Market watchdog warns on danger of cyberattack

Sam Fleming in London

A global watchdog has sounded the alarm about the growing danger of cyber attacks on financial markets, warning that firms and regulators around the world need to address the "uneven" response to the threat of online assaults.

Greg Medcraft, chairman of the board of the International Organisation of Securities Commissions (Iosco), predicted that the next major financial shock – or "black swan event" – will come from cyber space, following a succession of attacks on financial players.

He warned that there needed to be a more concerted effort to tackle cyber threats around the world as current approaches varied widely. "The feedback we have had from industry in discussions is that there is not a consistency in approach," he said.

Recent big hacking attacks against US retailer Target, which had the credit card data of up to 40 million shoppers stolen, and eBay – as well as the "Heartbleed" bug discovered in software used to secure two-thirds of the web – have exposed the vulnerability of websites to attack.

Regulators are looking at producing a global "toolbox" next year to assess whether firms are sufficiently robust and managing their risks adequately. The idea is to identify risk management standards for detecting and responding to cyber-incursions, Mr Medcraft said, building on work pioneered in the US.

"The issue of cyber resilience is a bit of a sleeper issue, and one that we have to be proactive [about] in terms of making sure the risk management approach is robust," Mr Medcraft said in an interview with the Financial Times. "Cyber crime has a huge potential impact on markets."

The US Securities and Exchange Commission in April said it would examine the cyber resilience of more than 50 broker-dealers and investment advisers. SEC chairman Mary Jo White has said cyber threats were of "extraordinary and long-term seriousness" and called for the public and private sectors to be "riveted, in lockstep, in addressing these threats".

Mr Medcraft, who is also chairman of the Australian Securities & Investments Commission, said: "The starting point is to look at what the Americans have done . . . and look at those risk-management principles and see how they could translate globally."

The focus is on firms including broker dealers, fund managers, companies listed on stock markets and the stock markets themselves. He added: "The next black swan event will come from cyber space. It is important that we pay attention."

Richard Horne, cyber security partner at PwC, the accountants, said: "Financial markets are globally interconnected and dependent and the financial system is only as strong as its weakest link.

"As things stand the regulatory approach around the world is very patchy, so we need more co-ordination and consistency. Iosco's move on this is a welcome step forward."

Iosco, an umbrella body whose members include more than 120 securities regulators, has been highlighting cyber risks after last year releasing a report showing that more than half of securities exchanges had been on the receiving end of an attack.

Some 89 per cent of the exchanges it surveyed said they viewed cyber crime as a potential systemic risk, citing the danger of major financial or reputational damage and the threat of a catastrophic loss of confidence. Forty-six securities exchanges responded to the survey, which was conducted with the World Federation of Exchanges.

Concern about a possible state-sponsored attack on financial systems has been heightened after last year's hacking of computer systems at South Korean banks and broadcasters, which originated from a Chinese internet address and was blamed by Seoul on North Korea.

In Britain, the Bank of England has been overseeing a program of "ethical hacking" aimed at assessing the ability of leading players including banks and insurers to fend off cyber assaults. That follows the country's so-called Waking Shark II process, when City institutions conducted a simulated war game to check where vulnerabilities lay.