The Boston Financial Futures Exchange (BOFFEX) is a publicly traded derivatives exchange, trading tens of millions of contracts each day across multiple asset classes in electronic markets across 23.5 hours, six days a week. It is one of the preeminent names in global financial markets, with over 2,500 employees across eight offices worldwide and its stock listed in the S&P 500 index.
And right now, hackers are holding its operations for ransom.
The cyberattack started innocently enough, with a BOFFEX employee opening an innocent-looking email from someone purporting to work at the U.S. Commodity Futures Trading Commission. But hidden in that message was a "worm," a malicious program that burrows deep into the internal network of an organization to infect all manner of computers, servers and systems.
Over a roughly five-hour period, more than 2,500 machines—almost every single workstation and mobile platform at the organization—was compromised by the worm, causing the devices to lock up and fail to function properly. In fact, just about the only thing these computers can do is display a red skull and crossbones along with a message that unless someone delivers $1,000 in the next 72 hours—payable in untraceable Bitcoin cryptocurrency—the data on these computers will be lost forever.
It's a nightmare for BOFFEX executives. Should they fight their way through the hacking, or pay roughly $2.5 million in ransom? And what happens if their plans fail to bring systems back online promptly?
How do they break the news that the malicious program has infiltrated their global address book and now mailed itself to some 30,000 contacts— including key service providers, regulators, exchanges and a host of other crucial partners in derivatives markets?
If this were you, what would you do?
Thankfully, BOFFEX is a fictional exchange and all of these events are mere fabrications. They are simply instructive examples, created as part of the FIA Market Technology Division's annual cybersecurity workshop that took place on Oct. 29 in Chicago to help the industry prepare in the event of a real cybersecurity attack.
Preparing a coordinated response
FIA's cybersecurity workshop, now in its third year, was developed by FIA in conjunction with consulting firm Tellefsen and Company. The workshop involves a "table-top" war room scenario where participants arrive without foreknowledge of the problem they will face, and must marshal their collective expertise to resolve the crisis.
"About five years ago, we started noticing that there were some high-profile cybersecurity attacks and pressures from governments and regulators to make the system more resilient. I started to get my hackles raised and helped develop the idea of this exercise," said John Rapa, managing partner and CEO at Tellefsen and Company.
Other trade groups conduct similar exercises, including the Securities Industry and Financial Markets Association, which hosted its fifth "Quantum Dawn" cybersecurity exercise on Nov. 7. Regulators also are focused on cybersecurity preparedness, including programs offered by the U.S. Department of Homeland Security and the European Union Agency for Cybersecurity designed to help financial markets participants prepare for the worst. However, Rapa notes that many of these organizations tend to focus on the most visible parts of the financial system and overlook the specific problems associated with cleared derivatives markets.
"Organizations conduct workshops like this for the broader financial system, but sometimes the last thing they consider are those people in Chicago and London who trade derivatives," Rapa said. "Those in the industry know that it's really the tail wagging the dog though, because derivatives markets have direct correlation to the cash markets."
"The goal of FIA's annual workshops is to simulate a significant business disruption that poses systemic risk to the futures industry and global financial markets," Rapa said. "The audience we get to come to this are the types of people that would need to collaborate if this were a real problem. It's not just technology people, it's the business side and people from client services and people from senior management, key vendors and law and compliance."
This year's workshop featured 41 participants. Firms represented at the event include a wide swath of the market, including executing and clearing brokers, key service providers, exchanges and clearinghouses.
The scenario varies each year and always carries unique quirks. For instance, the ransomware threat in 2019 was specifically crafted in a way that used Bitcoin as the payment method—and explicit guidance in the scenario that the FBI advised BOFFEX that choosing to pay up in the cryptocurrency may place it in violation of anti-money laundering regulations.
Cybersecurity scenarios in previous years had included the alteration of internal data by a disgruntled employee and a major disruption at a cloud-based back-office systems provider.
