Viewpoint - The Dark Side of Innovation

20 December 2017

A message from Walt Lukken, President and CEO, FIA

FIA has always been a champion of innovation. Throughout our history we have embraced new ways of doing business that deliver greater efficiency and more convenience for our customers. But innovation can be a double-edged sword. Sometimes new technologies can create new risks.

The most troubling example of this problem today is cybersecurity. Advances in technology have created the "network effect" in derivatives trading, as ever-increasing numbers of buyers and sellers come together in centralized markets from everywhere in the world. The benefits are obvious: increased participation leads to improved liquidity and more efficient price discovery and risk management. But the downside is also obvious. The complex electronic networks that tie us together make us more vulnerable to a new type of threat.

We have all seen the headlines about the attacks on major financial institutions, credit reporting bureaus, payment networks, and government agencies. But the threat is more serious than most people realize. The people in the know—the people responsible for monitoring cyber-attacks on financial market infrastructure—tell us that the number and persistence of the attacks are far beyond what we see in the papers, and the attacks are growing more sophisticated and more dangerous all the time.

The good news is that our industry is well aware of this threat. The key nodes in our networks, namely the exchanges and clearinghouses, have committed significant financial resources to ramping up their cyber defenses. More importantly, board-level executives across our industry recognize that cybersecurity is not just an IT issue. It is a strategic risk that affects the entire business enterprise and needs to be managed as such.

But more needs to be done. We need to work both individually and collectively to attack this problem and make sure that we prevent market disruption and protect sensitive information. Cyber criminals know that the best way to penetrate a network is to find a weakness in one of the systems connected to that network. That makes it of paramount importance for our industry to work together. As the saying goes, we are only as safe as the weakest link in the chain.

That is why FIA is working to create a forum for FIA members to share expertise on how to strengthen their cyber-defenses. This fall, the FIA's Market Technology division conducted a cyber-exercise called "Operation Blowtorch." Held in Chicago the day before the FIA Expo, it simulated a malware attack on a clearinghouse's central database that gradually eroded data on cleared trades. The participants, who came from many different types of firms, discussed how to isolate infected data and then reconcile and resolve trades impacted by the attack. The participants also discussed their processes for crisis escalation, industry notifications and media communications, and shared their views on recovery considerations for all market participants, including other exchanges not directly impacted by the malware attack.

Exercises like this provide an opportunity for FIA member firms to work through the threat management process and assess their ability to manage the ripple effect on systems across the industry. To help share the lessons learned from Operation Blowtorch, we have posted a report on the dedicated cyber-resources page on our website. We also plan to continue holding these exercises every year, much as we have done with the annual disaster recovery exercises put in place in response to the terrorist attacks in September 2001.

FIA also is participating in a broader initiative to coordinate cybersecurity work across the entire financial sector. This initiative, which is being led by the Financial Services Sector Coordinating Council, is intended to bring all the key private sector players together to identify threats, promote protection, drive preparedness, and coordinate crisis responses. Given our industry's reliance on repo markets, payments systems and other financial services, it is critically important to have a seat at the table for these sector-wide discussions.

Infrastructure Risk

One of the key goals is to make sure that regulatory requirements do not get in the way of actual improvements to our cyber-defenses. It is certainly positive that the U.S. government has woken up to the threat of a cyber-attack on financial market infrastructure, but now we have multiple branches of the government involved in setting cybersecurity standards for the private sector, and each branch has its own process and terminology for assessing compliance with these standards. That creates a huge amount of duplicative effort for organizations such as banks and broker-dealers that are subject to the authority of more than one regulator.

The Financial Services Roundtable, through its BITS technology policy division, has been leading the way on this regulatory harmonization effort. FIA is involved in this coalition alongside other associations such as the American Bankers Association, the Investment Company Institute, the Managed Funds Association and the Securities Industry and Financial Markets Association. Under the umbrella of the FSSCC, we are engaging with a broad array of U.S. government agencies, including the Commodity Futures Trading Commission, the Securities and Exchange Commission, and the Federal Reserve System. It is estimated that roughly 80% of the cybersecurity requirements are common across these regulators. If we can agree to a standardized taxonomy and a harmonized approach to best practices, we can concentrate on strengthening our cyber-defenses. The demand for cybersecurity experts is at record levels. Let's not waste their time on redundant compliance requirements.

The good news is that in this battle, we are all on the same side. We all recognize that cybersecurity must become a core component of our day-to-day operations. Through initiatives such as Operation Blowtorch and our involvement in FSSCC's standardization projects, FIA is working to make sure that the derivatives industry can move towards leading-edge best practices and maximize the impact of our shared commitment to information security.
