KEEP YOUR GUARD UP.
Cyber-security is one of the hottest topics but it is not just one of those passing fads. Heather McKenzie looks at the threats.
High-profile hacking attacks and revelations about online surveillance by state organisations have pushed concerns about cyber security to the top of the agenda of many securities industry firms. Financial regulators and market infrastructures are also raising the alarm about the heightened risk of cyber-crime.
A survey of Depository Trust and Clearing Corporation (DTCC) clients in the first quarter of 2015 revealed cyber risk as the main concern among members. A record 46%, up from 33% in September 2014, cited it as the “single biggest risk to the broader economy” and a total of 80% saw it as a top five risk. The others included geopolitical events, impact of new regulations, disruption or failure of a market participant and a US economic slowdown.
However, there is work to be done as reflected by the June poll conducted by FIX Trading Community of its security working group. It found that only 6% of members encrypted all of their messages while 25% encrypted none, partly because encryption can slow down algorithmic trading.
Ironically, given the torrent of regulation, trade groups are calling for tighter rules. For example, last October, the US securities industry group SIFMA published its Principles for Effective Cybersecurity Regulatory Guidance, which sets out its members’ views on how to harmonise and create effective cyber security regulations. “Cybersecurity is a top priority for the financial services industry, which is dedicating significant resources to protect the integrity of the markets and the millions of Americans who use financial services every day,” said Kenneth Bentsen, SIFMA president and CEO, at the launch. “Effective and consistent regulatory guidance is a critical component of the broader cyber defence effort, as it promotes best practices and accountability across the financial sector.”
Cyber-attacks are increasing in frequency and sophistication, he added, and it is critical that the industry and government collaborate to mitigate these threats. SIFMA’s paper included ten principles for cyber security guidance, including the US Government’s ‘significant role and responsibility’ in protecting the business community as well as recognition of the value of public-private collaboration in the development of agency guidance. Also on the list were harmonisation of cyber security guidance for financial services across agencies and basing cyber security on risk assessments as well as threat information.
State regulators in the US are also concerned over the threats. In February, Benjamin Lawsky, superintendent of financial services at the Department of Financial Services in New York State, said that, as a financial regulator, cyber security “is likely the most important issue we will face in 2015 – and perhaps for many years to come after that”. He expressed concern that a major cyber-attack aimed at the financial system would occur, which would represent a systemic risk to financial markets by creating a run or panic that would spill over into the broader economy.
“Indeed, we are concerned that within the next decade (or perhaps sooner) we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time – what some have termed a ‘cyber 9/11’,” he said.
It is not only Europe and North America where concerns about cyber-crime are growing. The Securities and Exchange Board of India recently announced it was working on a cyber-security framework for the country’s stock market, covering exchanges, depositories and intermediaries. The Board is aiming to frame regulations before online trading – which accounts for 36% of all trades in India’s equity markets – becomes more widespread.
On the attack
Mark Clancy, chief information security officer at the DTCC, says while cyber-attacks such as distributed denial of service (DDoS) and hacking attacks have been around for a while, they are increasing in frequency and size. “Cybercrime is becoming more visible because the magnitude of the impact of such attacks is bigger and more pervasive,” he says.
Attacks are motivated by ideology – such as hacktivists who attacked credit card companies that stopped taking payments for Wikileaks – or by industrial espionage, whereby governments or corporates attempt to steal secrets for economic gain. Cyber attacks use malicious code to alter computer code, logic or data, disrupting systems and compromising data. The tools used for attacks are many and varied, including viruses, malware, DDoS, Trojan horses, worms and phishing.
DTCC has taken a two-pronged approach to challenge cyber-crime: raising awareness of the risks among its clients and a joint venture called Soltra which it set up with the Financial Services Information Sharing and Analysis Centre, a non-profit private sector initiative that facilitates the detection, prevention, and response to cyber-attacks and fraud activity. Soltra will deliver software automation and services that collect, distil and speed the transfer of threat intelligence from various sources in order to safeguard against cyber-attacks.
Clancy says the DTCC acknowledges that cyber-crime can never be fully wiped out, but the balance that is currently in the favour of the criminals can be changed. “There is an asymmetry when it comes to cyber-crime. Attacks are relatively inexpensive, but the cost of defence is very high,” he says.
The idea of Soltra, he says, is to increase the cost of cyber-crime for the perpetrators by standardising and automating much of the cyber defence. Soltra will enable firms to share information about what attackers are doing, which will enable other firms to be more nimble in their responses and know what to look out for.
“We are using the concept of straight through processing in fighting cyber-crime,” he says. “Of course attackers will always innovate and try to stay ahead. The idea we have is to try to tackle the underlying economics as well as the technical elements.”
There are some basic ‘hygiene’ approaches firms can take to guard against cyber-attack. Australia’s Defence Signals Directorate (an Australian Government intelligence agency) recently issued the following recommendations:
- application whitelisting (maintaining a simple list of the applications that have been granted permission to run by the user or an administrator, and blocking everything else);
- patch applications (applying vendor updates to programs and their supporting data promptly, so that known security vulnerabilities are fixed);
- patch operating systems (as above); and
- minimising the number of users with domain or local administrative privileges (so that, for example, a successful phishing attack on an ordinary user does not hand the attacker administrative control).
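As an added illustration of the first two items (not code from the Directorate or from the article), the following Python sketch shows a default-deny application allowlist keyed on executable path and SHA-256 hash, and why such a list must be updated whenever an approved patch replaces a binary. The paths, binaries and hashes are constructed samples.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    """Hash the executable's bytes; a path-only list could be bypassed by overwriting the file."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for approved builds (not real software).
APPROVED_TRADER = b"trader v1.0 approved build"
APPROVED_OFFICE = b"office suite approved build"

# Allowlist: approved executable path -> SHA-256 of the approved build.
ALLOWLIST: Dict[str, str] = {
    r"C:\Program Files\Trader\trader.exe": sha256_hex(APPROVED_TRADER),
    r"C:\Program Files\Office\word.exe": sha256_hex(APPROVED_OFFICE),
}

def evaluate(path: str, contents: bytes, allowlist: Dict[str, str] = ALLOWLIST) -> Tuple[str, str]:
    """Default-deny decision for an execution request: ("ALLOW"|"DENY", reason)."""
    expected = allowlist.get(path)
    if expected is None:
        return "DENY", "path not on the allowlist"
    if sha256_hex(contents) != expected:
        return "DENY", "hash mismatch: binary differs from the approved build"
    return "ALLOW", "path and hash match an approved entry"

def approve_update(path: str, new_contents: bytes, allowlist: Dict[str, str]) -> None:
    """Record the hash of a vetted patch; otherwise the patched program would be blocked."""
    allowlist[path] = sha256_hex(new_contents)

def audit(requests: List[Tuple[str, bytes]], allowlist: Dict[str, str] = ALLOWLIST) -> List[str]:
    """Evaluate a batch of (path, contents) requests and return one log line per decision."""
    lines = []
    for path, contents in requests:
        decision, reason = evaluate(path, contents, allowlist)
        lines.append(f"{decision:5} {path} ({reason})")
    return lines

if __name__ == "__main__":
    sample_requests = [  # constructed: one clean run, one tampered binary, one unknown download
        (r"C:\Program Files\Trader\trader.exe", APPROVED_TRADER),
        (r"C:\Program Files\Trader\trader.exe", b"trader v1.0 with injected code"),
        (r"C:\Users\alice\Downloads\invoice.pdf.exe", b"attachment from a phishing mail"),
    ]
    for line in audit(sample_requests):
        print(line)
```

Only the first request is allowed; the tampered binary fails the hash check even though its path is approved, and the download is denied because nothing unknown runs by default.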
Speaking at a Sydney conference last year, assistant secretary of cyber security at the Directorate, Joe Franzi, told delegates that between 2011 and 2013 reported cyber-attacks in Australia had risen from 1259 to 2148. Banking and finance were among the five most commonly targeted sectors.
Meanwhile in the US, Lawsky addressed the practicalities of protecting against cyber-attacks. The Department is not only looking to incentivise market participants to do more to protect themselves but is also revamping its regular examinations of banks and insurance companies to incorporate new, targeted assessments of those institutions’ cyber security preparedness. “If we grade banks and insurers directly on their defences against hackers as part of our examinations, it will incentivise those companies to prioritise and shore up their cyber security protections,” he says.
The Department is also considering steps to address the cyber security of third-party vendors, which is a “significant vulnerability”. The fact that such vendors often have access to a financial institution’s IT systems could be a weakness when it comes to guarding against attackers. Lawsky said it is considering mandating that financial institutions receive “robust” representations and warranties from third-party vendors that critical cyber security protections are in place.
Moreover, the Department is considering multi-factor authentication for system users, which requires a username and password as well as a second layer of security, such as an additional one-time password delivered by text alert.
IT security specialist Kaspersky Lab points out that firms should not just pay attention to IT-based security solutions but also to the staff they employ. This is because the majority of data security breaches occur due to employee actions, either intentional or unintentional. As a result, firms should set out employees’ responsibilities and accountability regarding confidential information and promote a greater understanding of working with and handling corporate information on mobile devices.