DerivSource reporter Lynn Strongin Dodds looks at the many challenges and solutions being implemented to combat the growing number of cyber-attacks.
Cybersecurity is far from a new issue, but the ransomware outbreak in June, whereby companies’ data was held hostage and money extorted, was just the latest reminder of the untold damage these attacks can wreak on individuals and organisations. While the derivatives sector was not among the roughly 2,000 global victims, clearinghouses are deemed critical infrastructure, making security an ever higher priority, with regulators and participants working separately and collectively to bolster the sector’s defences.
This is underscored by the latest Depository Trust & Clearing Corporation (DTCC) Systemic Risk Barometer which showed that cyber risk remains the number one overall fear for financial service firms with 34% of respondents citing it as the single biggest threat to the global financial system and 71% rating it among the major five risks. It also significantly rose in the ranks of concerns from the prior survey, with an additional 15% including cyber risk in their top five.
“Cyberthreats have been evolving, but I would not say they are specific to derivatives,” says Stephen Scharf, Managing Director & Chief Security Officer at DTCC. “We’ve certainly seen an increasing number of cyber-attacks target the financial industry.”
John O’Hara, CEO and co-founder of financial technology firm Taskize, also notes that “any company with a network connected to the Internet is impacted. This is why the derivatives industry, like any other, has to engineer systems to be more secure and protect itself against patient, persistent and increasingly advanced threats. Malware will find anyone without actively maintained systems and processes.”
Last year, Swift, the global financial messaging system firm, made the news when hackers used its codes to break into and steal $81m from Bangladesh Bank.
Ransomware, albeit vicious, is only one of the many possible hazards facing the financial services community, according to Michael Cooper, CTO Radianz Services, BT. Others include Distributed Denial of Service (DDoS), whereby multiple systems are compromised; Trojans, a type of malware that is often disguised as legitimate software; CEO fraud or ‘whaling’; personal data breaches and espionage. “The threat is further magnified with the increasing sophistication and complexity of these exploits, combined with an increase in the number of actors capable of executing these,” he adds.
One of the biggest incidents to hit the derivatives market was in 2010 and 2011, when the European Union carbon emissions sector was subject to a spear phishing attack, whereby an email is sent that appears to come from an individual or business known to the recipient. Although more stringent log-in security was added, the site was broken into again with over €50 million stolen before trading was suspended.
“The industry is still trying to prevent the scenario which allowed the carbon emissions trading attack from happening again,” says Stuart Campbell, Director and head of consultancy Protiviti, market infrastructure practice. “Although it was five to six years ago, the sophistication of attacks is rising and the effect is the same. Take collateral: if there is an attack and a certain amount is stolen, firms need to be able to close out the position and provide collateral to cover any losses.”
Although much of the attention has been on external dangers, IBM’s 2016 Cyber Security Intelligence Index showed that organisations also need to be vigilant within the confines of their own walls. It revealed that 60% of all attacks were carried out by insiders and, of these, three-quarters involved malicious intent, while the remainder comprised unintentional actors. Healthcare and manufacturing were among the most vulnerable due to the vast amounts of personal data, intellectual property and physical inventory, but financial services was also on the hit list for the same reasons, as well as for its vast sums of financial assets.
Regulators Push Efforts to Tackle Cyber Risk
Given the potential for damage, it is not surprising that regulators such as the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC) and Financial Conduct Authority (FCA), as well as industry bodies such as the International Swaps and Derivatives Association (ISDA), have issued guidance, best practice documents and recommendations. For example, last year the CFTC published a new set of rules that require frequent testing of information technology at U.S. commodities and derivatives firms, including exchanges and clearinghouses. Systems are to undergo vulnerability, penetration, controls and security incident response testing as well as enterprise technology risk assessment.
The aim is to promote flexibility as hacking methods evolve, and to help firms stay up-to-date on the most effective responses to cyber-attacks as well as help them recover quickly from incursions.
