Financial markets may have to adopt nuclear safety controls

A review of the risks was commissioned as part of the UK Government's Foresight Project

In a new report the Government Office for Science has suggested risks in financial computer trading are potentially as severe as those facing the nuclear industry, and that markets may have to follow the safety standards found in the nuclear sector.

There has been a major nuclear "incident" somewhere in the world about every ten years involving reactors, but worldwide stock markets have recently seen regular market meltdowns, caused by network outages or problems with ultra-fast algorithmic trading systems.

A review of the risks involved in relying on technology to run financial markets - "Computer trading and systemic risk: a nuclear perspective" - was commissioned as part of the UK Government's Foresight Project, The Future of Computer Trading in Financial Markets.

Co-authored by City University London's Professor Robin Bloomfield and Dr Anne Wetherilt from the Bank of England, the report says the financial markets have "evolved to become complex adaptive systems highly reliant on the communication speeds and processing power afforded by digital systems".

It says "their failure could cause severe disruption to the provision of financial services and possibly the wider economy".

The report says "there are a very wide range of areas where the issues and practices in the nuclear industry might resonate with those raised by the evolution of computer-based trading".

These areas include the approaches to systemic risk definition and evaluation; and the definition of protection system parameters, risk controls and architecture.

The authors say, "We consider a serious nuclear incident that has the potential for the release of radioactivity with associated plant damage as a 'systemic event' and hence make the link to a financial market crash: an event that both damages the market and also potentially impacts the wider financial system and the broader economy."

They add that the development of the nuclear industry approach to safety has been driven by the need to engineer systems that provide social and economic benefits with "tolerable risks", to evaluate and explain the nature and extent of these risks, and to provide a framework that allows for scrutiny at varying levels of independence, ranging from technical experts within the industry to pressure groups.

Many critics of the nuclear industry, however, would argue that it has been very poor at explaining the risks, with one of the worst public relations records in the business.

The paper says both industries have to consider the basic concepts of hazard, risk and accident; probabilistic safety analysis and the concept of a design basis; tolerability of risk and the "as low as reasonably practicable" (ALARP) principle; and numerical risk targets.

The authors say the nuclear industry has a formalised approach to defining the classes of consequence, the categories and frequencies of initiating events. It uses theory, models and experiments to justify the risk analysis.

This means that the industry can set risk targets for classes of accident and different classes of people, and discuss tolerability and proportionality in reducing them further.

In doing so, the authors say, the nuclear industry accepts that many things are hard to quantify, but there is nonetheless an emphasis on ranking risks, setting targets for risk reduction, and debating whether both the risks and the targets are accurate and acceptable.

They say the nuclear safety analysis framework allows systematic design of protection and mitigation systems that cover not only what they have to do, but also how much they have to be trusted. These systems, the authors say, use diverse mechanisms to ensure that the overall protection works when it is needed.

The paper asks whether the rapid development of computer-based trading in financial markets requires the adoption of additional risk concepts and tools, like those used in the nuclear industry.

The authors say, "Our analysis suggests that the following questions are worth asking: Is it possible to have a more precise description of risk categories? Is it possible to define precise tolerability criteria? And is it possible to define numerical targets - if not, how does one define 'acceptable' risk?"

They also question whether the financial industry should work on the notion of a "design basis", which would characterise those adverse endogenous and exogenous events that systems should withstand.


Stories by Antony Savvas
