The threat of cyber attacks grows ever greater, as hackers become more and more sophisticated and an increasing level of data is handled electronically. So what are financial institutions, exchanges and governments doing to combat this threat?

A single cyber security breach can cost a large firm hundreds of thousands of dollars, but a concerted cyber-attack could potentially paralyse financial markets. The nature of the secondary markets as electronic networks makes them more susceptible to an attack than many other industries, and the use of virtualised records for all assets makes the likely effects of an attack even more devastating.

Courtney McGuinn, operations director at financial messaging body the FIX Trading Community, says: “Any computer-to-computer communication comes with security risks. These risks are increased when communicating with external parties and networks. However, external electronic communication is a fundamental requirement in the financial markets. All participants must employ appropriate security measures and diligently manage security risk.”

“One of the problems with electronic trading is that it is very time dependent,” says Ashley Jellyman, head of information assurance for UK telecommunication group BT. “When you press 'Sell now' and nothing happens you have got a problem. That effect can be achieved through a distributed denial of service [DDoS] attack, without requiring any compromise of your security systems.”

Hunt for information

DDoS attacks are something of a blunt instrument, but were used by 'hacktivist' group Anonymous to shut down the websites of both the Filipino and Swedish central banks in September 2012 and October 2012, respectively. More sophisticated attacks could be used to steal from, or disrupt, financial markets in a more targeted manner.

“'Cyber' is a great marketing term but we are really talking about information and what a criminal can do if they have it,” says Ernest Hilbert, managing director for Kroll Advisory Solutions. “Very few people think like bad guys. Just as an investment manager gets exposure to different assets to model a cash flow, these attackers are looking at how they can access different pieces of information to create a cash flow. A portfolio of theft.”

US derivatives giant the Chicago Mercantile Exchange (CME) became a victim in July 2013 despite its use of what it calls “sophisticated systems, teams and processes to prevent such incidents, and [prompt] actions to address the incident”. On November 15, 2013, it admitted that “certain customer information relating to the CME ClearPort platform was compromised. To protect participants, CME Group forced a change to customer credentials impacted by the incident, and is corresponding directly with the impacted customers.” Further detail is not forthcoming as the incident is the subject of an ongoing federal criminal investigation.

Increasing intensity

The CME is not alone; a 2013 survey by the World Federation of Exchanges found that 53% of securities exchanges had been victims of an attack over the past year, while data from management consultancy Ernst & Young shows that 61% of asset managers described cybercrime as a critical focus in 2013, up from 21% in 2012.

Network provider Verizon’s ‘Data Breach Investigations Report – 2013’ found that 37% of all breaches were in financial services firms. Although the CME breach appears to have avoided having any major effect on its live trading environment, disruption of businesses that rely upon day-to-day activity can be severe.

David Patt, corporate governance analyst at buy-side firm Legal and General Investment Management, looks at the threats that businesses face and has seen the harm that attacks cause. “We know of a Dubai-based business that went bankrupt because its operations were stalled for just one day when its computers were taken over,” he says. “If that happened to an investment bank, who knows what that would mean for the market.”

Digging trenches

The threat is being taken seriously at the highest levels. In June 2013, speaking to the Financial Policy Committee (FPC) for the UK Treasury, Andy Haldane of the Bank of England said: “You could see why the financial sector would be a particularly good target for someone wanting to wreak havoc through a cyber route so I very much hope the FPC and wider government… [will] take a close look and a deep dive into the state of preparedness of the financial sector for such threats.”

He added that in a meeting with the chief risk officers of the big five UK banks in January 2013, four out of five had cyber security at the top of their lists, the fifth having omitted it entirely, until he saw the importance that his peers placed upon it.

The International Organisation of Securities Commissions (Iosco), which collectively represents 120 securities regulators and 80 other securities markets participants, has been undertaking work to assess the current state of play and to deliver some protection in the future. In the agenda for its board meeting in February 2014, Iosco will look to develop global best practice guidance to build cyber-resilience into market participants and infrastructure; it will also draft guidance for a firm-level and system-wide emergency response encompassing large-scale, potentially systemic cyber-attacks.

In the future, Iosco plans to encourage cross-jurisdictional and cross-sectoral information sharing and co-operation and the embedding of consideration of cyber-risks in other policy work, given the increasing reliance on technological infrastructure of the securities markets.

Government action

Governments are also stepping up their measures. The UK government’s National Cyber Security Programme was given a budget of £650m ($1.06bn) covering 2010 to 2014 in order to build a defence against cyber-attacks, which are classed as a ‘tier-one’ threat to the country’s security under its National Security Strategy outlined in 2010, on a par with global terrorism.

