- Report draws on lessons learned from recent cyber incident
- Next steps include formation of industry resilience committee
FIA today released a report that contains lessons learned from a recent cyber incident and sets out six recommendations for improving the derivatives industry’s ability to withstand future attacks.
The recommendations are:
- Create an “Industry Resilience Committee” to encourage the development of secure communication channels with respect to all forms of operational resilience, including but not limited to cyber resilience.
- Integrate the exchange-traded and cleared derivatives industry with sector-wide groups that specialize in cybersecurity and operational resilience across the financial services sector.
- Review and affirm policies and procedures for reconnection to impacted parties during and after a cyber incident.
- Establish procedures for sharing critical data and other information with counterparties and clients in a timely manner during a cyber incident.
- Identify ways to make the assessment of risks to operational resilience more efficient, for example by standardizing the questionnaires used in the assessment process.
- Participate in exercises that test preparedness for cyberattacks.
“In this industry, many market participants rely on third party service providers for certain essential functions,” said Walt Lukken, President and Chief Executive Officer, FIA. “When one of these service providers is disrupted by a cyberattack, the effects can ripple throughout the industry. Today’s report is intended to shore up our readiness for a future cyber-attack and strengthen the ability of firms to recover from such an incident.”
The report was drafted with input from a taskforce formed by FIA in March 2023 consisting of subject matter experts and business leaders of the exchange-traded and cleared derivatives industry, including members from exchanges, clearinghouses, clearing firms, vendors, and end users.
The decision to form a taskforce was taken in response to a significant disruption in the processing of trades executed on multiple exchanges around the world, which was triggered by a ransomware attack on a single third-party service provider.
In drafting this report, FIA recognized that there are already many existing public and private groups aimed at addressing cyber risks through regulatory requirements, best practices, and preparedness exercises. Additionally, many market participants already have well-developed policies for cybersecurity, third-party risk management, and resiliency.
This report therefore focuses primarily on the operational resilience and recovery issues raised by this ransomware attack. In particular, the report focuses on steps that firms in the exchange-traded and cleared derivatives industry can take to increase coordination and information sharing in all aspects of operational resilience.
“FIA thanks the members of the Taskforce for their engagement on this important initiative and their willingness to come together to share information,” stated Don Byron, Head of Global Industry Operations & Execution, FIA. “We received terrific feedback from all areas of the industry that helped us to develop some highly targeted and relevant recommendations. We believe this report will provide a framework for collaboration that will strengthen the industry’s ability to respond to future attacks.”
For more information, please contact pr@fia.org.