The International Organisation of Securities Commissions (Iosco) has warned about the growing threats of cyber attacks to financial institutions. The Chairman, Greg Medcraft, has warned that there needs to be a much more concerted effort to tackle such threats. For example disruption of a stock exchange for any length of time could have serious consequences. Securities regulators who are members of Iosco are seeing increased attacks with more than half of securities exchanges being the subject of one or more.
The closure of a market might actually have less impact than one imagines. After all markets have been suspended in the past for lengthy periods of time. As we are commemorating the outbreak of the First World War, it’s worth noting that both the London Stock Exchange and the New York Exchange (NYSE) were suspended on July 31st 1914 and the latter remained closed until December. The latter fostered the creation of an “alternative exchange” called the New Street market so that people could continue to trade (the urge to do so is overpowering of course) but as an article by William L. Sieber on this topic reports: “New Street’s success implies that, from a public policy perspective, expensive back-up trading facilities are not required to preserve liquidity during a trading suspension in established markets. Back-up records of share ownership and transfer facilities, however, are crucial to maintaining liquidity.”
But let us consider for one moment the biggest risk to private investors who trade on an “execution only” basis using electronic platforms. This is that your broker’s electronic trading platform is disabled by a cyber attack. For example, digital denial of service (DDOS) attacks against financial web sites are now very common. The attackers, often based in Eastern Europe, bombard the site with transactions thus overwhelming the system and blocking other normal users from accessing it. They then present a ransom demand for ceasing the attack. There is complex and expensive software that can be installed to thwart such attacks, but not everyone might be using it.
There are other ways to attack and bring down a web site so you might imagine that one obvious back up approach would be to revert to telephone dealing. But that’s easier said than done. It is unlikely that most brokers have the resources in terms of staff or telephone lines to fall back on in such circumstances.
Indeed it is quite remarkable how little information is available to clients of stockbrokers about their security measures, back-up systems and disaster recovery procedures. Perhaps they could argue that publishing such information might of itself be a security risk, but otherwise how does one pick out those who are likely to be at risk more than others?
Those companies whose web sites are poorly designed, or are not 100% reliable might be seen as most likely to be at risk. And one failure can be symptomatic of underlying problems. For example, when Royal Bank of Scotland (RBS) had outages that affected their bank clients (customers unable to withdraw their cash was one obvious symptom), it transpired that the technology platform in use was archaic with multiple overlapping systems (i.e. a “legacy” system as software professionals would call it). This meant that maintenance of the system was more difficult and it was even alleged that RBS had lost much of the expertise to do so by outsourcing the work.
So one aspect to look at is whether your broker’s web site is regularly “maintained” with minor improvements – but not continually changed whereby instability and insecurity might be introduced. Smaller stockbrokers might be more at risk than bigger ones because it now requires more investment to install and maintain IT security (that’s why lots of publicly listed companies providing IT security and services are doing so well).
If you are not only a client of the broker, but a shareholder in them when they are a listed company, you might get more information on some of these matters by reading their Annual Report or attending their AGM and asking a few questions.
One particular danger is of course where your shares are held in a nominee account (as is commonly the case), as there is no independent record of your holdings. If the brokers systems fail, or the data therein corrupted, you might have no other evidence of your holdings. For this reason ShareSoc has consistently opposed nominee accounts and recommended the use of Personal Crest Accounts where possible. Your holdings in that case are recorded in the Crest system and on the register of the companies so there is no doubt as to ownership. But it is of course always worth ensuring that you have your own record of all your holdings, and don’t simply rely on the brokers web site to tell you what you are holding. Likewise keep copies of statements of holdings issued by the broker in electronic form on your own PC, or in paper form.
The other aspect to be aware of is how to protect your account from being accessed and fraudulently used – for example by the withdrawal of cash. Broker systems are now generally more sophisticated in this area than they used to be – which is why logging in gets ever more complex (Charles Stanley were going to tighten up even more by checking IP locations and devices logged in from but further news on this failed to appear – perhaps they had second thoughts, after this writer gave them some comments). Whether brokers’ IT systems hosting the data are as secure as they should be though is impossible to tell.
But the biggest weakness and risk to your account is the failure of users to keep their own PC and software secure and follow some simple steps. These are:
- Install and maintain a good quality anti-virus and firewall system, e.g. from companies such as Symantec (Norton) or McAfee.
- Choose passwords that are long and complex and differ from site to site (use an “autofill” software product to save you remembering them all – so you only have to remember one).
- Do not use third party public PCs or networks to access your account (key logging software can identify what you type in) and these systems are likely to be relatively insecure.
You also need to be very wary of “phishing” attacks, where people send you emails pretending to be from one of your banks or brokers. Do not respond to them or open any links in them. Go direct to the web site of the company (which should be stored as an address in your “favourites” to make sure it is the right address) to see if there is any message if in doubt.
In general if your stockbroking account was defrauded as a result of the brokers defective security measures, they would be liable. But if your own lapses caused the loss, the position might be very different.