Cybersecurity is in the spotlight this year for the derivatives industry after recent cyber events that impacted the market participants. Lynn Strongin Dodds assesses the status quo of cybersecurity in the derivatives industry including emerging regulation (DORA, SEC, CFTC) and the potential implications for third-party providers and vendors.
Cyber security is not a new issue, but the ION Trading UK cyber event earlier this year was a harsh reminder of the damage that can be done. The big question now is whether the regulatory spotlight will be turned on third-party providers and vendors.
In late January, the cleared derivatives subsidiary of ION Markets, ION Cleared Derivatives, was hacked, sending shock waves across the global futures market – a market that as of 2022 involved 29.32 billion futures contracts traded globally.
The latest figures from the International Swaps and Derivatives Association (ISDA) showed that in the first quarter, the combined US, European Union and UK traded notional of interest rate derivatives was $194.0 trillion. The US accounted for more than half at 54.7%, followed by the EU and UK at 12.6% and 32.7%, respectively.
Traders have increasingly relied on automated software produced by companies such as ION Trading UK to process trades.
The ION cyber event earlier this year created a number of operational challenges for those clients affected – many firms had to process derivatives manually, for instance, and regulatory reporting was also impacted.
Sharper focus on cyber security in derivatives now
Given the depth and breadth of the market, it is no surprise that Acuiti’s latest Clearing Insight Management report showed that fixing the ION outage was not easy. The study, which polled over 100 clearing executives, found that the majority of those affected took two weeks or more for their systems to return to normal.
Although cyber security is always on the radar, the ION event only sharpened the focus. As Virginie O’Shea, founder and chief executive of Firebrand Research, points out, “ION was a wake-up call to regulators and the industry that systemic operational risk isn’t limited to large market infrastructures and mega vendors. There are many technology dependencies in the market where a small range of providers are present servicing particular areas of the lifecycle or certain asset classes.”
This reliance perhaps explains why 80% of Acuiti’s respondents would like to see vendors subject to greater legislation. The report highlighted clearing executives’ concerns about being on the regulatory frontline: survey respondents argue that if their burden for any cyber faults increases, their cost base would increase significantly, because they would need to allocate an even larger proportion of their budgets to compliance, either by employing more consultants or by strengthening their staff and operations to increase vendor oversight.
Typically, as O’Shea notes, market infrastructures are a much easier group to directly regulate, and they continue to be a big focus of Digital Operational Resilience Act (DORA) and its various finreg relatives across the various jurisdictions. She says technology vendors, on the other hand, are much harder to address from an oversight perspective.
Game changing DORA
The European Union’s DORA, which is expected to come into force in early January 2025, is designed to strengthen the security of the bloc’s financial firms, such as banks, insurance companies and investment firms by imposing resilience requirements and regulating the supply chain. This includes any enterprise such as cloud platforms, data analytics and audit services inside or outside the EU offering information and communications technology (ICT) services.
“Part of the intent of DORA is to map out the interdependencies on providers across the market to understand these risks at the industry level,” says O’Shea. “The initial focus of DORA seemed to be the large cloud providers who pose concentration risk across all segments of the market. However, the ION incident and its ongoing repercussions have focused many regulatory minds on your common or garden variety vendors.”
O’Shea believes that DORA will compel vendors to further strengthen their cybersecurity governance and oversight to meet reporting requirements. “In the longer term, it is likely to push them into a more multi-cloud set-up to reduce systemic dependencies,” she adds.
As with all regulation, though, there are problems. “One area of uncertainty for enterprises is that DORA does not directly specify what remedial measures will be enforced for breaches of the requirements of the regulation, rather it states that member states should ensure they implement appropriate sanctions and remedies,” says Tom Egglestone, global head of claims at cyber insurer Resilience. “Therefore, while it is an EU-wide regulation, enterprises operating across multiple jurisdictions could face uncertainty and significant differences in the level of sanction they could be subjected to in the event of a breach of DORA.”
He adds that more broadly, there is an implementation period of two years, which means that firms will need to work quickly to assess the impact of DORA on their operations, given the complexity and scale of some ICT systems.
O’Shea also notes: “It is a relatively onerous regulation that impacts everyone in the capital markets – it imposes new regular reporting requirements and asks firms to detail all of the relationships they have with vendors and the dependencies their vendors have on other technology and service providers. This will be particularly challenging for outsourced firms that have a large number of dependencies and will require them to put pressure on service providers to give them the information they need.”
The US response
US regulators would also like to see vendors be more accountable for cyber risks. Speaking at the annual Futures Industry Association (FIA) Boca conference in March, Commodity Futures Trading Commission (CFTC) chairman Rostin Behnam spoke about the importance of strong cybersecurity regulations that ensure risk management practices adequately account for the growing cybersecurity risk.
This mirrors a separate keynote address he gave in February at the Business Law Section Derivatives & Futures Law Committee Winter Meeting. “The industry’s necessary and increasing reliance on third-party service providers creates a major source of risk…,” he said. “The growth of cybersecurity threats to financial institutions is well-documented and widely recognized as an important and increasingly urgent problem.”
The CFTC will begin work on regulations that could require futures and swaps dealers to exercise more due diligence and oversight of the third-party service providers they work with. The rule would be designed “to preserve the integrity, availability, and confidentiality of critical systems and information,” he added.
The U.S. Securities and Exchange Commission (SEC) also crafted its own set of recommendations enshrined in the Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022. It would, among other things, require cybersecurity incident reporting, and periodic reporting by public companies of their cybersecurity risk management, strategy and governance.
In the meantime, derivatives traders as well as other financial service firms need to remain vigilant about their counterparties and bolster their defences. Enterprises should be looking not just at their own borders, but also at the companies they contract with, according to Egglestone. “We strongly encourage that enterprises should consider the potential impact of an incident within their own environment as well as elsewhere in their supply chain when conducting incident response, business continuity and crisis communication planning,” he adds.
On the technology side, O’Shea believes there are a number of things firms can do to better address these threats, such as investing further in vulnerability scanning. “These attacks are constantly evolving, so firms need to proactively review any new threats within their IT stacks,” she adds. “Multi-factor authentication for access to systems is table stakes, but firms may need to think more about network segmentation and air gapping, rather than having everything on one single system that is more vulnerable to attack.”
She also notes that climate risk and cyber-risk have combined to push firms to think about having very different locations for their business continuity planning centres – rather than two in nearby cities.
“Another key assist to better dealing with attacks is to realise that some will be successful and therefore developing a proper incident response playbook – so when you get taken down by an attack, you know exactly who is responsible for what in the organisation,” she says. “That also should not just be limited to CISOs – every individual in the firm should know how to communicate and address things like client questions or support etc.”