The World Federation of Exchanges, a trade group representing 57 stock, futures and options exchanges around the world, has established an international committee to collaborate on cybersecurity best practices for global capital markets.
The WFE's Cyber Security Working Group, announced Thursday, expects to bring together security executives from some of the world's largest exchanges. They will collaborate on a communication framework for sharing threat intelligence and information on attack trends, attack mitigation, security best practices, standards and technologies.
Founding members of the group include Nasdaq OMX, the New York Stock Exchange, Toronto Stock Exchange, Germany's Deutsche Boerse, Saudi Stock Exchange, Singapore Exchange and BM&FBOVESPA of Brazil.
In terms of scope and goals, the working group will be similar to the Financial Services Information Sharing and Analysis Center (FS-ISAC) that serves as a clearinghouse of cyber threat information for the U.S. financial services community.
The WFE's initiative comes at a time of heightened concerns about cyberthreats against the major exchanges. In a survey report released in July by the WFE, more than half of all exchanges said they had suffered a cyberattack during the last 12 months. The most common attacks reported were Distributed Denial of Service attacks designed to disrupt services rather than to cause financial harm.
Nearly nine out of 10 respondents described cyberattacks as a systemic risk to their operations.
Nasdaq suffered a glitch earlier this year that resulted in an unprecedented trading halt for several hours. Though the issue was later traced to a connectivity problem between an exchange participant and Nasdaq's Securities Industry Processor (SIP) system, it served as a reminder of the havoc a cyberattack could wreak.
Initially, the working group will focus on establishing communication channels and building trust among the various members, said Mark Graff, Nasdaq's chief information security officer and chairman of the working group. Members will work on the mechanics of sharing threat information with each other in a way that does not trigger anti-trust issues, break confidentiality rules, or violate regulatory controls.
Over time, the group hopes to develop countermeasures for dealing with internal and external cyberthreats on an international scale. In addition, it plans to engage with regulators and policy makers in different countries and see how best to communicate industry concerns to them, he said.
"We want to exchange ideas on how to find a good way to explain to [international] regulators what we are doing," Graff said. "How do you explain threats and vulnerabilities to regulators? Has anyone found metrics that we can present to them?"
Graff, a former security executive at the Lawrence Livermore National Laboratory and before that the U.S. Department of Defense, took over as Nasdaq CISO about 18 months ago and immediately noticed how difficult it was to connect with counterparts in other countries.
"When I took the job at Nasdaq, I found it was easy to connect with people within the [U.S.] financial community," Graff said. "But I just couldn't see who my opposite numbers were in exchanges overseas."
So over the past several months, Graff, along with WFE members and Nasdaq staff, worked on compiling a list of security executives from global exchanges. In October, Nasdaq convened a meeting of security executives from 12 large exchanges around the world to study the idea of a global working group on cybersecurity. That led to the creation of the Cyber Security Working Group.
"I have found in my years in the business it is extremely effective to have established channels of communications with colleagues in other corporations," Graff said. "It's important to develop a relationship and build trust, so if a crisis develops we have effective communication channels," for sharing information, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.