In a panel discussion about cyber resilience at FIA's Boca conference, key stakeholders from across the derivatives industry agreed on the importance of vigilance and communication to protect global derivatives markets.
Don Byron, FIA's head of global industry operations and execution, kicked off the discussion by framing the recent ION cyber incident not so much as a wake-up call as much "as a reminder of what's at stake, and the importance of being vigilant."
Those sentiments were echoed by Keith Todd, CEO of Trading Technologies, one of the industry's leading technology providers. Todd referred to the ION disruption as an "attack on the industry" rather than just one company. That means it’s necessary to think holistically and work together to build up the resilience of the entire industry.
"We have to remember the words 'enterprise risk' and not get distracted by just cyber risk and ION," Todd said. "There is a plethora of risks that we all should be thinking about."
Tom Wagner, managing director for financial services operations at the Securities Industry and Financial Markets Association, noted that the ION incident was a reminder of this broader approach to risk-management that is incumbent upon all market participants. Regarding third-party service providers in particular, Wagner said it’s incumbent upon firms to include cyber concerns and other operational risks in their cost-benefit analysis.
"Before you sign up with a third party, conduct your due diligence," he said. "That includes financial stability, but also diligence around cyber controls, business continuity and data resilience."
Randolf Roth, a member of the executive board at Eurex, the largest futures and options exchange in Europe, noted that cyber risks are widespread and require vigilance that cannot be viewed through a single lens such as the risks of third-party providers or cloud computing.
"Cyber attacks are a constant risk, and it doesn't matter if you're on premise or in the cloud. They're not going away, and you need to deal with it," Roth said.
One way to deal with cyber risks, as learned by the ION incident, is the importance of reliable data backups as a critical part of the recovery process, he added.
Commissioner Christy Goldsmith Romero of the US Commodity Futures Trading Commission expressed agency efforts to learn more about the risks of ransomware, "zero day" viruses and attacks where there is not yet a security patch developed, and the risks associated with third-party service providers.
As the sponsor of the Technology Advisory Committee (TAC), a group created to advise the CFTC on issues at the intersection of technology and markets, Romero said she recently built the TAC membership with an eye on technology experts rather than market experts.
She also mentioned the agency is currently considering a proposed expansion of notification requirements from Derivatives Clearing Organizations (DCOs) to the CFTC. This would include cyber incidents, but more broadly contemplate "triggering events" where a DCO "can't operate in the way you're expected to operate."
There are certainly reasons when confidentiality is appropriate on technology or even on the specifics of a cyber incident, said Keith Todd. "But it's still vital for the industry to discuss their controls and procedures," he said. That will help the industry remain vigilant against future threats and build lasting standards around business continuity and recovery.
The exploration of possible standards or protocols is part of the reason that FIA announced the formation of Cyber Risk Taskforce, that aims to provide the industry with lessons learned by the ION incident sometime in the next few months.
