Managing Cyber Attacks

15 June 2015

Regulators and Industry Participants Strengthen their Defenses

Cybersecurity risks and testing are a major concern of regulators and market participants. Experts at a Commodity Futures Trading Commission roundtable discuss the testing underway as well as practices to recover from cyber attacks.

CFTC staff spend the day hearing experts discuss cybersecurity challenges.

The risk of cybersecurity attacks is the single highest concern among financial regulators and top global exchange and clearinghouse leaders. They all agree it is not just a risk, but inevitable that there will be an attack. What lies ahead are challenges in how to best protect key market infrastructure from attacks and recover operations and data after attacks.

While the listed and cleared derivatives industry has taken steps for many years to test and prepare for disaster recovery and business continuity, such as after the Sept. 11 attacks, cybersecurity poses new challenges. 

First and foremost, those involved in the attacks are sophisticated and hard to detect. A system can be penetrated unnoticed through simple software updates, email attachments and simple downloads. In addition, the risk is greater as markets and participants become more linked electronically.

Finally, what is most concerning to industry leaders is that cyber attacks are increasingly seen as a new form of terror attack, where critical systems are penetrated for the purpose of severely disrupting or destroying them rather than just stealing information. 

“Five, ten years ago this conversation was largely about the digital equivalent of graffiti, the defacement of websites and other things like that. But now clearly you have actors that are not only willing to steal and commit fraud, but who are actually willing to carry out destructive attacks, like what we saw with the attack on Sony Pictures Entertainment,” said Michael Daniel, special assistant to the president and White House security coordinator, at a March 18 staff roundtable of the Commodity Futures Trading Commission. 

CFTC Chairman Tim Massad agrees.

At nearly every public speaking engagement over the past several months, including appearances before Congress, Massad has identified cybersecurity as the biggest threat facing markets.

“These threats, as we now know today, don’t just come from people motivated by profit. They come from people looking to disrupt the system,” Massad warned Senate lawmakers at an appropriations hearing in May.

Global exchange leaders all have put cybersecurity at the top of their list of concerns. It is not an issue that their technology departments handle alone, they said, but rather a matter for boards and top executives. Exchange leaders identified cybersecurity as a bigger concern than other issues. For example, Jeff Sprecher, the chief executive of Intercontinental Exchange, said ICE’s risk committee spends more time on cybersecurity threats than it does on clearinghouse risk and market risk. 

“It has really changed the dynamics of my company. My board has reorganized now so that our info-tech team reports into the board through a dotted line,” Sprecher said in March during FIA’s annual International Futures Industry Conference in Boca Raton, Fla.

Sprecher went on to explain that ICE has begun testing its own employees, noting that cyber attacks often start with breakdowns within the organization. “The keys to your company walk out the door every night,” he said, adding that enforcing a strict use of passwords, rather than a single password, is one good approach.

Information Sharing Key

What is clear in a market system that is all about competition is that combating cybersecurity risks is about sharing and cooperation. It is an issue on which exchanges, clearinghouses, regulators and industry participants are working together and exchanging information to better prepare against attacks and devise systems to recover data and operations after an attack.

“This is an area where the exchange community has no competitive area among themselves,” said Andreas Preuss, CEO of Eurex. “If we are not collectively getting this under control, we collectively can cause big systemic risks.”

Cooperation Network

In 1999 the U.S. Treasury Department spearheaded the formation of the Financial Services Information Sharing and Analysis Center. This private sector organization has become the financial industry’s go-to resource for cyber threats. FS-ISAC is unique because it was created by and for members and operates as a member-owned nonprofit entity. Membership is comprised of global banks, dealers, finance companies, hedge funds and others. It has been a critical tool in protecting banks and financial institutions. 

Greg Gist, a director in CitiGroup's office of emergency management, discusses the many facets of testing.

In the central repository at FS-ISAC, details about attacks are shared among participants alerting them to potential system weaknesses and potential computer viruses and malware designed to attack systems. All information provided to FS-ISAC is cleansed of identifying features to protect the companies that share attack details.

This network of cooperation is even more critical as financial systems become more and more linked.

