Managing Director, Technology Risk Management, DTCC
"...hacktivists, espionage, or war-like actors may decide that targeting an automated trading venue or trader might be the way to further their objective."
Disruptive attacks on financial market infrastructures are on the up as hacktivists target large organisations such as stock exchanges and banks, or activities such as firms' credit card processing abilities.
So far such disruptions have not had dramatic effect, said Mark Clancy, DTCC's managing director of technology risk management, partially because the vast majority of the global trading interconnections between traders, exchanges and clearing houses happen on private networks rather than the internet itself.
"In many cases there are (back-ups) that don't have internet dependency," Clancy said. "Projecting forward, you see a lot of economic pressures for people to use the internet as a transport mechanism."
This would open up the financial system to greater levels of risk. In 2012, "Shamoon" targeted Saudi Aramco, shutting down thousands of the oil firm's work stations. A group named "Cutting Sword of Justice" claimed responsibility. In 2013, South Korea was hit by "Operation Troy", which wiped the hard drive of thousands of computers in the banking and media industries.
"Those are the types of attacks that can affect market infrastructures, exchanges, trading venues and traders and could have significant impact on the operational risks of those institutions today," Clancy said.
Cyber security risk market place
The Index of Cyber Security provides an ongoing, methodologically transparent measure of the state of cybersecurity. It will directly assess the level of risk as perceived by practising security professionals, communicate their combined opinion to the larger community and provide a baseline status against which individual practitioners can compare their own views. The challenge being tackled is, first, how the index can be calculated in a credible way and, second, the specification of securities that could be based on such an index and the design of the markets where these could be traded.
Going forward, the index will deliver consistent time series data useful to researchers, industry professionals, the media, security product vendors, and financial markets. The specification for securities that could be based on such an index and the design of the markets where these could be traded could become a future project.
Insider threats are numerically far less prominent than external attacks but can be far more harmful, according to the Index of Cyber Security's July report. Meanwhile, media attention to cybersecurity failures has never been more dangerous to the organisations that suffer them. For those and other reasons, it is unlikely that any organisation is not under some sort of pressure or directive to change how it deters and/or contains insider threats.
Applying security updates to hosts in a timely way, restricting local administrative privileges on user machines, keeping malware definition files up-to-date, blocking ports that are not required, segmenting the network to keep sensitive data away from the DMZ (demilitarised zone) and user networks, blocking web surfing from servers or non-user devices, keeping users educated, hardening and monitoring domain controllers, and using inexpensive or open-source vulnerability scans can foil all but the most determined attackers. If application whitelisting is practical, that makes the task of the attackers even more difficult. In short, practitioners should take the message of keeping good hygiene to management, and stress that defense is far from a lost cause as many pundits would have people believe.
Source: Index of Cyber Security
The motivations in play can be difficult to disentangle, but do tend to fall into four distinct groups - criminal, hacktivist, espionage and war-like. The financial system has been mostly concerned with protecting against the criminal activity such as theft, but protecting against other hazards is only just beginning.
"Hedge funds doing automated trading…have to be recognising that hacktivists, espionage, or war-like actors may decide that targeting an automated trading venue or trader might be the way to further their objective even if their motivation isn't to steal and that is something that the US financial infrastructure became very aware of in the last few years," he said.
Initiatives are being pushed at the highest levels. SIFMA, which represents hundreds of securities firms, banks and asset managers, and the Bank of England are running a variety of drills aimed at crisis preparedness.
James Lam, founder and president of consulting firm James Lam & Associates, as well as a member of E*TRADE's risk committee and the former chief risk officer at Fidelity, said that whether it is a pandemic, or natural flood, or even a major malfunction in a software conversion such as Knight Capital, firms need to be prepared for things to go wrong. At the moment, there is an optimistic view of expected outcomes and far more focus on prevention than on taking action in the face of a crisis.
In the case of high speed automated trading, that reality is further complicated by the fact that things can go wrong so rapidly, he added.
Index of Cyber Security Value, August 2014 = 2265 (Base = 1000, March 2011)
The Index of Cyber Security is a measure of perceived risk. A higher index value indicates a perception of increasing risk, while a lower index value indicates the opposite.
"It is not enough to understand it from a risk identification and assessment perspective, it is really important to quantify the risk profile," said Lam. "Being able to have early warning systems and take action, otherwise once you find out after the fact or on a delayed basis it might be too late."
That means understanding the total cost of risk, which includes expected loss, unexpected loss, and risk transfer and management. Meanwhile, many firms are allocating a huge portion of resources to prevention when they should be making more calculated decisions for detection and risk mitigation.