On a pan-European basis, the EU passed the new network and information security (NIS) directive, which sets minimum cyber-security standards for critical infrastructure operators in sectors including energy, transport, financial services and digital services such as cloud services and search engines. “Regulators are using their convening capability and authority to lead the industry to greater awareness, increased collaboration between market participants, along with the development and introduction of both standards and practices,” says Cooper. “In many domains they are also facilitating intervention and insight from state authorities and similar experts to ensure higher grade knowledge and practice.”
Moty Yacov, Chief Information Security Officer (CISO) at Traiana, believes, though, that regulators need to adjust their requirements to cloud trends, which change security and system architecture to handle micro-segmentation, software-defined perimeters and application program interfaces (APIs). “The old servers are dead, virtual servers are dying, long live services and microservices,” she adds.
Despite the numerous edicts, there is also a certain level of acceptance that every organisation will ultimately fall victim to some form of cyber event. “There is not a 100% guaranteed solution that works in every single case except, as the old saying goes, turning the machine off and burying it underground,” says Scharf. “This is why there is such a strong emphasis on the importance of being prepared for an attack.”
Ryan Rubin, Managing Director in Protiviti’s EMEA Security & Privacy IT Technology Consulting practice, agrees, adding that the objective is “to be able to respond rather than prevent. It is a cat and mouse game and you need to be one step ahead. This is because it is easier to break something than defend it. We are also seeing cybersecurity become much more a management priority. Historically it was the responsibility of technical or IT departments but now it is much more on the board’s agenda. It is not specific to derivatives but the sheer volumes and global nature of the industry make it much more important.”
What Can Firms Do to Protect Themselves?
Rubin recommends that organisations, regardless of sector, take a step back and think about the disruption broadly in terms of the impact on data, systems and personnel. “It is also important to have an alternative means of communication if the internet is not working,” he says. “People tend to dismiss older technology but the phone or fax would be useful in an emergency.”
In terms of prevention, steps range from bolstering firewalls and passwords to more rigorous training for staff and conducting fire drills, not only to identify any cracks in the system but also to minimise the damage once an attack occurs. Other solutions include working with outsourced solution providers specialising in cyber security, accessed via a single managed network, or moving towards a cloud environment.
“Wrapping multiple cloud environments (private, public and hybrid) into one single secure infrastructure, accessed via a single managed network, helps take control of applications’ performance and simultaneously manage individual cloud systems,” says Luke Beeson, vice president, security UK and global banking & financial markets, BT. “Most importantly, it reduces the number of points of vulnerability that cyber criminals seek to expose.”
Overall, Beeson believes that “companies need to understand the way that cyber criminals work. This means using ethical hackers to imitate cyber criminals, and in doing so test systems, report and fix possible vulnerabilities. Also, employee awareness needs to be raised to help spot and stop new avenues for cyber criminals to exploit.”
Yacov also advises firms to look at solutions via a process rather than using specific tools. “The main business domains include disruptions from FinTech niche players, threat intelligence, protecting data and applications, SSDLC (systems development life cycle), identity and access management, mobile security, Cloud migration, network, web and anti-fraud,” she adds.
Collaboration Between Firms on the Rise
Given the enormity of the task, it is no wonder that collaboration is increasingly being seen as a key defence, according to Scharf. “It is one of the biggest changes we are seeing. In the past, there would be individual efforts but today, there are industry solutions and people are working much more closely at all levels to share intelligence and improve security.”
DTCC is actively involved in numerous groups including the Financial Services Analysis and Resiliency Centre (FSARC), a not-for-profit organisation formed last year dedicated to identifying, analysing, assessing and coordinating activities to mitigate the threats and risks of cyber-attacks. The group falls under the auspices of The Financial Services Information Sharing and Analysis Centre (FS-ISAC), which is open to entities that have been classified as critical infrastructure in the Financial Services Sector by the US government.
The clearinghouse is also a member of Sheltered Harbour, an initiative also under the FS-ISAC umbrella, developed to enhance resiliency and provide enhanced protections for financial institutions’ customer accounts and data, as well as to prevent contagion that could be associated with a cyber-attack on a retail banking institution. Scharf notes that it enables financial institutions to securely store and quickly re-constitute account information, making it available to customers, whether through a service provider or another financial institution, if an organisation is unable to recover from a cyber incident in a timely fashion.