Having key participants practice a response to detailed threats in real time is an invaluable exercise in preparing for the disruptive and urgent event of a cybersecurity attack in the real world, Rapa said. The workshops focus on highlighting the importance of business continuance planning and coordination in a time of crisis and challenging the industry's understanding of its current systems and risks so they can be better prepared.
The "ransomware" attack outlined in this year's cybersecurity workshop was a particularly important exercise, said Rapa, noting that ransomware infections have "a low barrier to entry with a fairly high payback on investment" for hackers and have become increasingly popular. He points to the May 2019 ransomware attack on the U.S. city of Baltimore—a major urban area with more than 600,000 residents—that cost the city more than $18 million in total damages and lost tax revenues and took more than a month to resolve.
A commitment to business continuity
The cybersecurity workshop is the natural evolution of a long-term focus by FIA on business continuity management issues.
For 15 years, FIA's Market Technology Division has facilitated an industry-wide disaster recovery exercise that is a combined effort across exchanges, clearinghouses, swap execution facilities, futures commission merchants, key service providers and related entities. Developed in the wake of the Sept. 11, 2001 terrorist attacks in that caused major disruptions to financial markets, the annual business continuity exercise is designed to test transactions from backup systems to ensure market resiliency in case a disaster disables an organization's primary systems.
Such a coordinated effort by FIA helps ensure that key market participants are prepared, but also allows for an efficiency and economy of scale across the industry by offering a common date when exchanges, trading firms and service providers can all make time to send over and validate the full life-cycle of test orders in a minimally invasive way.
This year's business continuity test, conducted separately from the cybersecurity exercise, involved representatives from roughly 100 market participants and supporting entities.
Don Byron, FIA's head of global industry operations and execution, said the annual cybersecurity workshop builds on the organization's longstanding and important role in developing and implementing industry-wide solutions.
"A workshop like this is something no single firm can do effectively on its own without the help of FIA," Byron said. "Modern derivatives markets are so interconnected and complex that you have to have a variety of stakeholders at the table to fully understand cyber threats and craft an effective response."
The annual cybersecurity exercise and coordinated business continuity tests of backup systems and back up sites is only one example of the services FIA offers. Its FIA Tech arm helped develop and deploy its "Tag 1031" simplified execution source code schema to provide futures industry participants that are downstream of execution with a set of codes that indicate how trades are executed and reduce disputes over brokerage fees. FIA has also published a due diligence questionnaire for IT outsourcing and procurement to help protect market participants.
"As a trusted source of operational expertise and the central point of contact for the industry, FIA plays a vital role in ensuring that all market participants are working together to ensure the safety and resiliency of the system," Byron said.
Guarding against future threats
Jan Guido, the IT service continuity manager at ABN AMRO Clearing Chicago and one of the cybersecurity workshop's moderators, stressed that scenarios like the one explored in the October event are not just intellectual exercises. They reflect real-world threats that can happen at any time.
"We did our presentation on Tuesday, and Wednesday one of the people in my group who was a consultant showed me an email from a client asking for help because they were attacked by ransomware. The email said they had to deliver 35 bitcoins (about $30,000) per PC—or else," Guido said. "It was exactly our scenario. It was almost like they hacked the script from the workshop itself."
Preparing for such eventualities and practicing how to respond under pressure is critical for market participants, she said. That means conducting workshops and role-playing on a regular basis. For instance, Guido said she conducts quarterly tabletop cybersecurity exercises internally at her firm, and conducts regular reviews of the crisis plan at the organization.
"If you want to be resilient, you have to practice and you have to make sure you're not making decisions based on emotion in the moment," she said. It's also important for organizations to not be afraid of experiencing challenges in one of these exercises as part of the learning process, she added, noting that identifying a breakdown in a workshop is far more preferable to experiencing a failure in real time.
