Public companies and investors will also be greatly impacted.
Cybersecurity has become an important topic in both the private and public sectors, and for good reason.
Law enforcement and financial regulators have stated publicly that cyber-attacks are becoming both more frequent and more sophisticated.
There are reports indicating that cyber-attacks have become increasingly costly to companies that are attacked. Available evidence suggests that cyber risk has become more prevalent and may become more so in the foreseeable future. For securities markets, this growth in cyber risk poses an increasing threat to market efficiency, investor protection, and ultimately confidence in financial markets.
Beyond the loss of consumers' data at the expense of, and against the will of, the individuals concerned, the threat to the capital markets and their critical participants, including companies listed on Bursa Malaysia, cannot be ignored. The widespread and severe impact that cyber-attacks could have on any of the critical participants, including companies listed on Bursa Malaysia, affects the integrity of the capital markets infrastructure and investors.
Given the known risks posed by cyber-attacks, one would expect corporate boards and senior management in every organisation, let alone those of companies listed on Bursa Malaysia, to be proactively taking steps to confront these cyber-risks.
Yet, evidence suggests that there may be a gap between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks. Some have noted that boards are not spending enough time or devoting sufficient corporate resources to addressing cybersecurity issues.
The role of the regulators in preserving market integrity has never been as important as it is today. Market integrity is closely related to the management of systemic risk. When systemic risks materialize, markets may suffer from pro-cyclical stress, become disorderly, and/or cease to effectively match buyers and sellers. Conversely, an absence of transparency or a lack of confidence in the integrity of markets may produce systemic stress.
Cyber-attacks could cause important market disruption by preventing business transactions or by deleting, modifying or corrupting books and records of the capital market industry. Damage from cyber-attacks and cyber theft may spill over from the initial target to economically linked firms, thereby magnifying the damage to the economy. A cyber-attack could produce important ripple effects affecting entire capital market systems and the broader economy. Over time the trust on which capital markets are built could be eroded.
The majority of companies share common cyber vulnerabilities, causing cyber threats to be correlated across various organisations. Corporate computer systems and networks are vulnerable to compromise at multiple layers, including software, firmware, and hardware. When a vulnerability in one of these layers is discovered and subsequently exploited by cybercriminals or other malicious actors, it is highly probable that other firms that use the same technology may be similarly vulnerable. Malicious actors often target a vulnerability wherever it exists, not necessarily focusing on a single firm or industry.
Scarce data and insufficient information sharing are impeding cybersecurity efforts locally. The lack of a representative data set for cybersecurity incidents poses a number of challenges to organisations and potentially to regulators. For regulators, it makes it next to impossible to accurately measure the cost of cybersecurity incidents for the Malaysian economy and to determine whether more active government involvement is needed to limit cybersecurity risk to the public and private sectors.
Unlike organisations in more established countries, local organisations have yet to reveal any cyber breaches to the public, even though we believe that, in reality, the situation is different.
Thus, we call on the regulators and the government to implement an information sharing network amongst the capital market participants. Information sharing provides numerous benefits, notably by allowing organisations to tap into a broader community’s intelligence, capabilities, knowledge and experience related to cybersecurity.
Securities regulators can also benefit from information sharing. Such information can provide regulators with more information on the types of threats faced by market participants, on their cybersecurity practices, and on their general level of preparedness. Ultimately, this information can potentially be helpful in ensuring that rules, regulations, and supervisory activities are effective and appropriate.
As part of their regulatory framework, securities regulators may want to require or encourage some or all market participants to participate in information sharing networks or initiatives, taking into consideration the participants’ capacity or technological sophistication to process and act on the information received.