Remarks by FIA President and CEO Walt Lukken before the US Commodity Futures Trading Commission's Market Risk Advisory Committee on 8 March 2023 in Washington, D.C. As prepared for delivery.
CFTC Commissioner Johnson, fellow members of the Commission, thank you for holding this important and timely discussion about the recent ION Markets cyber incident.
A timeline of events
In the early morning hours of Tuesday, January 31, London time, FIA became aware of an outage at ION Markets impacting the trading and clearing of exchange-traded derivatives. FIA immediately began working with members to identify the scope of the outage to assess the potential impact on our markets.
ION is a software service provider that offers middle- and back-office products to a number of clearing firms that are active in futures markets, not only here in the US but also in Europe, Asia-Pacific and the rest of the Americas. Those services are embedded in the execution and clearing workflow at these firms, and any disruption makes it difficult for firms to process their trades in a timely and efficient way.
By roughly 7:30 a.m. Eastern Time, it became clear that this outage was significant and widespread. We also heard the first rumblings that this was not simply an outage, but possibly a cyber incident.
Later that morning, FIA held a call with roughly 150 industry members from the Americas, Europe and Asia. We held three additional calls with members that first day, including an evening call with members in the Asia-Pacific region – many of whom were just waking up to news about the ION outage.
Also on that initial day, once the severity of the outage had become clear, FIA contacted CFTC division staff to share what we had learned from our members and to highlight some potential regulatory challenges for the industry. We also reached out to the National Futures Association and key non-US regulators to inform them of the same.
Over the course of that week, we continued holding regular calls to coordinate with our global membership. Our calls were scheduled during global trading hours and grew from 150 invited participants to more than 700 individuals from around the world by week’s end. They included staff at clearing firms, exchanges, CCPs, service providers and some regulators.
These calls were critical for the sharing of important information amongst market participants to keep the markets open and functioning. The calls also served to identify regulatory and reporting challenges for affected firms, allowing FIA to expedite requests and dialogue with the CFTC, NFA and other global regulators around necessary regulatory relief.
On Monday, February 6, after ION accelerated the recovery and rebuild of their systems over the weekend, our industry began the “reconnection” phase of the incident. To assist firms during this stage of the recovery process, FIA shared industry protocols and best practices for reconnecting systems, such as the guidance developed by the Securities Industry and Financial Markets Association in coordination with the US Treasury Department.
It is our understanding that firms utilizing ION’s software suite are now back to business-as-usual operations.
The importance of flexibility and communication during a crisis
With this timeline as background, I’d like to share some initial observations. First, the importance of flexibility and communication during a crisis cannot be overstated. We were quickly able to centralize information, dispel rumors and urge calm, and share practical advice and experience. Many of the tools that helped maintain a sense of community during the onset of the COVID pandemic – like Microsoft Teams and Zoom – made it easier for our members to connect and share information throughout the crisis.
Exchanges and clearinghouses from around the globe, from Australia to North America, deserve a lot of credit for their response to this incident. They were flexible in extending deadlines, giving firms more time to recover data, keeping clearing windows open and providing confidence that the markets would continue to function.
The Commission and National Futures Association also deserve credit for their direct engagement with market participants throughout this crisis, and the flexibility afforded to some of the reporting requirements for registered entities. These actions reduced stress when the markets were most vulnerable without adding risk to the markets.
Strengthening our resilience against future cyber incidents
Looking ahead, today FIA is announcing the formation of a global Cyber Risk Taskforce to look at the ION event and to develop recommendations for improvements to our markets. This taskforce will focus on several areas including existing cyber protections and protocols, the effectiveness of the industry’s initial response, best practices around reconnection, and safeguards around third-party service providers. We aim to release an initial report by the second quarter of the year.
Many CFTC registrants are already subject to cyber requirement rules through NFA and through prudential and other regulatory regimes. Our taskforce will catalogue these existing requirements and determine whether additional measures are needed to strengthen our industry’s resilience.
Our goal is to avoid redundancy and ensure that if a similar incident occurs in the future, the industry will be better prepared and clearly coordinated in how to respond.
Business continuity testing is crucial to helping derivatives firms prepare for unplanned market disruptions of any kind. Since 2004, FIA has hosted an annual disaster recovery exercise for market participants from around the globe including exchanges, regulators, clearinghouses, clearing firms, service providers, executing brokers and software vendors. With a new lens toward the events that occurred at ION, FIA is reviewing this annual exercise to determine whether it needs to be modified.
FIA also recommends simulated exercises aimed at improving responses to a range of cyber-threat scenarios within the US financial sector, including members of both the public and private sectors.
FIA is committed to working with the CFTC, NFA, and the broader derivatives industry to ensure our markets are resilient against cyber threats. We also plan to engage in a similar way with the CFTC's counterparts in other parts of the world. Thank you for the invitation to discuss these important topics today.