Under MiFID II European regulators introduce new rules around algorithmic trading. Whether it’s algo IDs, enhanced audit trails or business clock synchronisation, none of these items would have been on the agenda if it were not for the rapid innovation in information technology over the past decade.

Now ESMA is extending its reach into cyberspace, discussing issues such as cyber security monitoring for unwarranted access, system or data interference, communication interception or two-factor authentication. But I wonder why they are proposing such detailed requirements? Firstly, the MiFID II mandate looks much vaguer and does not even mention cyber security explicitly. Secondly, cyber security is very much a matter of self-interest for all companies, as illustrated by the Target case.

Back in the so-called ‘good old days’, when computers were the stuff of science fiction books and the trading pits were full of screaming men, security was about choosing the right filing cabinet and installing strong door locks. Then, and today, security came at a price and guaranteed 100% safety was, and is, something of a myth. Before settling on any regulatory requirements around cyber security that could raise the fixed costs of doing business for everyone, some carefully conducted cost-benefit analysis is required. Maybe that analysis will show that for smaller or less tech-savvy firms it is still sufficient to lock their doors behind them.