As with any budgeting process it's about running scenarios, said Lam. If trading processes and activities are disrupted - data is corrupted, or there is a systems failure - firms need to ask: what is the cost of risk if damage is mitigated in a shorter space of time? If the firm reacts earlier? And how should limited human, financial and technology capital be allocated optimally?
"The cost benefit of any company is going to vary, but budget allocations should definitely not be 90% prevention and 10% detection and risk mitigation," he said.
Founder and President, James Lam & Associates
"Firms are allocating a huge portion of resources to prevention when they should be making more calculated decisions for detection and risk mitigation."
There are however, risks unique to cyber threats as opposed to other disruptive events such as natural disasters, pandemics or infrastructure failures like power outages.
"The challenge of cyber attacks is you spend more time figuring out what happened, to get to a point to respond to it. The discovery of what the facts are of the event are quite difficult to unearth," Clancy said. "It is a lengthy process and it can complicate your ability to respond to a crisis."
Meanwhile, as market preparations intensify so too do expectations of a large scale disruption. As a case in point, during the 2010 Flash Crash in the US, Clancy said his phone was ringing off the hook from government agencies wondering if the event was actually a cyber attack.
The greater the anticipation, the more the need for sophisticated table-top exercises. In the UK, investment banks, financial market infrastructure, financial authorities and relevant government agencies participated in "Waking Shark", which tests the wholesale banking sector's response to a sustained and intensive cyber attack.
SIFMA's exercises are starting to make use of simulation tools to get a more accurate representation of what happens in markets as different participants make decisions. An unanticipated result was that all of the exchanges involved stopped accepting trades, effectively shutting down the entire national market system because of the individual decisions of a dozen firms.
Speaking at the SWIFT Business Forum in London, Chris Perretta, EVP and chief information officer at State Street said that threat levels are much greater and need an informed risk approach in understanding exactly what type of threats are likely, which is dependent on the kind of institution facing them.
For a non-retail bank like State Street, that means building secure applications rather than buying tools that protect, he explained. There is also a governance aspect in identifying technology and operational risk.
"We come from an audit and control structure and it takes much more networking with industry to understand what those threats are, to share information much more rapidly than we have in the past," he said.
Information sharing, however, is a tall order among competing firms. The industry is tackling this by trying to create better methods for detailed reporting of cyber incidents for useful sharing of data.
Also on SWIFT's panel, chief information security officer Vas Rajan from CLS Bank, said that the biggest lesson from his personal experiences is the importance of a safe environment to share information about what is happening freely, knowing that any damaging repercussions are limited.
Recently, the UK finance industry launched a cyber security framework, CBEST, developed by the Council of Registered Ethical Security Testers, cyber intelligence company Digital Shadows, and in collaboration with the Bank of England, the UK Treasury, and markets regulator FCA. The aim is to improve the ways in which the financial industry shares detailed threat intelligence, tests cyber security and benchmarks financial service providers.
In the US, the Treasury department chairs the Financial and Banking Information Infrastructure Committee, which helps to coordinate on critical infrastructure matters, and works with Homeland Security, law enforcement agencies and the intelligence community. Other ongoing efforts include the Cyber Intelligence Group, which coordinates closely with the Financial Services Information Sharing and Analysis Center (FS-ISAC).
FS-ISAC was created in 1999 for public-private cooperation in addressing cyber threats to critical infrastructures, and expanded its role to include physical threats to the financial sector after the terrorist attacks of September 11.
It includes both buy and sell-side firms, though membership is denied to institutions headquartered in countries that practice economic espionage as a matter of state policy - such as Russia and China, explained DTCC's Clancy, who has been an active member of FS-ISAC's threat intelligence committee for over a decade now. The number of people joining, he added, is increasing exponentially.
Founder, Hess Legal Counsel
"Unless there is absolute certainty that there is no single point of connection to your servers other than the firm's, it will not have 100% security."
Still, the level of hacker sophistication can be overestimated as well. When news broke of BAE Systems thwarting an attack on an unidentified large systematic hedge fund, it seemed like a major wake up call for the industry.
The cyber event was described by CNBC as a very high level hack through the hedge fund's order management system, which crippled its high-speed trading strategy by sending trade information to unknown off-site computers.
The announcement became a bit of a fiasco when it turned out it was a simulation exercise that ended up being reported as fact, and BAE Systems had to issue an embarrassing correction.
Tradeworx's CTO Michael Beller was little surprised that the event was hypothetical rather than real. Interfering with the code of running programmes represents a much higher level of penetration than using up the resources of a computer system, he explained. Still, he noted that security needs to be thought of in a broad-based way rather than as an afterthought.
"Security is a hard problem, not just because of technical considerations but because of business considerations," he said. "Businesses want to make money and have the maximum flexibility to make it. Sometimes, they don't properly assess the downside risks of certain things happening."