“We see a lot of firms being more interested in doing this, because protecting the system as a whole is now much more important than just protecting my system by itself because of the way risk can be transferred through,” said Brian Peretti, director of the Office of Critical Infrastructure Protection and Compliance Policy at the Treasury Department. He also heads the Financial and Banking Information Infrastructure Committee, a group comprised of 18 financial regulators including the CFTC, the Securities and Exchange Commission, and the Federal Reserve, that meets monthly to discuss cyber attacks.

In addition, the race for speed and access has also added to cybersecurity risks.

“We went as an industry from analog to digital and there was an arms race of speed going to computers and all of us here were trying to have the fastest processor and the lowest latency network,” explained ICE’s Sprecher in March.

ORGANIZATIONS WORKING ON CYBERSECURITY

OCIP
Office of Critical Infrastructure Protection and Compliance Policy. The U.S. Treasury Department established this office after the September 11 attacks. Its role is to coordinate the department’s development and implementation of policies related to protecting critical infrastructure of the financial services sector.

FBIIC
Financial and Banking Information Infrastructure Committee. This group is made up of 18 U.S. financial regulators including the Commodity Futures Trading Commission, the Securities and Exchange Commission, the Treasury Department, federal banking regulators and others. This group holds monthly principal-level meetings in the wake of a growing number of cyber attacks.

FSSCC
Financial Services Sector Coordinating Council. This group was formed at the encouragement of the U.S. Treasury Department to strengthen the resiliency of the financial services sector against attacks and other threats to critical infrastructure. It is a private sector group representing financial services providers such as banks, exchanges, insurance companies, clearinghouses and electronic payment systems as well as industry associations such as FIA. 

FS-ISAC
Financial Services Information Sharing and Analysis Center. This private sector group was formed in 1999 and is the financial services industry’s go-to resource for cyber and physical threat intelligence analysis and sharing. It was created by and for members and operates as a member-owned non-profit entity. 

CBEST
The cyber intelligence network and testing framework launched in 2014 by the Bank of England. The framework gathers information and threat intelligence from various sources and then uses the information for testing scenarios in the financial services sector through qualified testing firms.

“We as exchanges opened our doors and let a thousand flowers bloom so that everybody could connect to us. That attitude is going to change,” said Sprecher, adding that the exchange is going to have to be more restrictive about what comes in on the network and how access is enabled. He suggested broader use of encryption for example.

Top Concern of Regulators

The CFTC has responded in a number of ways to the growing threat of cybersecurity. For example, the CFTC’s core principles include provisions requiring clearinghouses and exchanges to maintain system safeguards and risk management programs, systems to notify regulators of incidents, and formal recovery procedures in place.

And while the CFTC has made this a priority in its examinations, the agency is not adequately funded to test systems itself, Massad has warned lawmakers. Repeatedly, Massad has said the responsibility for cybersecurity safety rests primarily with private institutions. As a government agency, the CFTC can set standards, he said, but it is the private institutions that run critical financial infrastructure that must carry out all of the comprehensive analysis and system work that is required.

What the CFTC has done, however, is made sure that exchanges and clearinghouses themselves have adequate testing and have followed best practices with independent testers, where appropriate, to do things like controls, testing, penetration testing and vulnerability testing, Massad said.

“We have incorporated cyber concerns into our examinations. Typically in our examinations what we’re looking for is the board of directors and top management setting the right tone with respect to these issues,” Massad told a Senate panel at an appropriations hearing in May, adding that not only must policies be in place, but also top management must ensure policy is being enforced.

CFTC officials have also indicated they are working on a release directed at critical market infrastructure entities that will build on the existing core principles. There are currently business continuity management best practices in the core principles in the Commodity Exchange Act and the Dodd-Frank Act that govern CFTC-regulated exchanges, trading systems and clearinghouses. At the March roundtable, staff discussed with participants whether expanding on the principles or drafting new rules involving cybersecurity testing should be proposed. Staff also were focused on how the CFTC might audit for compliance and whether participants could estimate the costs associated with any new requirements.

A Global Concern

Massad also highlighted that combating cybersecurity must continue to be a joint effort not only with the industry but also among regulators, both in the U.S. and globally.

