BE ON YOUR GUARD.
Dan Barnes explains why trading firms must brace for cyber-attacks on counterparties.
What if the next ‘Lehman Brothers’ was not a credit but a cyber event? How well would capital market firms manage their exposure to a counterparty crippled by a technology attack? Recent events have brought this scenario into clear focus, most notably the catastrophic impact of the ‘NotPetya’ malware*, which destroyed systems at major firms in 2017.
“Maersk losing all of its IT irrecoverably in a ‘NotPetya’ attack, and only recovering from back-ups, along with DLA Piper, WPP and a few others, has shocked financial services out of the assumption that a business can recover in a matter of time, to a realisation that in some kinds of attack you may not be able to recover,” says Nick Seaver, partner and lead for the EMEA Cyber Risk practice at Deloitte. “So, then what do you do?”
Cybercriminals have long targeted wholesale financial institutions. In 2004, criminals attacked the London branch of Sumitomo Mitsui Banking Corporation, using keylogging software loaded from a USB stick to capture the credentials needed to bypass security on the SWIFT interbank payment network, in an effort to transfer £220m to overseas accounts.
The threat has grown in the intervening period. In a white paper, SWIFT and security specialists BAE Systems warned: “There has been a significant evolution in the cyber threat facing the global financial industry over the last 18 months as adversaries have advanced their knowledge. They have deployed increasingly sophisticated means of circumventing individual controls within users’ local environments, and probed further into their systems to execute well-planned and finely orchestrated attacks.”
In recent years the SWIFT network has been used as the channel for removing funds from major banks in Eastern Europe, Asia and Latin America. In these cases it was not the SWIFT network itself that was broken into but the banks’ own local SWIFT environments, which the attackers used to submit payment instructions that looked legitimate to the receiving institution. The criminals or state actors responsible have been able to steal seven- and eight-figure sums in a single action, due to the wholesale nature of payments that SWIFT enables.
Attackers’ growing familiarity with the mechanisms used within corporate and investment banking to transfer assets is a serious threat for firms in major financial centres. In the 2004 Sumitomo attempt, only errors in the format of the criminals’ SWIFT messages stopped the transfers from going through. When Bangladesh Bank lost $81m to hackers in February 2016, its losses were contained only because typographical errors in the fraudulent instructions prompted queries that halted the remaining transfers. The underlying method was effectively the same: stolen credentials used to operate the bank’s SWIFT interface. The difference lay in how that access was obtained, through phishing to gain a foothold on the network and malware planted in the bank’s SWIFT environment to send the instructions and suppress the confirmation records, rather than a USB stick with keylogging software.
However, while the 2004 attack was linked to criminal gangs in the UK, Israel and elsewhere, both the SWIFT heists and NotPetya have been attributed by law-enforcement and intelligence agencies to state actors. The SWIFT attacks were attributed to a North Korean group by the US Federal Bureau of Investigation (FBI), and NotPetya to Russia by UK and US agencies. Crucially, NotPetya was designed to sabotage, not to steal funds: its intended target was Ukraine, and much of the harm fell on firms that were never the intended target.
“The assumption until 2017 was that if someone big and bad comes after you, you have a problem, where actually with NotPetya, the firms that got whacked were collateral damage in a nation state attack,” Seaver says.
Given the risks facing the industry, capital markets firms are reviewing their defences against attacks, both internal and external, and their resilience in the event of an incident. The key weakness in the SWIFT attacks has been individuals subjected to ‘spear-phishing’: targeted messages crafted to get them to reveal credentials or open malicious attachments. However, banks have also been targeted by ‘sleepers’, employees who seek to gain access to control functions with either a criminal or a disruptive agenda.
“The prizes are so big; if a bank is clearing $1tn overnight and that goes down, markets are out the following day,” says James Stickland, CEO of authentication platform Veridium. “If people are trying to create disruptive activity that is exactly what they want. They are willing to wait five years for that to get someone into the position of database administrator, for example.”
Another risk is the complexity of technology infrastructure. As new technology models are adopted this can potentially increase the risks that a firm is exposed to, by opening up or multiplying points of weakness.
Under MiFID II in Europe, the level of data being captured and stored in the front office has increased in volume and in importance, with individual traders identified in order to assess their execution choices. To manage the significantly greater levels of data firms are often using cloud-based platforms, while tools such as artificial intelligence are being tried in many areas of trading.
“One thing that materially changes proliferation [of risk] is multi-cloud, where typically a firm has multiple cloud providers along with some of its business running on proprietary systems,” says Alasdair Anderson, independent consultant and formerly head of big data at HSBC. “That can mean the ways you identify and manage users of the systems increase in number, and the more points of control for management and security, the greater the risk.”
Getting the right framework
For capital markets firms it is less likely to be the first line of defence, the business itself, that poses a risk, Anderson observes, as it does not see as much information. The second line of defence, risk and audit, sees more and is therefore a potentially greater weakness.
“Cyber risk wasn’t [historically] viewed as something that should have a heightened focus, but that has totally changed in the last six months,” says Stickland. “A lot of institutions are now focused on insider threat. There is a big swing towards people taking individual accountability as opposed to institutional accountability.”
Countering the risk is challenging. Technology plays a vital role, both as the means of defence and as the source of the risks posed by new trading technologies. Prevention efforts must try to eliminate weak points in the security framework, but they can never be eliminated entirely.
“You can put controls and measures in place but inevitably you have to have some management of the individual, with implicit and explicit trust for that,” Anderson observes.
He notes that the three functions of risk, compliance and legal have to be well-aligned in order to make processes and systems designed to protect the bank function effectively.
“The real challenge is getting the risk, compliance and legal people to agree on a common framework of management that matches the business that you’re in. For all the tech controls in the world, if you cannot agree what should be done by a certain person in a certain job role, typically for a specific jurisdiction, then there is no way of applying a technology solution or control,” he says.
Furthermore, banks and asset managers have to assume that either they or a counterparty might be seriously hit by a cyber event, and set up mechanisms to cope.
“Contagion is a big issue in a cyber event because, one, it is hard to measure what your counterparty’s cyber risk exposure is and two, in certain forms of cyberattack, it hits lots of people at the same time,” says Seaver.
This is leading firms to rethink how they approach business recovery, and in some cases to look at the model central counterparties already use in a credit event, in which a defaulting member’s positions are ported or auctioned to surviving members.
“What you deem critical in a business-as-usual disaster recovery scenario isn’t what you deem critical in an existential position; so for example your FX trading is business critical but if you are in an extinction scenario, you might give that to another bank to wind up your positions,” he says.
They are also looking at ways to get past such extinction events in order to mitigate the risk posed by a repeat of the NotPetya attack.
“In retail and capital markets, businesses are creating a third copy of critical data such as trading positions, liquidity positions and counterparties, so in the event of a catastrophic cyber incident they have the ability to know where they were,” says Seaver. “Building an immutable, asynchronous offline snapshot of really critical data has gone from being a theoretical idea to being investigated today.”
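The “immutable, asynchronous offline snapshot” Seaver describes comes down to two properties: the stored record of positions cannot be altered or truncated without that being detectable, and a small piece of evidence (the latest hash) is held somewhere the attacker who wiped production cannot reach. The following is an added illustration of that idea in Python, written for this page; it is not code from Deloitte or from any firm mentioned in the article. The sample position and liquidity figures, the counterparty labels and the function names are all constructed for the example.

```python
"""Hash-chained, append-only snapshot ledger for critical position data.

Added illustration for this article, not any firm's production design.
Each daily snapshot commits to the previous one, and the head hash is
assumed to be kept outside the production domain (on paper, in another
cloud account, on WORM media) so a wiped or tampered copy can be rejected.
"""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # value the first entry chains to

# Constructed sample data: end-of-day critical state for three days
SAMPLE_SNAPSHOTS = [
    {"date": "2019-03-01", "positions": {"CPTY-A": 1250000, "CPTY-B": -400000}, "liquidity": 9800000},
    {"date": "2019-03-02", "positions": {"CPTY-A": 1300000, "CPTY-B": -450000}, "liquidity": 9650000},
    {"date": "2019-03-03", "positions": {"CPTY-A": 1100000, "CPTY-B": -450000, "CPTY-C": 75000}, "liquidity": 9900000},
]


def canonical(payload: dict) -> bytes:
    """Serialise deterministically so equal data always hashes the same."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, payload: dict) -> str:
    """Each entry commits to its predecessor, so nothing can be altered or dropped unnoticed."""
    return hashlib.sha256(prev_hash.encode() + canonical(payload)).hexdigest()


class SnapshotLedger:
    def __init__(self, entries: Optional[List[dict]] = None):
        self.entries: List[dict] = list(entries) if entries else []

    def append(self, payload: dict) -> str:
        prev = self.head()
        h = entry_hash(prev, payload)
        self.entries.append({"prev": prev, "payload": payload, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, trusted_head: Optional[str] = None) -> bool:
        """Recompute the chain; optionally require it to end at an externally held head hash.

        Internal consistency alone does not catch truncation (dropping the last
        days) or a complete consistent rewrite; the external anchor does.
        """
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or entry_hash(prev, e["payload"]) != e["hash"]:
                return False
            prev = e["hash"]
        return trusted_head is None or prev == trusted_head


def build_ledger(snapshots: List[dict]) -> SnapshotLedger:
    ledger = SnapshotLedger()
    for s in snapshots:
        ledger.append(s)
    return ledger


def recover(offline_entries: List[dict], trusted_head: str) -> Optional[dict]:
    """Rebuild 'where we were' from the offline copy; refuse it if chain or anchor fails."""
    ledger = SnapshotLedger(offline_entries)
    if not ledger.verify(trusted_head):
        return None
    return ledger.entries[-1]["payload"]


def tampered_copy(entries: List[dict], cpty: str, new_value: int) -> List[dict]:
    """Simulate an attacker (or silent corruption) changing one position in a stored copy."""
    copied = copy.deepcopy(entries)
    copied[1]["payload"]["positions"][cpty] = new_value
    return copied


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_SNAPSHOTS)
    anchor = ledger.head()  # this 64-hex-char value is what lives on the far side of the air gap
    print("chain valid:", ledger.verify(anchor))
    print("recovered state as of:", recover(ledger.entries, anchor)["date"])
    print("tampered copy accepted:", recover(tampered_copy(ledger.entries, "CPTY-A", 1), anchor) is not None)
    print("truncated copy accepted:", recover(ledger.entries[:-1], anchor) is not None)
```

The point of the separately held head hash is the last two checks: an attacker who can rewrite the offline copy consistently, or simply discard the most recent days, produces a chain that still verifies on its own, and only comparison against an anchor stored outside the compromised domain exposes it. In practice the anchor and the copy are shipped asynchronously so that a wiper running in production cannot reach either.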
*Note: NotPetya refers to a malware attack unleashed in June 2017. It took its name from its resemblance to the ransomware Petya, a piece of criminal code that surfaced in early 2016 and extorted victims into paying for a key to unlock their files. NotPetya spread initially through a compromised software update of the Ukrainian accounting package M.E.Doc and then moved laterally through corporate networks using the EternalBlue SMB exploit and harvested Windows credentials. Unlike ransomware, it could not be reversed by paying a ransom and was entirely destructive in its purpose. It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, and manufacturer Reckitt Benckiser. The result was more than $10bn in total damages, according to a White House assessment.
©Best Execution 2019