Raising The Standard For Cybersecurity


Michael Cooper, CTO BT Radianz, Lisa Toth, Global Head of Regulation and Risk, Hatstand, a Synechron Company, Chris Bok, Consultant, Jordan & Jordan examine ongoing changes to the cyber security landscape, and how the industry can work together to combat the risk.
Michael: The Cybersecurity landscape remains complex and problematic. Barriers to entry for those wishing to disrupt, attack and exploit vulnerabilities are being almost constantly lowered. This is compounded through effective use of collaboration in the exchange of information and with rapid dissemination and innovation of exploits. Further, the volume of criminally incentivised, as opposed to disruptive/ opportunist-oriented attacks seems on the increase. So the challenge of sustaining security has become more difficult, more complicated but increasingly important.
Alongside this is an increased awareness and recognition of that risk, coupled with an expectation that firms must address this. One consequence is that obligations and responsibilities have become broader and more onerous to execute. Legislators and regulators are continuing to raise both expectations and mandates.
Lisa: In light of the high profile cyber events that have been in the news recently, all across the globe we are seeing central banks reminding their members that they must have robust cyber security, governance, policies and procedures in place. We are also seeing countries examining the regulations they already have in place and looking to set up further rules. The Hong Kong monetary authority announced earlier this month that this year it will be publishing a cyber security assessment framework, a similar step to the FFIEC. The regulators are definitely taking note and are looking at their member firms to ensure that cyber security is embedded within their culture, policies and procedures.
SEC and FINRA have put cyber security preparedness as a high priority for their 2016 exam review, and in the UK, the FCA announced that its member firms are not doing enough to protect themselves from cyber breaches. It is therefore likely that we will see many more fines being levied against firms with insufficient policies and procedures and as well as against those firms who have experienced cyber breaches and subsequently failed to remediate the issues.
There have been three cyber security-related fines imposed by the SEC recently. Last year, $75,000 was applied to a regional broker/dealer, in January 2016 there was a fine of $100,000 against a fin tech firm and more recently, a large investment bank was fined $1 million. The scale of the fines is increasing rapidly.
Michael: Clearly the regulatory position is evolving and becoming more stringent as regulators seek to incentivise markets and market participants to respond. Alongside of this, there is clearly more regulatory content to consume, and this is not entirely aligned globally. So while the intentions are right, there is additional complexity in different timescales, expectations and specification – additional complexity in an already complex area.
Lisa: In April, IOSCO released a report highlighting some of the key global regulatory initiatives that are underway and continually use NIST as an example of a robust framework. While IOSCO doesn’t actually come out and recommend that everybody base their cyber security framework on NIST, they are publishing them as examples.
Michael: There are also a number of forums being set up within different sectors and parts of the market which are regulatory-inspired. In addition, there are entities like IOSCO seeking to do something at the macro level and there are others trying work at a more micro level. So there is more activity overall, not just in terms of regulation, but in terms of the industry’s response to it.
Identifying solutions
Michael: I believe that most people will have a decent awareness of the issues and risk presented by cyber security – particularly following some of the recent bigger, more publicised events. The challenge for firms is to identify what they can do given the resources, knowledge and assets they have.
Lisa: To look further at this, it comes down to how sophisticated firms are in terms of their cyber practice. Some firms view cyber risks as purely a technical or IT solution, so they put in place firewalls and anti-malware and think that they are protected – but there is so much more to it than that. Firms do need to have IT solutions in place, but they also need clear governance, policies and procedures, and in addition they must have suitable response plans in place.
These should be embedded as part of their business continuity and disaster recovery planning. Firms should have a risk register, and be able to identify the types of cyber security risk that they face. Then they should create threat scenarios and test against them. Firms should be doing penetration testing, vulnerability assessments and then testing their response plans. If they go through these preparatory steps they will find that the amount of time it takes to identify and resolve a breach will significantly reduce. Investment up front will reduce potential exposure to a cyber breach at the back end.