“We're never going to be able to do all this by ourselves. It's important that we work with other regulators,” he said. “We simply cannot address this risk with the budget that we have and these threats.”

In that vein, in 2013, the Bank of England began taking an active interest in state-driven terror cyber attacks, moving away from cybercrime, e-fraud and other long-established patterns in the on-line cyber crime world. After consulting with the financial services industry and others, the central bank established a framework for testing called CBEST. It differs from other security testing undertaken by the financial services sector because it is threat intelligence-based, meaning that it is based on actual cyber threat intelligence in addition to simulated scenarios.

A CBEST test involves three parties: a regulated entity, a private sector penetration testing company and the Bank of England. In addition, the penetration testing company must be qualified as a member of the CBEST scheme.

David Evans, senior manager for sector and supervisory cyber support at the Bank of England, warned that CBEST is not a panacea to cyber threats. “You can’t expect to do one of these tests and you will suddenly become cyber secure or cyber-resilient. It’s a component,” he told panelists at the CFTC roundtables.

“The regulator will have a view of what’s critical that that organization does. The organization will have a view of what’s critical. And perhaps the Bank of England, independently, is sort of looking at a financial stability angle, and the system as a whole might also have a slightly different perspective,” said Evans.

CBEST provides a holistic assessment of a financial service or infrastructure provider’s cyber capabilities by testing people, processes and technology in a single test.

“We wanted to come up with a repeatable testing framework that incorporated all of the sort of better practices in terms of a penetration test, but we wanted to also include threat intelligence as a key component of that part,” Evans said. 

Much of the financial services industry-led testing that was established for business continuity and disaster recovery is now focusing on cybersecurity and considering what additional tests could be beneficial.

FIA’s Annual Test

Every fall for the past 11 years, FIA has worked with a broad cross-section of market participants, exchanges and clearinghouses to test and prepare for potential market disruptions. Over the years, the group’s work has served as a significant tool to help exchanges, clearinghouses and clearing and non-clearing firms prepare and operate during market disruptions.

For example, Superstorm Sandy, which shut down markets on the East Coast, was a true test of the work of this committee.

The 2014 test–organized by FIA’s Information Technology Division’s Business Continuity Committee–was conducted last October and focused on disaster recovery back-up connectivity and functionality between exchanges, clearinghouses and member firms. The test was successfully conducted among 24 domestic and international futures exchanges, clearinghouses and swap execution facilities as well as 62 clearing/non-clearing firms.

The test, which will include more of a focus on cybersecurity risks, will take place again in the fall of 2015 and again it will be coordinated with the Securities Industry and Financial Markets Association, as there are member firms that are joint FIA/SIFMA members. 

CFTC Commissioner Christopher Giancarlo and Chairman Tim Massad listen to expert advice on how to manage cyber threats.

John Rapa, president and chief executive officer of Tellefsen and Co, helped manage the testing for FIA and spoke at the CFTC roundtable. He highlighted the importance of having a direct line to top executives and others within an organization when it comes to managing and protecting against cyber threats. He and others warned that tests have to change as threats change, and talked about the need for tabletop “war room” scenario planning exercises with management teams.

“You can’t keep doing the same thing over and over again. You’ve got to mix it up,” he said. “When you start to plan these things, you’ve got to think deviously. We are at war here.”

David Evans discusses the work the Bank of England has done with financial firms to test for cyber threats.

Panel participants were asked whether comprehensive end-to-end enterprise resilience testing is needed. Participants stressed the focus should be on resilience and the ability to resume business.

They were concerned about the operational impact of end-to-end testing, which most participants felt could be difficult. Greg Gist, director of industry relations at Citigroup in its office of emergency management, explained there are many different levels of requirements for testing: the threat environment, which might be tested with internal auditors; testing with a firm’s partners; and testing with third-party suppliers. He noted that the number of tests firms now experience is eating up “the green zone” of time and firms have very scarce resources.

David Garland, director of business continuity management at CME, suggested there should be smaller disaster recovery unit tests, which are more ongoing and could ultimately reduce spending on larger industry-wide testing. He too stressed the importance of tabletop tests in addition to actual fail-over tests.