While some other sectors of the global economy may not be as prepared for the very real threat of a cybersecurity event, she gives the derivatives industry a a whole a "solid B" for its across-the-board cybersecurity preparedness. She said that preparedness starts at the very top, and that senior management at ABN AMRO fully understands the importance of preparing to meet cyber challenges—even if the regular workshops and training sessions she runs interrupt regular business operations.
"I have to be the friendliest person in the office to wrangle people sometimes for these exercises," she admitted. "It's a little bit like going to the dentist. There's a mental acknowledgement that this is important, but squeezing this into people's eight-hour day is always a practical concern."
"But senior leadership really doesn't want our organization's teeth to fall out, so to speak. They want us to be healthy and resilient," Guido said. "They are very supportive of these efforts, as are most leaders in our industry. They know what's at stake."
Whether it is preparing for a cybersecurity attack, rehearsing plans for a natural disaster or simply exploring best practices in operations to ensure reliable operations, John Rapa of Tellefsen agrees that it is important for all market participants to put in the time that is necessary to ensure the resilience of their operations. He said that "developing a business continuity strategy is not a one-time exercise," and that the regulatory and technological environments move so fast that organizations cannot afford to be caught standing still.
"Over 22 years in the industry I've seen a lot of changes," Rapa said. "But each new challenge is different than the last. This is such a dynamic industry that if you went into a cave for two weeks and were out of this world of cleared derivatives, when you came back out you'd be so far behind the information curve it would make your head spin."
That is why it is so important for organizations to stay committed with regular tests and training, keeping a persistent focus on operational issues.
"Markets are evolutionary, not necessarily revolutionary. On the days when you had thousands of people on the floor, you had to account for how to relocate them and how to keep doing business. Now you have technological tools to facilitate that so I can trade from the beach or my car—or if I work in IT, that I can transfer operations from production to a backup site from home in my pajamas," Rapa said. "Both come with a very unique set of risks. And it's through events like FIA's cybersecurity workshop where we throw stuff at you and try to figure out how this dynamic, constantly changing marketplace works at this moment in time, and where we can make things better."
But he is quick to point out that the goal of any exercise is not to provide a prescriptive solution to a single technological problem. Instead, Rapa said, the goal is to teach firms good behavior they can use in any crisis as they stay flexible, think critically under pressure and coordinate with the rest of the industry in the event of a market disruption.
"If there's a cyber problem that is limited to one big bank's operations, they have a whole team internally to deal with that. But those people are going to be way removed from the FCM part of that bank's business," he said. "So really the cybersecurity exercise is about looking at futures-specific disruptions that have real potential to cause a breakdown that may not be as obvious but have tremendous potential to cause harm. It's everyone's job in this industry to know those risks, and make sure we know how to work together to protect the system for everyone who uses it."
Ransomware attacks on the rise
Over the last few years, the volume and ferocity of cyberattacks has steadily risen, with ransomware a particular concern. Ransomware attacks involve a rogue agent taking advantage of malicious software that has been placed in a company's computer systems to render the devices useless—unless, of course, a ransom is paid to unlock the data. There is a low barrier to entry with a fairly high payback on the investment. If an affected party refuses to pay the ransom, they can suffer permanent loss of data via irrevocable encryption that makes files inaccessible.
- Global ransomware damage costs are predicted to hit $20 billion in 2021, up from $11.5 billion in 2019, $5 billion in 2017 and $325 million in 2015. Many attacks go unreported to the authorities, so the cost could be even higher.
- Over 55% of small to medium businesses say they would pay the ransom. This grows to 74% in large organizations.
- The aftermath of a ransomware attack can cost business downtime 10x more than the ransom requested.
- 96% of organizations that paid the ransom received a decryption tool from the hackers. The decryption success depends on the type of ransomware.
- Ransomware infections in the cloud continue to increase, with more than half involving Microsoft Office 365 as the main target of an attack.
- Lack of cybersecurity education is a leading cause of successful ransomware attacks, and education is by far the cheapest and most effective deterrent for an organization.
Source: Tellefsen and FIA's Market Technology Division
- Industry Operations
- Operational Resilience