Clancy said that when the BAE Systems news broke, the cyber intelligence community was somewhat cynical. "There was a complexity element to it which made it hard to believe. (Criminals) don't try to get in front of trading, they try to take over the accounts where hedge funds and others wire their money."
What doesn't surprise him is that a defence contractor is providing such services to financial clients, given that the sophistication of cyber threats faced by both the defence and financial sectors is about the same and comparable to those launched against governments.
Admittedly, one of the reasons the story captured imaginations is because it had a sexy movie factor, he added, but that doesn't mean the matter is trivial.
"The plus side for the hedge fund industry is that they are doing these war game exercises and essentially stress testing in cyber space to understand what some of their potential exposures are," he said.
It's just a matter of time before any firm experiences a breach, and one source of major vulnerabilities to be aware of exists with vendor relationships - particularly in an environment where a sizeable portion of advisers, brokers and funds deploy third-party order management systems, said Eric Hess, founder of Hess Legal Counsel.
"There can be enormous pressure to bring in vendors if it will give a competitive edge, and delaying it for another layer of security can be a big issue for many firms," he said.
As a result, vendor contracts don't always get the scrutiny they deserve. In situations where vendors have access to personally identifiable information, the due diligence involved can be quite onerous.
"If PII is involved, then you'd better have an information security program (ISP) because if there is a breach you are going to be in a difficult position justifying your measures after the fact to FINRA, the SEC, state regulators or otherwise," he said. "The ideal situation is for the vendor to incorporate critical elements of their ISPs into the contract, or at least the general framework of the ISP."
Moreover, Hess pointed out that it is unlikely that a vendor will be as well capitalised as any given brokerage and that should factor into any assessment of how well a firm is protected.
"A vendor may have the greatest tool, or be cutting edge, but their capitalisation may not be such that they can indemnify you for a cyber security breach," he said.
He is also hearing more and more concerns about cloud technology, a virtual environment that tends to be used by larger organisations. Within a provider's server farm there is always the risk that an advanced persistent threat (APT) establishes a control server.
"Unless there is absolute certainty that there is no single point of connection to your servers other than the firm's, it will not have 100% security. In that case, the firm is probably relying on a larger vendor to have more cyber security controls than they do," he said. "But a larger vendor is also more of a target."
It is not about fearing cloud technology though, it's about understanding who has access and what the controls are. One of the cloud service providers making waves since it was endorsed by NSA whistleblower Edward Snowden is SpiderOak. One of the company's safeguards is that nobody has access to a user's password.
"That is the ultimate security, but god forbid you forget your password," Hess said. "It is a great convenience to be able to call your cloud provider and have them give it to you but that convenience comes at a cost…who else has access to the database? How locked down is it?"
In the case of a breach, firms have legal obligations to attend to, and how they manage the situation will factor into any litigation.
"If they haven't implemented the right processes both internally and in particular with vendors at handling PII, they certainly have a regulatory risk there," he said.
In 2010, Hess was legal counsel for Direct Edge in the wake of a major hacking event that infiltrated Nasdaq's systems, ultimately exposing the confidential communications of public company directors. That meant the SEC demanded a major overhaul of information security programmes across the board, which he spearheaded.
He now sees the rest of the industry having to catch up to implement that level of control. "There is a real hesitancy to really take the necessary step back and approach technology risk management as a discipline in and of itself," he said. "But you have to be burying your head pretty deep not to see that poor information security controls can lead (to) serious organisational harm."
Mark Graff, chief information security officer for Nasdaq OMX, and co-founder and chair of World Federation of Exchanges cyber working group.
AT: There seems to be momentum building, any specific goals you'd like to share?
Mark G: It's a simple rule really. We're all sharing the same goal of trying to have effective communication day in and day out in terms of threats, incidents and best practices. We want the exchange industry to make this a routine habit. Then we can start working on more advanced topics, but first it's getting collaboration down pat.
AT: Information sharing within different structures in a jurisdiction and between jurisdictions has been identified as an area needing major attention - do you agree?
Mark G: Absolutely. The reason is because the threats and the threat actors do not recognise jurisdictional boundaries, and therefore threats go beyond borders to essentially everyone regardless of where your exchange is based.
AT: What is working well, what should be the priority to overcome challenges?
Mark G: There is now a widespread recognition in the exchange industry of the importance of cyber security and the importance of the resiliency of the markets. The basics of good practice are fairly well agreed upon. Exchanges have got a good reservoir of sound technology and practices to base their programs on. We also want to continue to make sure the smallest exchanges are well-protected. The security at the smaller exchanges also affects the largest. The threats are increasing in sophistication, so we need tools and approaches that also improve in their complexity to address this.