These defences include the establishment of a UK National Computer Emergency Response Team in early 2014 to improve national coordination of cyber incidents; a new cyber incident response scheme in government headquarters to help firms recover from a cyber security attack; and establishing a national cyber crime police unit and widening the role of the Centre for the Protection of National Infrastructure to work with organisations that may have a role in protecting the UK’s critical systems and intellectual property.

In the US, efforts to enhance information sharing between firms, including banks, have run into problems. The Cyber Intelligence Sharing and Protection Act was passed by the House of Representatives in April 2013 but held up by the US’s second legislative body, the Senate, in May 2013. Concerns about unrestricted access to irrelevant information were cited as the cause.

Nevertheless, lobby groups in the US, namely the Securities Industry and Financial Markets Association (SIFMA), the Financial Services Roundtable and the American Bankers Association, have written an open letter to the Senate saying: “The need for specific and coordinated action to protect our sector and the larger business community has been recognised at the highest level in our member firms. It is critical that Congress pass threat information sharing legislation to combat today’s and stay ahead of tomorrow’s threat.”

Weak spots

That there are no 100% guaranteed defences against cyber attacks is accepted by everyone from politicians to IT technicians; the battle is to reinforce weak areas of defence before they are attacked and minimise the damage caused. Possible motivation behind attacks was characterised by a former White House defence analyst as 'criminal, hacktivist, espionage or warfare'.

As if that was not a wide enough set of enemies to come to terms with, a firm may also be attacked for no specific reason, purely by chance. “A much lower risk group are the 'script kiddie' types who have picked something up and want to play with it and by accident achieve something,” says Mr Jellyman at BT. “They are out there and there are all sorts of kits that they can buy.”

Attacks can also come via almost any channel. Social engineering to get passwords, viruses that capture data and physical devices being connected to computers in offices are all methods that have been used. The networks that link financial services may also be vulnerable, particularly where they are unencrypted, warns Ms McGuinn at the FIX Trading Community.

“Internet traffic should always be segregated from internal networks, including those networks that are used to transmit FIX [Financial Information Exchange] messages using firewall technology, with the exception of deliberate and carefully planned instances where internet FIX traffic is allowed,” she says. “Encryption is essential on open networks such as the internet, however, it is often not used on private networks, such as dedicated leased lines. It is also often not used on extranets that have been secured, such as virtual private networks or point-to-point extranet providers serving the financial community.”

Anthony Kirby, executive director for regulatory reform and risk management at Ernst & Young, adds that there are weaknesses coupled with a lack of global industry-wide standards. “Vigilance around middle-office to back-office fraud, for example, is somewhat less than vigilance against modelling electronic impersonation or the consequences of an online DDoS attack at the front-end,” he says.

Passing the word around

It is the range of attackers and attacks that makes the need to share information so important. This is often seen in the scenario testing that Wall Street and the City of London run each year, to test firms’ abilities to cope with a major cyber event. In the Quantum Dawn exercise held on July 18, 2013, in the US, participants in the equity markets were ‘attacked’, causing the market itself to be disrupted so that it could not operate in an orderly fashion.

“Worst-case scenario is that market-critical infrastructures are attacked in such a way that market participants cannot perform their transactions with high confidence, pricing could be affected or timing could be affected,” says Karl Schimmeck, the vice-president of financial services operations at Sifma. “The best-case scenario is that the attacks are caught early enough or we are able to work together as an industry along with the government and law enforcement, to keep markets running and maintain system integrity even when parts are attacked.”

After the event, a report published by Sifma and consultancy Deloitte and Touche made three high-level recommendations:

  • The industry should review and update its sector-wide response playbook to promote greater integration between industry groups, market participants, and government agencies. 
  • Systemic risk assessment and decision process – the industry should augment existing guidelines and decision frameworks to determine if cyber incidents are systemic in nature and could impact the broader financial system. 
  • Communication and information sharing – the industry needs to institutionalise the procedures for determining if markets will open or close in response to a systemic cyber attack.

The London-based Waking Shark II event, held in mid-November, modelled a Bank of England DDoS attack and a worst-case scenario in which the exchange of information between banks becomes increasingly unreliable. It involved bringing teams of players into a room together and walking them through a day's scenario, then looking at when they began talking to each other and when they began talking to the regulator. The results of the exercise will be announced early this year.

The UK has a system for sharing information already, called the Cyber Security Information Sharing Partnership, which facilitates the sharing of information on cyber threats; for example if two oil firms were under attack, the system would allow other petrochemical companies to examine the characteristics of the attack and see if they too were under assault.

This deals with the greatest threat, says Mr Kirby: “The worst thing about cyber-crime is the unknown unknowns. How do you know you have been attacked?”
