News 29/12/22

Capital markets sector vulnerable to cyber attacks; AFM makes recommendations

Capital market institutions rely more and more on increasingly complex IT environments. This makes them vulnerable to cyber attacks that can seriously disrupt business continuity. In self-assessments by 14 capital market institutions, 80% said they would face high risks if ICT control measures were not in place. In anticipation of new European regulations (DORA), the AFM makes 7 recommendations for the sector, including having and maintaining a cyber incident plan.

In brief

  • Self-assessments by capital market institutions highlight the importance of ICT measures to reduce vulnerabilities to cyber attacks.
  • 11 out of 14 institutions (80%) report that they would face high risks if ICT control measures were inadequate.
  • AFM makes seven ICT recommendations, including having and maintaining a cyber incident plan.
  • The sector is preparing for the Digital Operational Resilience Act – DORA.

The AFM regards cyber risks as one of the important operational risks for capital market institutions. Not only is the number of cyber attacks increasing, their disruptive impact is also growing. Cyber attacks can seriously damage business continuity. Together with the capital market sector, the AFM is working to further strengthen cyber resilience. The AFM will intensify this work in the coming years, including in the context of new European legislation, the Digital Operational Resilience Act – DORA.

Self-assessment survey of capital market institutions

The self-assessments of the 14 capital market institutions (pdf, 2.3 MB) contain the latest observations on IT and cyber risk. The institutions include trading platforms, proprietary traders and clearing and settlement firms.

Recommendations

In response to the self-assessments, the AFM makes a number of recommendations for the capital market sector, including having and maintaining a cyber incident plan. The AFM also reminds market participants that not only their own information systems should be adequately secured, but also those of the parties in their cyber supply chain.

Preparations for DORA

In line with the recommendations, the financial sector will have to make preparations for DORA in the coming years. This new set of rules lays down uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector. The aim is to increase the sector’s digital operational resilience. DORA will come into force in 2025.
