The World Federation of Exchanges (WFE), the trade association for the world’s stock exchanges, has formed a central committee on cyber security, to work on how exchanges should go about protecting themselves from cyber attacks.
The WFE counts most of the world’s stock, option and futures exchanges among its members, and initial committee inductees include the operators behind NASDAQ and the New York Stock Exchange (NYSE), as well as exchange firms from Australia, Canada, Germany, Saudi Arabia and Switzerland.
The chair of the group will be Mark Graff, CISO of NASDAQ parent company NASDAQ OMX, who described his mission as “to combat systemic cyber abuse”.
Exchanges are a clear target for both financially-driven and politically-motivated attacks.
Terrorists and activists see exchanges as prime examples of rapacious capitalism, and consider damaging them a blow against the rich and powerful, or even against capitalist societies in general.
In terms of financially-motivated attacks, exchanges are ripe with information that could be hugely valuable, and could also be open to malicious manipulation if penetrated.
In the past, the main stock-related security issue we’ve seen has been pump-and-dump scams. These mainly targeted people dealing in stocks rather than the exchanges themselves, but some operated by hacking into trader accounts too.
A report commissioned by the WFE earlier this year found that 53% of exchanges had been hit by attacks in the previous 12 months, which may seem a surprisingly low figure given other attack rates reported elsewhere.
In 2011, NASDAQ was hit by a possible hacking attack on one of its web applications serving data to company directors.
With all this going on, many commentators agree that it seems like well past time for the exchange community to start working together to develop countermeasures and best practices for securing their systems and networks.
Committee chair Graff claims to have been surprised by the lack of communication between security staff at different exchanges, and stressed the importance of collaboration and information-sharing.
Indeed three of the WFE committee’s four guiding principles relate directly to cooperation and sharing of ideas and data:
- Establishing a communication framework among participants based on mutual trust
- Facilitating information sharing, including threat intelligence, attack trends, and useful policies, standards and technologies
- Enhancing dialogue with policy makers, regulators and government organizations on cyber threats for fair, transparent and efficient markets
- Supporting improved defenses from both external and internal cyber-based threats against the markets.
The committee will have its work cut out setting down best practices for exchanges and getting them implemented in diverse environments around the world, especially if the first step is something as basic as getting people to talk to each other.
Let’s hope they can get things organised before any more serious breaches can be perpetrated.