IDX 2014: Exchanges warn financial institutions on cyber-threats
Market participants need to be better communicate with each other about how to mitigate the risks of cyber-attacks.
“A lot of market participants do not talk about cyber-threats because of confidentiality reasons but this needs to change,” said Jeffrey Sprecher, chairman and chief executive officer (CEO) at Intercontinental Exchange (ICE), speaking at the International Derivatives Expo (IDX) 2014 in London.
Financial institutions must ensure they are prepared for such threats. “If you are a firm formulating a cyber-security policy, you should work on the assumption that you have already got a cyber-breach. Cyber-attackers have so many entry points into our businesses and there are so many places we have to protect. We have governments pushing us on this issue,” said Sprecher.
These comments come as industry practitioners and regulators are increasingly having to confront cyber-threats. A report –“Cyber-crime, Securities Markets and Systemic Risk” – produced jointly in 2013 by CPSS-IOSCO and the World Federation of Exchanges (WFE) found 53 per-cent or 46 exchanges surveyed had been subject to a cyber-attack over the preceding 12 months. Eighty-nine per-cent of those exchanges said cyber-threats presented a potential systemic risk to capital markets.
A paper – “Beyond the Horizon: A White Paper to the Industry on Systemic risk” – published in August 2013 by the Depository Trust & Clearing Corporation (DTCC) identified cyber-crime as the biggest threat to market stability, even putting it ahead of counterparty risk and concentration risk at central counterparty clearing houses (CCPs).
A survey of broker-dealers, banks, mutual funds, insurers and hedge funds conducted in March 2014, again by the DTCC, revealed that cyber-crime was still their top concern. Twenty-four per-cent of respondents said it was the biggest risk to capital markets , while 23% acknowledged it was a threat to their firms.
Several financial institutions including The CME Group, the New York Stock Exchange, CitiGroup and J.P. Morgan Chase have all been targeted by sophisticated cyber-criminals. In the case of CME Group, its ClearPort clearing system was breached and some customer information was compromised although no transactions on its electronic trading system or clearing house were adversely affected.
Regulators are taking note. It was reported that the Bank of England had unveiled a new cyber-security strategy for financial institutions in the UK at the British Bankers’ Association (BBA). The initiative known as CBEST will stress test security systems at financial institutions using real threat intelligence, or information gleaned from monitoring the internet which indicate potential threats to certain firms.
Robert Greifield, CEO at NASDAQ OMX, said his firm had been in regular contact with the Federal Bureau of Investigation (FBI) about its cyber security policies.
Fund managers are not immune to the risk of cyber-crime either. Fuelled by the spate of high-profile hackings and data breaches, the Securities and Exchange Commission (SEC) in the United States announced in February 2014 that it would conduct a review on the policies and safeguards asset managers have in place to mitigate the risks of cyber-attacks as part of its investment adviser examination program.
The review will scrutinise whether managers are adequately protecting themselves against potential security breaches by IT vendors that have access to their data and systems. The SEC also confirmed it would be looking at firms’ policies on IT training, vendor access and due diligence, while the agency also said it was considering a requirement that would force asset managers to report significant cyber events to regulators.
Cyber-attacks have been getting more sophisticated of late. The DTCC’s 2013 white paper identified denial of service, unwanted disclose of non-public material information and corruption of books and records as being the biggest cyber-threats to financial institutions.
