Distributed denial of service (DDoS) cyber attacks pose a looming threat to the U.S. stock exchange, its registrants and the entire financial community if companies don’t improve their cyber hygiene, Jay Clayton, Security and Exchange Commission chairman, told CNBC in a recent interview.
It’s not only DDoS barrages that could roil the U.S. stock exchange but ransomware and other types of cyber attacks, such as credential stuffing, that imperil broker-dealers, investment advisers, investment companies and service providers, the SEC has previously said. As a cautionary example, New Zealand’s stock exchange was hit in late August by a series of DDoS attacks that caused repeated outages over five days.
In two pre-emptive warnings, last July the SEC’s Office of Compliance Inspections and Examinations issued an alert to financial services companies of an increase in ransomware attacks targeting the industry, following it two months later with a bulletin cautioning companies to be aware of a rise in data breaches aimed at stealing sensitive information.
While DDoS incidents have yet to become “systemic” in the financial industry, “good information sharing across firms and across the government” has helped keep events at bay so far, Clayton said. If hit by a DDoS attack, “ should “reach out...to the SEC, reach out to the banking regulators” for help, he said, urging companies to regularly patch system software to bolster their security profile. “Many, many, many common software systems require constant patching. People need to continue to patch. I can’t emphasize enough that cyber hygiene helps us all.”
The concern is well-founded. DDoS attacks skyrocketed 278 percent in Q1 2020 and bolted upward by 570 percent in Q2, as compared to the same periods last year, according to Nexusguard’s quarterly Threat Report. The spike was fueled by hackers’ changing tactics to smaller and blended “bit-and-piece” attacks, the Q2 report said. The COVID-19 pandemic and the heavy reliance on online services by remote workers has given rise to a spate of DDoS attacks meant to overwhelm ISPs.
In general, corporations must improve their cyber practices, such as strong passwords, two-factor authentication and secure backups, to successfully face off against spiking security threats. “Cybersecurity incidents are on the rise, and it’s something we all need to continue to pay attention to,” he said. “I know companies are burdened in many ways. Our registrants are burdened in many ways right now, but this is one of those things we just can’t lose sight of.”
COVID-19 and the election season have not put a damper on cybersecurity incidents, Clayton said. “Cyber risks have not gone away with the unfortunate, unforeseen risks we’ve faced with COVID and other uncertainties in our economy. “They’re still there, and they’re there more than ever.”