How Exchanges Should Tackle Cybersecurity

Exchanges around the world may differ in size, scope and clientele, says Mark Graff of Nasdaq OMX. But they share a global concern: how to deal with cyberattacks.

House Financial Services Hearing on Cyber Threats to Capital Markets

Mark Graff, chief information security officer with Nasdaq OMX Group Inc., speaks during a House Financial Services Committee hearing in Washington, D.C., U.S., on Friday, June 1, 2012. The hearing was titled “Cyber Threats to Capital Markets and Corporate Accounts.” Photographer: Andrew Harrer/Bloomberg

By all accounts, the last ten days of March were cybersecurity week in the financial exchange world. On March 21 I was in Mumbai for a World Federation of Exchanges committee meeting, where we put the final touches on the new cyber working group we had established in December. Four days later I was in Doha for the annual World Exchange Congress conference, where I met with cybersecurity leaders from several exchanges in the region and discussed developments in cybersecurity best practice. And on March 26 I was in Washington for the Securities and Exchange Commission’s financial industry cybersecurity roundtable, where I sat alongside my peers from CME Group, the Chicago Board Options Exchange and Lenexa, Kansas–based BATS Global Markets to discuss cybersecurity efforts for U.S. market systems and exchanges. In some ways, these three locales couldn’t be more disparate. Yet the cybersecurity concerns are exactly the same.

Although the personal interest in and approaches to these concerns vary, three common themes emerged: first, the need to create universal best practices for smarter cybersecurity at exchanges; second, the need to collaborate as an industry more effectively without relying so heavily on government assistance; and third, the need to assist our regulators in understanding what we do, so we can all operate in a safer environment.

The financial services sector is at the forefront of proactive cybersecurity. Crucial to the success of finance is the need to reach across competitive aisles and geographic borders to share best practices and protect customers from cyberattacks. The financial industry has plenty of practice on this front. It is a common target of attacks, given that it is the home of the world’s money and an economic status symbol for individuals and countries.

Yet within the financial services industry, exchanges still lack sectorwide cybersecurity standards similar to what the world’s accounting firms have devised through bodies like the International Organization for Standardization. But this soon may change.

A potential framework for financial exchange cybersecurity best practice was finished last year, as commissioned by the Obama administration. The plan, titled the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, has received applause from the cybersecurity chiefs I’ve met from various exchanges. (Disclosure: Nasdaq OMX participated in several of the industry committees that gave feedback on the development of the NIST framework.)

Achieving consistency in cybersecurity policy may not be feasible for exchanges, since the jurisdictions of their regulators overlap very little. The creation of one stand-alone body to oversee all exchange regulators would be helpful, but the idea presents legal hurdles. For the moment, though cybersecurity issues go beyond just local threats, each exchange must rely on the regulator in its own jurisdiction — and on the public.
One way that financial exchanges can keep improving collaboration is by supporting the burgeoning, smaller exchanges around the world that may or may not have a solid cybersecurity program in place, or even an understanding of cyberthreats. It is not easy putting together a multilayered defense strategy. And often these fledgling exchanges have neither access to good threat intelligence — that is, who is attacking them — nor the means to detect these cyberattacks. The more mature exchanges can lend their support and share knowledge. Cooperation is key to strengthening defenses against cyberattacks.

Eventually there will be an international regulatory body that will drive the adoption of universal cybersecurity standards for exchanges. In the meantime, several industry leaders have gotten together and agreed on ways that local regulators can get more involved on the matter. First, they can host more industry testing exercises, like the July 18, 2013, Quantum Dawn 2 cyberattack simulation, through which issues can be surfaced quickly and easily and addressed by all of us at once. Second, they can continue to explore how exchanges should be addressing disclosure requirements regarding cyber-related incidents. Third, regulators can develop a universal guide on how exchanges should handle trades that may have been compromised by a cyberattack.

As a whole, financial exchanges and regulators have made incredible strides in the right direction. I am very proud to work alongside various international cybersecurity experts, business leaders, regulators and market participants who are dedicated to helping exchanges to better their resiliency and secure the industry’s position at the heart of the world’s financial economies.

Mark Graff is the chief information security officer at Nasdaq OMX and former cybersecurity strategist at Lawrence Livermore National Laboratory in Livermore, California.