Cyber risk threatens remote working model where vulnerable messaging technologies are deployed. Dan Barnes reports.
Banks, asset managers and market infrastructure providers have moved vast numbers of staff to work from remote locations. At the recent Annual Morgan Stanley Financials Conference, Mark Mason, chief financial officer of Citi, said 80% of its staff were working remotely, while Seth Bernstein, president and CEO of buyside firm AllianceBernstein, said 97% of their staff were working from home.
While many firms began to return staff to the office in mid-June, the process has created a new, more distributed infrastructure, which has enabled a largely seamless transition to the home working environment. However, it also carries risk at several levels.
Cybersecurity is consistently in the top quartile of exchange and CCP focus, according to the World Federation of Exchanges’ regular survey of membership priorities. In a statement, the WFE noted, “Without care and attention relating to exceptional working procedures, there is the concern that adversaries may identify and exploit new routes into the system to either compromise operations or information systems.”
Cyber risks in the current environment have increased on many levels, as working practices have been turned on their heads. When the concept of ‘bring your own device’ (BYOD) was proposed for business in the early 2000s, many security teams were aghast. The risks inherent in devices that were exposed to consumer and home activity were perceived to be far greater than for those built or bought and directly managed by the firm. Yet when traders were forced to work from home, this required improvised trading infrastructure, including personal hardware.
“My son had a gaming computer and the graphic card allowed for three monitors to be plugged into the back, so I had three monitors, happy days,” notes one trader. “But a lot of people started by trying to use their Mac laptop and iPad.”
Where home technology is used for trading, it is incumbent on the user and front office technology teams to assess and monitor its security features. Preventing any risk of contamination from one device to wider systems is also key, which is typically handled via the remote working systems employed. However, these risks are minimised where home technology is only used to access remote systems using secure measures.
One industry expert says, “With a typical ‘thin client’ VPN solution, as long as you have a secure VPN connection you will be able to trade securely from any device. The cyber risk is targeting the VPN connection which would be Fort Knox. Once connected your office PC takes on the anti-virus checks.”
The head of trading at a European asset manager confirms, “We have tight controls around the way we access systems; it must be via a Citrix gateway, but that’s mostly it.”
The greater risks for buy- and sell-side firms are disruptions to workflows. These might allow social engineering in order to access information, using non-standard communication.
In its latest ‘State of Cyber Resilience for Banking & Capital Markets Report’, which used 2018 data, Accenture warned that the number and sophistication of cyberattacks are increasing and are likely to get worse, and that it is taking firms too long to find breaches.
“In 62% of firms surveyed, it required greater than 30 days to remediate the breach,” says Heather Adams, managing director for Resilience Risk & Trust at Accenture Strategy & Consulting. “The most frequent attack listed by the survey participants was an internal attack i.e. malicious insiders.”
These risks have historically stemmed from back and middle-office individuals as much as front office staff. She observes that breaking down physical supervisory structures can create motivation as well as opportunities for malicious insiders.
“In the current climate of home working, there is a risk that internal attacks could rise,” she says. “Employees are less likely to commit an internal attack when they feel a sense of belonging and commitment to their employer and are more likely to when distanced from or unconnected to their employer.”
One of the greatest challenges that trading floors have faced in recent years is from the rise of non-standard communication tools, such as chat rooms and social media apps. The risks these can create range from unmonitored communications, which may be illegal or may breach regulations, to unsecure phone applications, which have been a repeated target of hackers.
In 2019 it was revealed that, between April and May 2019, 1400 users of Facebook-owned WhatsApp had been targeted by Pegasus spyware developed by NSO Group, which gained access to their devices without user involvement. The two firms are now engaged in court cases in the Northern District of California and Israel.
Getting access to controlled information may not require specifically designed software to target individuals. The finance industry is frequently the subject of targeted hacking using social engineering in order to access key systems. Several central banks have been targeted by hackers in the past, who have sought access to the SWIFT payments network; commercial banks have been attacked on multiple occasions and buyside firms report they are under threat in the current climate.
“We have seen increased phishing scams so our security team have bolstered our email to better detect internal and external threats,” notes one buyside trader.
In addition to securing access to live systems, capital markets firms have to secure intellectual property against theft, which can be more challenging if it is required to be used off-premise in order to maintain development of new tools. One specific area that capital markets firms should seek to protect from threats is their algorithmic trading models, notes Adams.
“Malicious insiders at financial institutions have a storied history of stealing this trading algorithm code, including the use of credentials stealers and malware designed to capture encryption keys for trading models,” she says. “This tendency is likely to evolve to include the alteration of these algorithms. Influencing trading algorithms to behave abnormally or ineffectively in small increments may be difficult for organisations to identify. Eventually, these changes could begin to accumulate, causing algorithms to become unstable and prone to failure.”
Given the range of potential threats that firms need to tackle, a top-down view of security is needed. There are two major cyber security frameworks for capital markets, which can provide support for firms in delivering best practice. One is the National Institute of Standards and Technology (NIST), the US cyber security framework which was established in 2014; the other is the ISO 27001 national security management standard.
“[NIST] is not a point solution, for example it doesn’t determine ‘You can use WhatsApp and don’t use Zoom’, it’s to do with the processes and the management structures that should be put in place to be certain that you are evaluating cyber risk in the right way, and then tracking any risk that exists towards mitigation and a solution,” says Sassan Danesh, managing partner at Etrading Software.
He adds, “Both of them look at scaling the cyber security processes that are required, making it a robust process. And I personally quite like the ISO model because it allows third party support, so in other words if a counterparty or provider says it is following ISO 27001, you can get third party auditors to audit that compliance level.”
Integrating the principles and practices from frameworks like these can increase the likelihood that, whether working remotely or on-premise, trading operations are kept secure from malicious actors.
“The key is making sure that you have end-to-end cyber security,” says Danesh. “Historically security has been a cottage industry, with a set of people with very specialist skills who look at trying to secure various systems, processes, etc. As an industry we need to move away from this kind of bespoke crafting to a much more robust and scaleable industrial process.”