While payments have been a focal point of cyber-security concerns following successful attacks in recent years, securities firms are being urged to adopt frameworks and standards amid a growing threat.
“If you’ve got these guys and they are attacking the kind of profile of a firm that works with Swift, then what is the limitation to why they should be targeting only payments? So the fear or the hypothesis is, could they be looking at financial services within the securities market… There’s no reason why this couldn’t spill over,” said Brett Lancaster, managing director, global head of customer security, Swift, at Sibos 2018 in Sydney.
“We have currently seen no attacks within our customer base in the securities market, but it’s always a comma, yet.”
The International Securities Services Association (ISSA) released a report following its symposium in May, where it concluded that although the securities services industry has so far escaped unceasing cyber assaults of this kind, it would be complacent to assume this will continue.
Panellists at Sibos agreed that the level of sophistication and the impact of cyber attacks are rising and that there are multiple functions of the securities markets that are vulnerable.
These range from disruption or ransom attacks on central securities depositories, clearing houses and custodian banks, which have a high level of systemic reach, to aspects such as standing settlement instructions, corporate actions and data, which could be open to manipulation.
While less likely to occur, attacks on major infrastructures are a particular concern for the industry due to the potential impact. A disruption of these services can significantly impact the functioning of financial markets by, among other things, impeding credit and liquidity flows.
“These central infrastructures we rely on so much have to be incredibly resilient because of the motivation for disruption. If you were looking to disrupt, you might go for the central utilities,” said William Hodash, managing director, enterprise data management, DTCC.
As a result of the threat, the securities services industry is working on standards and adopting frameworks such as NIST.
JP Morgan’s managing director, security, David Leach, said the industry is on the right track when talking about frameworks, but admitted it is a matter of ‘if’, not ‘when’, an attack on the securities industry will occur.