Cyber risk is one of the top threats the financial industry is facing today. Large-scale remote access by businesses during the pandemic has also expanded the threat landscape considerably. Around half the world's securities exchanges were subject to cyber security attacks last year, revealed a joint study by the International Organization of Securities Commissions (IOSCO) research department and the World Federation of Exchanges office. The cost of such events is immense as it impacts brand equity, integrity, and reputation. The damage to public trust and confidence is also irreparable.
Vikram Limaye, Managing Director & CEO – National Stock Exchange of India (NSE) said, “Since the capital market is considered a key growth driver of the national economy, it becomes imperative for the capital market ecosystem to seek ways to secure itself from cybersecurity breaches and risks. Be it commercially sensitive information, or intellectual property, or business intelligence or customer data, securing them is crucial.”
Managing cyber risks in the digital era
Managing cyber security in the digital age needs a comprehensive blueprint to meet four key mandates: 1) Increasing customer expectation to protect the data within the digital ecosystem, 2) Improving cyber resilience due to expansion of threats, 3) Meeting regulatory and compliance expectations when protecting consumer interest, and 4) Securing brand reputation by mitigating internal and external breach risks.
“Trust is the bedrock of capital markets. Regulators expect capital market firms to improve privacy protection for customers who in turn are demanding that their data and information be protected across the digital products and services. The capital markets ecosystem needs to invest in a comprehensive set of cyber risk management capabilities that covers the entire value chain and ensure that the risk is efficiently managed across the ecosystem. There is also a need to define the cyber risk appetite with well-articulated security mission statements, and well-defined threat response measures,” said Limaye.
Requires a comprehensive cybersecurity framework
While a comprehensive and next-generation cybersecurity framework is critical for capital markets firms to grow and prosper in a hyperconnected world, at the same time comprehensive monitoring for maintaining risk-free operations and business continuity is also a must as the capital market firms function in a highly regulated environment.
Without strong security governance, it is difficult to gain clarity on cyber threats and risks, which might increase due to exponential growth in trade volumes and data exchange, to keep track of changing regulations, and to make informed decisions.
“But enabling such governance can be challenging for organizations that leverage legacy security frameworks and siloed security approaches. This traditional approach needs to change. An integrated approach to cybersecurity can also bring in trust, enabling firms to win the business confidence of the stakeholders, investors, and customers. The approach must be an effective combination of specialized capabilities to ensure governance, mitigate risk and meet compliance,” said Limaye.
The key lies in collaboration
Over the past few years, national authorities, standard-setting bodies, and private sector organizations have launched initiatives to address cyber risk and increase cyber resilience of the capital markets and the industry. Indian regulators such as SEBI and RBI, for instance, have proposed and mandated comprehensive guidelines on data security, electronic banking technology, risk management, and frauds for cyber resilience.
“Capital market players must recognize it is suboptimal to deal with cyber attacks in silos and they must adopt a common set of standards to continually strengthen security, governance, security policies, processes, and systems to keep pace with changing attack vectors and risks. Industry participants must work together to standardize approaches and frameworks for security risks,” suggested Limaye.
Best practices to follow
Cyber security is arguably one of the most critical challenges facing market participants and regulators today, but it must be dealt with head-on, with strategic focus and commitment. Following are some best practices suggested by Limaye, which can help the capital market ecosystem players manage their cyber risks more effectively:
1. Establish effective governance: Effective governance is at the heart of any cybersecurity framework. It helps to determine the risk appetite and allocate the necessary resources. To ensure the effectiveness of the cybersecurity framework, it is important that the senior management and the board are closely involved in monitoring governance.
2. Adopt global best practices: Following an existing cybersecurity framework helps market participants to keep up with the fast-evolving cyber threat landscape, and enables organizations to apply the principles and best practices of risk management to improve the security and resilience of the critical infrastructure.
3. Partner with niche cybersecurity companies: Given the skill and expertise gap, it is critical to engage with the right security partner. Aujas cybersecurity, which is now part of the NSE family, offers a unified approach to cyber security. Its next-generation cyber defense center is the Centre of Excellence in security and enables the alignment of people, processes, and technologies.