilience
- Effectiveness of existing regulation
With regard to “effect on market integrity and efficiency” and “infiltration of non-substitutable and/or interconnected services,” Tendulkar writes: “Cyber-attacks in our complex, leveraged and interconnected financial system could be disruptive — potentially aiming to choke essential financial services; steal/damage/manipulate information, money supply and markets, damage the capability of the private sector to ensure orderly functioning of the economy and delivery of services; and severely damage investor confidence. . . . Attacks can thus reduce market integrity and efficiency.”
Tendulkar notes that “while there is uncertainty around the size of the cyber-crime threat in securities markets, there are clear signs that it is a growing threat to the financial sector, with potential for large costs. . . . One obvious potential systemic risk scenario would involve complex cyber-attacks executed with high frequency, against numerous targets (including infiltration of non-substitutable and/or interconnected services), with the move to disrupt/destabilize and impact the functionality, availability and accessibility of markets and/or data integrity.”
The paper concludes by warning that while cybersecurity in securities markets has not yet produced “systemic impacts,” a “reliance on an out-dated understanding of what cyber-crime entails; a perception of safety due to containment of past cyber-attacks; or assumption around the limited capabilities of cyber-criminals today — may mean we end up ‘bringing a knife to a gun fight’ in the future. Worse, a presumption of safety (despite the reach and size of the threat) could open securities markets to a cyber ‘black swan’ event.”
To access the full report, which includes the results of a cyber-crime survey of world exchanges (conducted jointly with the WFE), click here. Other resources that may be of interest:
- “Cybersecurity: Crime Prevention or Warfare?” in CFA Institute Conference Proceedings Quarterly
- Future of Finance homepage
- Market Integrity Insights blog
- Systemic Risk Council
Please note that the content of this site should not be construed as investment advice, nor do the opinions expressed necessarily reflect the views of CFA Institute.
Photo credit: ©iStockphoto.com/blackred