The Commodities Futures Trading Commission (CFTC) recently finalized a set of cyber security rules, designed to help safeguard its systems from breaches; but worries about hacking and possible terrorism remain.
There have long been
concerns that Cyberman-like terrorists or hackers could compromise the world’s financial markets by attacking exchanges or banks. On numerous occasions, the CFTC has stated that cyber security is the
single biggest threat to the stability of the global financial markets. So are its new rules for exchanges, clearing houses, trade repositories and dealing platforms enough?
The rules require testing of technology to identify vulnerabilities, internal and external security penetration and controls testing, incident response and technology risk assessment. Some have questioned that the frequency of testing is not enough. After
all, is
quarterly vulnerability testing enough, when hackers are adapting their techniques on a daily basis?
Earlier in the year, the
Anonymous hacker group conducted a month long attack on financial institutions, amongst them many central banks and the London Stock Exchange, whilst SWIFT recently
revealed more attacks on banks had taken place since the $81m theft at the Bangladesh Bank.
The question is, should regulation as that being introduced by the CFTC only apply to exchanges and venues - or to all market participants? An
examination of what happened at the Bangladesh Bank revealed many shortcomings, not least the lack of firewalls and the use of
second-hand networking equipment. So how could better technology have helped reduce the scale of this loss?
Prevention is a better than a cure, especially in the case of disrupting strategically important financial markets. This means, to start with, it is imperative that firms have an understanding of their IT infrastructure and are able to identify which systems
are connected to the outside world, as well as with other internal systems.
Extensive security on these systems is crucial, as is threat management, so that identified weaknesses in systems can be patched in a timely fashion. Without understanding infrastructure and where you are exposed to the outside world, it’s impossible to
put in place the sort of vulnerability and penetration testing that the CFTC is proposing.
Automated monitoring, using technologies such as streaming analytics, would have helped in many stages of the Bangladesh heist. Monitoring rules could have raised alerts when out-of-hours messages were spotted, or sounded an alarm at the suspicious destination
of large transfers.
The misspelling of a Philippines-based recipient, which was manually identified by chance, could have been identified automatically, in real-time. In fact such monitoring could have prevented the message transmission entirely. Real-time monitoring could
have spotted that hackers were covering their tracks by deleting received SWIFT confirmation messages, as the messages would have been monitored in real-time as they arrived.
Alerts are not effective though, if there is nobody on hand to see them. Correct scoring or prioritization of alerts, combined with mobile technology would have helped. But, more importantly, a response plan with processes, procedures and escalation policies
all in place would ensure a controlled and timely response. This might even have helped to flag when the Bangladesh central bank’s SWIFT system had been compromised over a bank holiday weekend.
Clearly cybersecurity should be taken seriously, and the CFTC’s rules are a good start. But there is a long way to go before banks, central banks, exchanges, clearing houses, repositories and trading platforms are invulnerable. Preventing the rise of the
Cybermen will require more than just a sonic screwdriver.