FLASH FRIDAY is a weekly content series looking at the past, present and future of capital markets trading and technology. FLASH FRIDAY is sponsored by Instinet, a Nomura company.
Concern about cybersecurity is a quintessential “evergreen” – not especially time-sensitive – topic in financial journalism. Concern is always out there, and presumably always will be, so a reporter can always run a story about that concern.
But the topic has recently moved from the newspaper equivalent of perhaps page B6, to front page, above the fold.
Cybersecurity, and its close cousin cyber resilience, were indeed headline discussion topics at the annual International Futures Industry Conference in Boca Raton, Florida this week. Cybersecurity is a perennial at FIA Boca, but on the heels of the recent ION ransomware attack and amid war in Ukraine and increased geopolitical tensions, it was decidedly front-burner this year.
Rather than just a brief mention or two toward the end of a technology panel, this year there was a dedicated “Building Industry Resilience” panel; cybersecurity seemed to be oft-discussed in sideline meetings; and the topic got prominent airtime during the always-well-attended Exchange Leaders panel.
In a recent ICE House podcast, CME Group Chairman and CEO Terry Duffy notably said “The biggest issue facing the world today is cybersecurity.”
Duffy expanded upon that at FIA Boca. “It’s very frightening,” he said on the March 14 exchange panel. “You can throw all the money you have at the problem and still not fix it. You can only do your best to harden systems.”
Coincidentally, on March 15 the U.S. Securities and Exchange Commission proposed new rules to address cybersecurity risks in securities markets. “The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades,” SEC Chair Gary Gensler said in a release. “Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age.”
What was the state of cybersecurity a decade ago? The specific threats have evolved, as have corporate defenses. But in a broad sense, the threat is the same.
According to a March 2014 Bloomberg article: “The Financial Stability Oversight Council, a group of regulators led by the Treasury Secretary, said in its 2013 annual report that successful cyber-attacks could pose a threat to the stability of financial markets. Among exchanges, 89 percent said cybercrime should be considered a systemic risk, according to a 2012 International Organization of Securities Commissions report.”
FIA Boca panelists noted that the issue with cybersecurity is that even if all the cyberthreats of a given moment were vanquished, a new threat would surface within the next week, or day, or even hour or minute. The term “zero-day” describes a software vulnerability that security teams are unaware of, meaning they have had zero days to work on a security patch or an update to fix the issue.
Speaking on the Building Industry Resilience panel at FIA Boca, CFTC Commissioner Christy Goldsmith Romero highlighted zero-day vulnerabilities as one of three major threats for securities firms, along with ransomware and potential exposure via third-party service providers.
Panelists said close assessments of service providers are a necessary part of an ongoing “good cyber hygiene” regimen. “You’re only as strong as your weakest third-party service provider,” Goldsmith Romero said. “It takes everyone working together and doing their part.”
“Who has access to your critical systems and data? Do they need it?” Goldsmith Romero asked. “To the extent that they do need it, you need to do a heightened review.”
The heightened cyberthreat may prompt some exchange operators to reassess their moves into the cloud, at least for now. The dominant U.S. cloud providers, Amazon, Google and Microsoft, may offer more secure environments than “on-prem”, but migrating still represents an outsourcing of security, and there’s also some concentration risk given there’s just the trio of big tech providers.
Big-picture, financial market cybersecurity can be considered more at-risk given tenuous relations with Russia and China. “The need to harden critical infrastructure when there’s a cold war going on is very real,” SGX Head of Equities Michael Syn told Traders Magazine at FIA Boca.