Financial system is alarmingly vulnerable to cyberattack

A ransomware attack on an Irish-based firm has caused havoc in commodities markets

A recent cyberattack on Dublin-based Ion Markets saw some firms revert to paper ledgers for reporting purposes. Photograph: iStock
A recent cyberattack on Dublin-based Ion Markets saw some firms revert to paper ledgers for reporting purposes. Photograph: iStock

Derivatives traders tend to watch the US Commodity Futures Trading Commission closely on a Friday. This is the day the CFTC normally releases its weekly “commitments of traders” report showing overall positioning in derivatives markets, such as oil futures.

This month, however, the data has been missing in action because a small, publicity-shy data group called Ion Markets – headquartered in Dublin, but used by dozens of American and European players – suffered a ransomware attack on January 31st.

Todd Conklin, the US treasury deputy assistant secretary, scrambled to reassure investors by stressing that “the issue is currently isolated to a small number of smaller and midsize firms, and does not pose a systemic risk to the financial sector”. Phew.

However, the attack forced Ion’s customers to use old-fashioned paper ledgers for a period, making it impossible for the CFTC to collate the sequential positioning data. Some traders tell me this might have had ripple effects on prices.

READ MORE

In recent years, the financial sector has quietly slid into a state of high dependence on third-party tech vendors, both big and small

And since the report seems unlikely to reappear soon, this incident is a wake-up call that investors cannot afford to ignore. For what it shows is that, in recent years, the financial sector has quietly slid into a state of high dependence on third-party tech vendors, both big and small.

This “creates a major source of [new] risk”, as Rostin Behnam, the CFTC chairman, notes. That is partly because these entities are only lightly supervised at best, since they fall outside the remit of financial regulators. The vendors’ own customers also have patchy visibility of their operations. (One shocking twist in the Ion saga is that the company has offered no public updates on events, aside from a terse initial statement).

The other issue is that malicious attacks on western financial and business infrastructure are accelerating, both from hostile governments such as Russia and criminal gangs. “A 2022 survey of 130 global financial institutions found that 74 per cent experienced at least one ransomware attack over the past year,” says Christy Goldsmith Romero, a CFTC commissioner.

Moreover, these attacks have become so sophisticated that the US department of justice now talks about the emergence of ransomware as a service (RaaS), she notes: a wry pun on the well-known investment term “software as a service”, or SaaS.

Is there any solution? Regulators and financiers are furtively tossing ideas around. The CFTC says it plans to create a “cyberresilience framework for brokers and dealers”, with rules requiring them to monitor their tech vendors. This echoes the Digital Operational Resilience Act recently adopted by the European Parliament, which also makes financial groups accountable for the security of tech vendors they use.

But these reforms still seem far too modest to resolve the problem. One reason is that the border-hopping antics of tech vendors such as Ion can easily slip between the cracks of national regulators, without better co-ordination. In any case, it does not seem either feasible or fair to expect financial companies to police these tech vendors themselves.

Heavy-handed state control would be wildly controversial in a country such as America, since it seems to contradict corporate governance principles and the cult of market innovation

So some observers are now considering more radical ideas. One, floated last year by Brett Goldstein, a former cybersecurity expert at the Pentagon, is that the US government should restrict companies’ choices around vendors to a preapproved list. After all, he notes, a hack to core financial infrastructure would be a national security issue.

However, this heavy-handed state control would be wildly controversial in a country such as the United States, since it seems to contradict corporate governance principles and the cult of market innovation. So another, more realistic, route would be to expand the regulatory perimeter – and ask financial regulators to scrutinise tech vendors and other digital companies themselves.

As it happens, some central bankers are already pushing for this because big tech groups such as Apple are starting to offer financial services. Another impetus is that banks, brokers and asset managers are becoming heavily reliant on a tiny collection of Big Tech entities, such as Microsoft and Amazon, for cloud computing.

As Michael Hsu, acting comptroller of the Currency, notes, there are “single points of failure” (Spof) risks in which the loss of one node hits the entire system, similar to the type of supply-chain problems that erupted during the Covid-19 pandemic.

And what is so alarming about the Ion saga is that it shows that the Spof problem is not limited to Big Tech alone. “Without a doubt, a regulatory rethink is warranted,” Agustín Carstens, head of the Bank for International Settlements, argues.

I strongly agree. But even if you think that Carstens’ plea is correct, the unpalatable reality is that this is unlikely to be implemented soon. For one thing, tech companies are likely to fiercely resist new oversight. For another, it is unclear whether financial regulators could even build the proper capabilities to monitor software groups – if politicians let them. There is a vast skills and culture gap.

So the unnerving reality is that there will not be a quick fix for the problems. Or not unless politicians, financiers, investors and regulators both strengthen their defences and push for reform. Without this, the next attack could do far more lasting damage than Ion. That is a scary thought. – Copyright The Financial Times Limited 2023