Stock exchanges of the world form central cyber security working group


The World Federation of Exchanges (WFE), the trade association for the world's stock exchanges, has formed a central committee on cyber security, to work on how exchanges should go about protecting themselves from cyber attacks.

The WFE counts most of the world's stock, option and futures exchanges among its members, and initial committee inductees include the operators behind NASDAQ and the New York Stock Exchange (NYSE), as well as exchange firms from Australia, Canada, Germany, Saudi Arabia and Switzerland.

The chair of the group will be Mark Graff, CISO of NASDAQ parent company NASDAQ OMX, who described his mission as "to combat systemic cyber abuse".

Exchanges are a clear target for both financially-driven and politically-motivated attacks.

Terrorists and activists see exchanges as prime examples of rapacious capitalism, and consider damaging them a blow against the rich and powerful, or even against capitalist societies in general.

The world's financial systems are a popular target for fictional supervillains too.

In terms of financially-motivated attacks, exchanges are ripe with information that could be hugely valuable, and could also be open to malicious manipulation if penetrated.

In the past, the main stock-related security issue we've seen has been pump-and-dump scams. These mainly targeted people dealing in stocks rather than the exchanges themselves, but some operated by hacking into trader accounts too.

This sort of scam was pretty common a few years ago, and continues to crop up from time to time.

A report commissioned by the WFE earlier this year found that 53% of exchanges had been hit by attacks in the previous 12 months, which may seem a surprisingly low figure given other attack rates reported elsewhere.

Back in 2006, a malware infection took out the Russian stock exchange for a time, while in 2009 the NYSE left potentially crucial information on its networks exposed on a public server.

In 2011, NASDAQ was hit by a possible hacking attack on one of its web applications serving data to company directors.

Later the same year, the Hong Kong exchange was downed for a while after hacking and DDoS attacks targeted its website on consecutive days.

Earlier this year, attack simulations found plenty of vulnerabilities in the US equities markets.

With all this going on, many commentators agree that it is well past time for the exchange community to start working together to develop countermeasures and best practices for securing their systems and networks.

Committee chair Graff claims to have been surprised by the lack of communication between security staff at different exchanges, and stressed the importance of collaboration and information-sharing.

Indeed, three of the WFE committee's four guiding principles relate directly to cooperation and sharing of ideas and data:

  • Establishing a communication framework among participants based on mutual trust
  • Facilitating information sharing, including threat intelligence, attack trends, and useful policies, standards and technologies
  • Enhancing dialogue with policy makers, regulators and government organizations on cyber threats for fair, transparent and efficient markets
  • Supporting improved defenses from both external and internal cyber-based threats against the markets.

The committee will have its work cut out setting down best practices for exchanges and getting them implemented in diverse environments around the world, especially if the first step is something as basic as getting people to talk to each other.

Let's hope they can get things organised before any more serious breaches can be perpetrated.


Image of stock exchange courtesy of Shutterstock.


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.