Mike Bodson, DTCC President & CEO.
I’m just back from speaking at the Sibos 2019 conference in London and, given this year’s theme—Thriving in a Hyperconnected World—it wasn’t surprising how much of the conversation on the convention floor and during the panel discussions focused on the threat of a cyber-attack.
How could it not be top of mind when new cybersecurity events continue to fill the headlines? Recently, there was a story about the hackers who targeted Airbus' suppliers, along with an analysis of the Capital One breach and a troubling government report which concluded that the U.S. Department of Energy isn’t doing enough to protect the national electric grid from hackers. No doubt, there will be a similar list next week, the week after that and so on.
For more than a decade, the battle against cybercriminals has been fought on an ever-changing field. Cyber-attacks are growing in number and in scale, the strategies and techniques are increasingly sophisticated, and the scope is global. As the criminals have modified their approach, so has our industry. It’s like a never-ending game of cat-and-mouse, but one thing is certain: If we’re going to win this war in the long-term, we can’t do it alone.
The growing interconnectedness of financial markets and service providers means that a major attack in one area or against an individual firm could have a significant impact on the stability of the whole ecosystem. In fact, the likelihood of a significant disruptive event continues to increase as cyber-criminals become more adept at launching attacks. Clients and regulators share this view and have shifted their thinking as well. In the past, we all focused on preventing attacks. Now, the main question is, “How fast can you recover?”
The issue of resilience comes up regularly at industry meetings and conferences, like Sibos 2019 and our Risk Forum in New York last week. We believe that resilience and market confidence cannot be delivered solely through one financial institution or financial market infrastructure. We must collaborate as an industry to ensure the safety and soundness of the market.
Financial market infrastructures have a responsibility to help advise and guide clients. I’m pleased to say that we’re making progress toward achieving greater consistency and coordination in this global fight. Firms and financial market infrastructures are increasingly collaborating on recovery processes and are identifying their most vulnerable areas. The network of industry representatives involved in the discussions is growing, which adds important new voices.
Cross-industry initiatives are essential to help limit the disruptions, and address the vulnerabilities, that a large-scale cyber-attack could create in the financial marketplace—including within the payment, clearing and settlement ecosystem. As part of this, we need to create detailed response and recovery plans based on standard criteria and consider specific scenarios as well as contingent service arrangements that would enable firms to continue critical operations after a cyber-attack. We outlined these initiatives in greater detail last year in a white paper issued with Oliver Wyman, Large Scale Cyber-Attacks on the Financial System.
Because cyber-attacks may erode confidence in the financial markets, we must design strong processes to manage risk and build resiliency into our operations. To do so, we need a holistic, forward-looking and highly collaborative approach to business and operational resilience. Rather than solely focusing on individual processes, business resilience efforts now should include all relevant stakeholders and consider an end-to-end perspective across critical business services. Last month, we detailed our thinking on this topic in a white paper, Resilience First: Promoting Financial Stability by Planning for Disruption, where we also outlined a set of core principles and supporting guidelines, which can be adopted by our industry partners to protect their critical business services and design programs that are more robust. Our goal is to spark a dialogue on resilience principles that the industry can use to build resilience into all its operations.
For all the work the industry is doing on this front, one of our most important partners is the global regulatory community, which is providing new guidance or interpretations to existing rules to better guide firms in protecting their infrastructure. We’ll continue to collaborate with groups like the UK Supervisors—the Bank of England, Prudential Regulation Authority and Financial Conduct Authority—which published a discussion paper detailing steps for enhancing an organization’s resiliency and how supervisors can support the sector.
Our work with public-private partnerships and associations is also playing a critical role in strengthening cybersecurity and resilience capabilities. Together, we’re refining cybersecurity toolkits, streamlining standards, developing cyber incident best practices, identifying potential threats and working on a range of disruption scenarios with partners that include the Financial Services Sector Coordinating Council, the Financial Stability Board, the Financial Systemic Analysis & Resilience Center, the International Securities Services Association and the International Organization of Securities Commissions.
Again, the core of the discussion is the need for an industry-wide approach—sharing information and collaboration—to secure the global financial markets.
In the end, however, I believe our employees are at the center of all our efforts to battle cyber criminals and manage cyber risk. Employees are our first line of defense and they must be aware of the various cyber schemes, as well as the tools we use to prevent those attacks. We must be willing to challenge activities that may lead to more risk and take every opportunity to integrate resilience into all our products and services.
There is more work to do and, while we can’t prepare for every possible scenario, we know that industry-wide collaboration will provide the best opportunity to develop effective recovery strategies, balance oversight and operational effectiveness and ensure security and resiliency in the event of a disruption.
Managing cyber risk is our highest risk priority. And no one will do this alone.