Laurent Clavel, head of Macroeconomic Research at AXA Investment Managers, has noted the tripling of the cyber security budget of the UK regulator, the Financial Conduct Authority, for 2017-18, reflecting on the level of risk to the critical information infrastructure used by the financial services sector.
One key physical asset noted by Clavel is the undersea cables used by service providers such as Swift, the network relied on by institutions globally. Some 8,300 member institutions rely on undersea fibre optic cables to transmit data, and these cables carry some $10trn per day in transactions.
Also, IOSCO, the International Organisation of Securities Commissions, has identified risks to trading venues and market participants. These threats range from manipulation of order management systems, to corruption of trade surveillance systems, to tampering with risk management systems leading to improper margin calculations.
The Bank for International Settlements has meanwhile suggested that a large attack on financial market infrastructure could result in significant harm. The US Securities and Exchange Commission has reported that 88% of brokerages and 74% of advisers in the US were hit, with major US banks suffering an attack every 34 seconds, Clavel notes. So far, these have remained of limited impact and duration, and have not been of a systemic variety. In response, information security spending rose about 10% annually from 2009-2014, Clavel says, adding that even well publicised attacks, such as the $81m theft from the Bangladeshi Central Bank in early 2016, did not pose a systemic threat.
However, those seeking to instigate policies to limit the risks face the challenge of actually knowing relatively little about the reality of such threats. Surveys of cyber security breaches conducted by the UK government did not take place before 2017, he says, at which point they revealed that some 46% of UK firms were hit by a cyber attack in the previous 12 months.
Changes to policies going forward may include ensuring that custodians of personal data disclose breaches to the owners of the information that was illegally accessed. Legislation may also impose additional security requirements for critical infrastructure.