Under siege by hackers, global financial exchanges announced plans on Thursday to team up by forming the industry’s first cyber security commission aimed at protecting global capital markets.
Financial exchanges have giant cyber bull’s eyes on them as they represent an opportunity for financially-motivated hackers and ideologically-driven hacktivists alike.
Disrupting trading on a major exchange like the New York Stock Exchange would mark a major coup for cyber actors. In a recent exercise, “white hat” hackers looking to expose cyber vulnerabilities of the U.S. equity markets were able to directly impact market performance.
Cyber security professionals said the committee announced on Thursday is long overdue.
“It’s late 2013 and I’m surprised they haven’t done this already,” said Skylar Rampersaud, senior security researcher at cyber security firm Immunity. “If someone can really attack one of these exchanges, that’s news. It would be an easy way for a group to get their name out there and show they have an impact.”
The World Federation of Exchanges said the new cyber security committee will identify and communicate global information security best practices in an effort to protect market infrastructures.
Mark Graff, chief information security officer at Nasdaq OMX Group (NDAQ), will serve as the committee’s inaugural chair, while the vice chair will be Jerry Perullo, vice president of information security at IntercontinentalExchange (ICE), which recently completed a buyout of NYSE.
WFE said the founding committee members feature a slew of major exchanges, including the CME Group (CME), NYSE Euronext, the Toronto Stock Exchange, the Australian Securities Exchange, the Depository Trust & Clearing Corp. and the Saudi Stock Exchange.
“I’m proud to be working with an array of some of the brightest information security officers in the exchange industry around the world,” Graff said in a statement. “We are tasked with a significant goal: to build universal best practices and partner with third-parties to combat systemic cyber abuse to ensure the resiliency and strength of our capital markets.”
WFE said the committee is also tasked with establishing a communication framework “based on mutual trust,” facilitating information sharing and enhancing dialogue with policy makers and regulators.
“People get touchy about sharing their data outside of the enterprise. It’s helpful to have a formal way to do that so that people who are having more success defending against attacks can help others doing the same job in different places,” said Rampersaud.
Earlier this year, the International Organization of Securities Commissions issued a report with WFE that revealed 53% of exchanges have suffered a cyber attack in the last year. Attacks have focused on non-trading related online services and websites and “have not come close to knocking out critical systems or trading platforms,” the report found.
Still, some 89% of respondents in the survey agreed that cyber crime in securities markets should be considered a “system risk.”
The Quantum Dawn 2 operation released in October took place over six hours and simulated multiple trading days. The exercise, which involved more than 50 entities and 500 people in the financial services sector, highlighted recent progress in the industry but also underscored lingering vulnerabilities.