Cyberattacks now have the potential to 'down' one or more of the world's major financial securities exchanges, a survey of the sector by industry body International Organization of Securities Commissions (IOSCO) has found.

Just over half of the 46 securities exchanges surveyed by IOSCO from across the globe reported that they'd been targeted by cyberattacks in 2012, overwhelmingly “disruptive” DDoS attacks designed to interrupt business.

Nine out of ten of these exchanges employed organised defence, but a few now worried that a large-scale and co-ordinated attack might succeed at some point on the basis that no business could possibly be invulnerable.

Only 22 percent of exchanges reported having cyber-insurance in place with some of the others unable to use this mechanism because of a lack of choice and an under-developed market. Currently, most attacks cost less than $1,000,000 (£660,000) to remediate.

There was widespread scepticism about the effectiveness of legal sanctions, with 41 percent believing that the laws in their jurisdiction were not sufficient to discourage attacks.

“Cyber-attacks in our complex, leveraged and interconnected financial system could be disruptive, potentially aiming to choke essential financial services; steal/damage/manipulate information, money supply and markets; damage the capability of the private sector to and severely damage investor confidence,” said the author of Cyber-crime, securities, markets and systemic risk, Rohini Tendulkar.

Although often seen as part of the financial system, exchanges are a form of critical infrastructure in that their functioning underpins all commercial activity. As with critical infrastructure, they are also highly inter-connected; disrupting one would have knock-on “cascading effects” on many others in a chain.

The danger of a major attack would be that it caused a breakdown in trust in parts of the system and a “retreat from markets.”

As to what sort of attack might pose the biggest risk, most agreed that multi-vector attacks were the main worry, that is ones employing a range of methods to disrupt services, steal data, and sow chaos among defenders. Although DDoS attacks were the commonest method of attack in 2012, this form of assault would be unlikely to be more than a major inconvenience on its own.

As to disclosure, 72 percent of larger exchanges reported that they currently informed regulators of cyber-attack incidents, usually by telling national bodies.

“As the Bank of England has already pointed out, the risk of cyber-attack is now considered a greater threat than the Eurozone crisis,” commented Chris McIntosh, CEO of ViaSat UK. “This is because threats against financial institutions and markets can be highly lucrative to nation states and organised crime: upsetting markets and causing lasting damage.

“Only a holistic and, yes, pessimistic approach will protect against increasingly sophisticated and numerous attacks,” he said.