If you are in the futures business and haven’t taken steps – or taken the right steps – to minimize the threat of cyber attacks, consider yourself warned. If you think you’re off the hook because your trading and clearing systems are not Internet facing, think again. Those systems may be less vulnerable, but they are still susceptible to targeted attacks. Even the U.S. military’s secret intranet system, called the SIPRNet, was successfully attacked with infected thumb drives.
This past March at a Commodity Futures Trading Commission (CFTC) roundtable, Chairman Timothy Massad said, “Cyber security is the most important single issue facing our markets today.” The CFTC now requires clearinghouses and exchanges to maintain system safeguards and risk management programs. Massad emphasized that the CFTC has made this a priority in examinations.
Attacks range from annoying to existential, from denial of service and theft of proprietary information to destruction of records and computers. To minimize this threat you need confidentiality, integrity and availability.
Confidentiality and availability are straightforward: Can you protect sensitive information, and are your systems available to use when needed? Integrity, perhaps the most crucial, means that your systems and data work as intended and have not been tampered with.
There is a saying in the U.S. intelligence community that goes, “paper is safer.” That’s why if you ever roam the halls of the CIA or any other intelligence agency, you won’t see employees carrying tablets or other fascinating Mission Impossible-like devices; cell phones aren’t even allowed in the building. They’ll have a pad of paper—easy to shred—and a pencil.
No defense is foolproof, and no one wants to return to pencil and paper. Many attacks originate with emails containing malicious links. Relentless employee training can reduce but not eliminate the risk. According to a cyber official at the Depository Trust and Clearing Corporation, 40% of employees in a financial company will click on a malicious link; if you can get it down to 20% that’s really good. But given that cyber attacks often thrive on volume—e-mails day after day, some more convincing than others—even cyber pros have accidentally clicked on these links. As a result, you must treat intrusion as inevitable while simultaneously hardening your systems to minimize break-ins.
Cyber security firms can analyze system vulnerabilities and provide penetration testing. You can also limit access privileges to those consistent with each work role (not everyone needs access to everything), and use automated patching and network segmentation so that if an infection occurs it does not spread.
If firms do not enhance their defenses, regulators will compel them. In late August the National Futures Association (NFA) requested approval from the CFTC for an interpretive notice requiring firms to adopt a written cyber security plan, tailored to each member and updated annually. Among other things, the plan must assess security gaps, review the security posture of vendors and require thorough employee training.
Other regulators have followed suit. In February, FINRA released a Report on Cybersecurity Practices for broker-dealers, and in April the Securities and Exchange Commission released a Guidance Update regarding cybersecurity. In addition, the Third Circuit Court of Appeals ruled in August that the Federal Trade Commission can regulate the adequacy of a company’s cyber defenses pursuant to a 1914 statute that prohibits “unfair or deceptive acts or practices.” The Court held that “the relevant inquiry here is a cost-benefit analysis.” In other words, what constitutes a reasonable investment to minimize cyber risks – and the liability that could arise should a breach occur – will vary with the entity. A small business need not make the same cyber investment as a Fortune 500 company.
But the challenge is clear: How do we make markets more resistant to cyber attacks while not impairing marketplace vibrancy and fair access to trade execution and clearing? Existing CFTC regulations require policies and procedures to protect customer information.
These rules and regulations, however, do not explain how to do a cost-benefit analysis. The NFA’s proposed interpretive notice provides guidance, but leaves ambiguity by granting each “member flexibility to design and implement security standards, procedures and practices that are appropriate for their circumstances.” The NFA and CFTC also have identified the National Institute of Standards and Technology Framework for Cybersecurity as another source of guidance, but some experts question the practical utility of the NIST Framework.
This ambiguity is likely to remain as the industry experiments with varying levels of cyber defenses, but it is vital that firms get it right.