Andrew Gray, DTCC Group Chief Risk Officer
Cyber risk is increasing and the nature of cyber-attacks is evolving rapidly, as organized crime, cyber terrorists and nation-states launch sophisticated, well-funded and well-organized cyber-attacks around the world.
I had the opportunity to share my views in two discussions on September 25 at Sibos 2019 in London. I discussed the evolution of cyber-attacks, and the role that technology and interconnectedness play, in a fireside chat with Dr. Daniela Peterhoff, Co-Head of EMEA Corporate & Institutional Banking & Global Head of Market Infrastructure at Oliver Wyman. Then I joined a panel with Colin Parry, CEO, ISSA; Mark Gem, Chair of the Risk Committee, Clearstream; Andy Smith, CRO for Operations, BNY Mellon; and Moderator Dominic Hobson, Hobson Cardew, where we discussed the convergence of risk topics as well as ISSA’s vision for addressing cyber resilience.
Here are key takeaways from both discussions:
Nature of Attacks
DTCC has conducted nine Systemic Risk Barometer surveys since 2013, and cyber has been identified as the top overall risk in the last seven. It was cited as the top risk by about 70% of respondents in our most recent survey. We all saw the devastating impact of the NotPetya attacks on a range of institutions including large corporations, and recently we’ve heard about the attacks on municipalities and hospitals in the U.S. In financial services, the impact of cyber-attacks is even more pronounced: ZeroFOX released its annual Financial Services Digital Threat Report in August, and it indicates a 56% year-over-year increase in digital threats targeting the financial space.
Earlier this week, DTCC introduced a business resiliency framework in a new white paper, “Resilience First: Promoting Financial Stability by Planning for Disruption.” The paper highlights the need for a holistic, forward-looking and highly collaborative approach to business or operational resilience. The paper outlines a set of core principles and supporting guidelines that can be adopted by a wide range of entities in the industry that want to make their critical business services even more robust.
The Role of FMIs
Cyber risk is our highest risk priority, and that concern is shared by many of our clients. Given how interconnected financial market infrastructures (FMIs) are with the rest of the financial services system, an attack could affect the whole ecosystem. As a result, FMIs are at the forefront of cyber risk management approaches. At DTCC, we continually assess our capabilities against standard frameworks, such as those from the National Institute of Standards and Technology (NIST), and we have increased our funding for cybersecurity and technology risk management. We focus on our own resiliency efforts, and we promote work with the industry to develop, implement, and support additional resilience efforts. We continually develop and streamline our business processes and technical capabilities to ensure quick recovery in the event of an attack.
The industry has also realized that resiliency and market confidence are not something that can be delivered solely by one financial institution or financial market infrastructure. We all need to work together to ensure the safety and soundness of the market. DTCC is part of that effort.
Everyone is a risk manager
DTCC is implementing a number of programs to strengthen our capabilities in identity and access management, penetration testing, and threat and vulnerability management. We are also enhancing our Insider Risk program. Finally, with the increased use of technology, including APIs and cloud, we are investing resources to ensure we have the right security and resilience controls in place. Also, I can’t emphasize enough the importance of awareness and education of everyone in our organizations. At DTCC, everyone is a risk manager.
In addition, we are working with a number of associations and organizations—FSSCC, FSB, FSARC, ISSA—to ensure that the industry is collectively testing and strengthening its capabilities.
SIFMU Attestation Program
We are implementing an attestation program for customers of our SIFMU entities. We have to view our securities counterparties as payments counterparties when insisting that we know the level of their cyber defenses and recovery capabilities. Shocks in one market segment may easily spill over to other market segments, causing liquidity and credit issues within the financial services sector. Despite all the preparedness, one of us is going to have a very bad day and will be down, perhaps for an extended period. Now the question is: “What do the rest of us do? How do we all deal with the fact that one of the institutions we are connected to or rely on is down?” It seems to me that this calls for industry best practices.
Fintech and Cyber
Technology is a tool, but people decide how to use the tool, which is where the risks arise. As with any other new technology which can generate significant benefits, we need to manage those risks. RPA, AI and machine learning are tools that improve a company’s ability to identify potential threats by sorting through and interpreting threat intelligence data. The potential benefits from better pattern recognition, automation, predictive modeling and more effective decision making are powerful. But we have to pay attention to how the models we use are designed and how the results are interpreted. And as a foundation, we need a robust Enterprise Data Management program with high-quality data and strong governance, housed and accessed via an advanced data architecture.
There is a lot of ongoing discussion about what the end state will look like, but it’s clear that we will need a balance of oversight and operational effectiveness that can make all parties comfortable that security and resiliency requirements are being met.