Most financial institutions cite cyber threats as a top five risk, the latest Systemic Risk Barometer Study shows.
But almost half of participating firms said cyber threats are their top concern, up from 24% a year ago, according to the annual study by financial market clearing and settlement services firm Depository Trust and Clearing Corporation (DTCC).
Respondents cited the continuing increase in frequency and sophistication of cyber attacks on financial markets and other key industry sectors.
The study found that, as a result, many market participants have increased their investment in technology to detect and prevent cyber threats, with the goal of ensuring “uninterrupted access to [threat] data.”
Firms are also hiring more cyber security staff and providing greater training and educational opportunities across their organisations.
“Cyber security threats continue to grow each and every day, as attackers become more sophisticated,” said Mark Clancy, managing director and corporate information security officer at the DTCC.
“With cyber security identified as the industry’s top risk, it is critical that we develop and implement solutions that enable the timely sharing of data to prevent incidents, as well as to promote faster incident detection and response,” he said.
According to the DTCC, the call for cyber threat data sharing has been echoed by market participants, regulators and infrastructure providers alike, as firms seek to share information to prevent and respond to attacks more quickly.
In April, Jeh Johnson, the head of the US Department of Homeland Security (DHS), told RSA Conference 2015 that cyber security needed to be a partnership between government and the private sector.
He said the US National Cybersecurity and Communications Integration Center (NCCIC), made up of representatives of many government departments and the private sector, is central to his department’s cyber security efforts.
“In 2014 alone, the NCCIC received more than 97,000 cyber incident reports from the private and government sectors, and issued nearly 12,000 cyber alerts or warnings,” he said.
An NCCIC team is almost continually working with companies to assess and fix significant cyber incidents and identify numerous vulnerabilities.
In an initiative similar to the UK’s Cyber Security Information Sharing Partnership (CISP), Johnson said the DHS is enabling the NCCIC to provide near real-time automated information sharing to the private sector.
As part of this initiative, the NCCIC recently introduced the capability to automate publication of cyber threat indicators in a machine-readable format.
This enables the NCCIC to share threat indicators with an initial set of companies, with plans to add others in future and to enable the NCCIC to accept cyber threat indicators from the private sector later in 2015.
Like the UK’s CISP, the US NCCIC has been set up to be the main way for US companies to provide cyber threat indicators to the US government.
To encourage this flow of threat information, in January 2015 president Barack Obama announced plans for legislation that will provide protection from civil and criminal liability for contributing organisations.
In February 2015, Obama signed an executive order that laid out new ways for companies to share information on cyber threats and promised oversight to ensure privacy is protected.
In addition to cyber security, respondents to the DTCC study cited geo-political risk, local market policies, the impact of new regulations and a global economic slowdown as areas of systemic risk.
Mike Leibrock, managing director and chief systemic risk officer at the DTCC, said the financial services industry remains committed to continuing to identify and respond to all types of risk that could create firm-level or systemic incidents.
“Market participants are not only concerned with the reputational damage that could be caused to their organisations, but also the reputational impact to the industry as a whole,” he said.