Bill Hodash, DTCC Managing Director, Enterprise Data Management.
Cyberattacks on the financial services industry are nothing new. In fact, according to one report, financial services firms are attacked 300 times more frequently than businesses in other industries.
To put that into numbers: The typical American business is attacked 4 million times per year; the typical American financial services firm is attacked 1 billion times per year. And all those attacks add up to a big cost for firms: cyberattacks on companies in the financial services industry cost an average of $18 million per firm per year.
The level of sophistication and the impact of cyberattacks are rising, and the risk is that the securities market may be one of the next sectors targeted for actual cyber theft. Its high concentration of high-value assets, its complexity with many entry points, and its reliance on centralized critical functions make the custody and securities value chain particularly susceptible to disruption / ransom, asset theft, information theft and/or market manipulation.
Cyber risk and the securities market was the topic of a panel discussion at Sibos 2018 in Sydney. During the panel, moderated by Bill Hodash, DTCC Managing Director, Enterprise Data Management, experts discussed the major findings from the recent International Securities Services Association (ISSA) Cyber Working Group white paper, Cyber Security Risk Management in Securities Services, including the major cyber security risks this industry faces, general cyber security frameworks that should be leveraged, and best practices specifically tailored for the securities market. The ISSA brings together securities services leaders, regulators, and other industry stakeholders to foster international coordination and collaboration to develop and promote forward-thinking solutions that create efficiencies and mitigate risk within the global securities services industry.
Panelists included Andy Smith, Chief Risk Officer, BNY Mellon, who chairs the ISSA Cyber Working Group, Brett Lancaster, Managing Director, Global Head of Customer Security, SWIFT, and David Leach, Managing Director, Cybersecurity, JP Morgan.
The ISSA paper, Cyber Security Risk Management in Securities Services, maps out four risk clusters and evaluates them for our business, asking what aspects of securities servicing make it susceptible to attacks.
- Cluster A - Utility Disruption / Ransom: The risk of systemic market disruption, destruction or ransom targeted at market infrastructure, with resultant market liquidity issues, due to an APT and/or DDoS attack. Because a central utility typically has stronger defenses than an average market participant, an attack targeting it may be more difficult to undertake, but its reach could be wide and its impact on the market very high. This could include internal sabotage from an insider.
- Cluster B - Asset Theft: The risk of asset theft and financial loss from manipulated records for a specific organization from a coordinated APT attack. Depending on the targeted organization, the impact would be localized.
- Cluster C - Information Theft: The risk of information theft of sensitive intellectual property that could give competitive advantage from a coordinated APT attack and could cause reputational damage, rather than direct financial loss. Depending on the targeted organization, the impact would be localized.
- Cluster D - Market Manipulation: The risk of manipulation of pricing and/or news feeds from a coordinated APT attack. Stock prices would adjust automatically and buy/sell orders would be fulfilled automatically, resulting in potential financial gain if the attackers were stockholders.
Cyber Attack and Securities
To set the stage for the panel conversation, audience members were asked how likely it is that successful cyber fraud attacks will become commonplace in the securities markets in the next 3 to 5 years. The poll revealed that the audience members felt the probability was a “7” on a 1 to 10 scale ranging from highly unlikely to highly likely.
The audience poll results align with the findings of the World Economic Forum’s Global Risk Report 2018, which ranked cyberattack risk as the third most likely of all global risks. “When you are talking about cyber defense, the conversation is about how fast you can move,” Leach said. “It’s not dictated by how much you can afford but how quickly you can keep up with the pace of attacks because they change quickly.”
Adapting to ever changing threat vectors means applying lessons learned from previous attacks. But that can prove tricky, said Lancaster, because threat actors change their attacks and, in some cases, move around so their physical location cannot be detected.
Lancaster noted that in the recent attacks on the payments industry via infiltration of SWIFT customers, the motivation was not disruption or destruction; it was all about trying to steal assets – hard cash. And some have been successful. He added that studying the forensics of both successful and unsuccessful attacks provides valuable information for increasing the payments industry’s resilience.
Leach noted that there has been a significant uptick in the amount of emerging cyber policy and regulations across the globe. In fact, according to the Financial Stability Board, roughly three-quarters of agencies surveyed said they plan to issue or change cyber security policy in the next year.
But taking a purely compliance approach with a prescriptive set of measures is going to fall short, Leach said, because it will slow the speed of execution. Instead, Leach recommends, regulators and the industry must work towards harmonization of standards. He noted that the Financial Services Sector Coordinating Council in the U.S. is leading work on a financial services cyber framework that takes the best of NIST and other frameworks and builds a consistent framework that firms large and small can use to assess themselves in a consistent way.
Cyber Best Practices for Securities Servicers
When it comes to cyber security guidelines for securities servicers, following proven and best practices is the best approach to achieving a robust cyber security program.
Smith discussed some of the recommendations from the ISSA white paper, including threat intelligence and information sharing, patch management, vulnerability management, penetration testing, identity and access management, intrusion protection management and security awareness, training and education, among others.
Smith noted that the actions detailed under each recommendation in the ISSA paper are specific to securities servicers.
After an engaging conversation on the threat environment, the lessons learned from the attacks on the payments industry, the susceptibility of the securities business to potential future attacks, and best practices to mitigate the risks, the audience was polled again on the same question. This time, after taking account of the points made in the panel discussion, the audience rated the likelihood that successful cyber fraud attacks become commonplace in the securities servicing industry in the next 3 to 5 years as an 8 on a 1 to 10 scale.