Michael: The market has made considerable progress but obviously there is still a long way to go. Some of this is around security practice; how firms need to operate and the decisions they must consider and ultimately make. There is a big step up required before this practice becomes industrialised. Firms are doing it more than perhaps they were before, but there’s still much more to be done.

Role of the working group
Michael: We have a responsibility and a role to play here. We recognise that this is a complex multidimensional problem. In addressing this, we facilitate knowledge-sharing by enabling people to ask questions to which we try to supply answers that are community-centred in nature and around best practice.
Chris: Last year, the working group focused on updating the 2008 Security White Paper. It found that many of the answers to the outstanding questions were still relevant but needed to account for changes in technology and more sophisticated malicious 3rd parties.
So we developed a number of threats scenarios which we believed adversaries could employ to attempt to penetrate a FIX network. We outlined why we believe that FIX has mitigations in place and that it is essentially self-correcting from the functional point of view. It included diagrams and architectural illustrations showing how we believe that FIX is self-protecting.
In addition, we also wanted to educate the community regarding the cyber security landscape. To do this, we developed a cyber security regulatory subgroup led by Lisa which has done a great job of updating the community with regulatory initiatives that will affect various member firms.
Lisa: Part of that emphasis is the focus on individual responsibility. We wanted to get the message across to our FIX members that if they “see something – say something”. If there’s an issue relating to FIX, then we want that to work its way straight back up through the cyber security working group.
Michael: We want to educate through sharing. We want to enable people to share appropriate experiences so that as a community and as an organisation, we are operating at a higher level because we are taking advantage of that shared knowledge to distil best practice.
In this context, collaboration and sharing is probably one of the few ways in which we can obtain something like parity with those seeking to attack our infrastructure and exploit vulnerabilities in the services we use.
Another point is that this type of forum takes place behind closed doors and firms are sharing with their peers.
The third point is that we are seeing very large and advanced organisations being successfully attacked and exploits being run against them. This is not a reflection on them as organisations but it emphasises that the problem we face is very severe.
Lisa: All firms need to sit up, take notice and ensure that their houses are in order and that they are protecting their key assets – especially their clients’ data.
Michael: There’s a good underlying point here that raising the bottom line to ensure a higher standard consistently across the industry is absolutely the best thing to do. Organisations have got to operate beyond the boundary that these protocols are referring to, so hardening systems, being responsive to fixes, to code, etc.
Lisa: It really is a matter of when, not if, a firm will be breached. The implications are not only financial, they are also reputational and can ultimately have a detrimental impact on a firm’s client base.
Building security
Chris: The regulators have made it clear that established security is not a ‘one size fits all’ solution. They do a good job of allowing firms to build security around their own particular needs. For example, a high frequency trader will have different security requirements than those of a retail broker and so on.
What firms need to do is to develop internal security procedures. These could be as straightforward as educating employees not to expose sensitive information, by not leaving passwords on their desks so that non-secured staff can see them etc. It really is the case that people rather than technology are the weak link in many firms’ cyber security infrastructures.
Lisa: A good place for a firm to start so that they can identify gaps in their defences is by doing a risk assessment. They can then put in place a road map or a project plan to close those gaps based on where they want to be as regards their level of cyber defence.
Michael: That risk assessment is key to understanding what the commercial and reputational etc risks are. Once the risks are understood, then a firm can make intelligent decisions about addressing them.
Lisa: Also, the costs associated with addressing those risks must be considered: does it make sense economically? If not, the decision must be made to either accept the risk or put in place some form of mitigation. But at least a firm is going in with its eyes open.
Michael: Another point to make is that this isn’t a ‘do it once and it’s fixed forever’ solution. Firms need to recognise that they are in a very rapidly evolving industry. They need to think about how to make risk assessment an integral part of their organisation so that it has consistency and is continuously maintained.
From a FIX perspective, our view is that if we can help to raise the standards, then that will help contribute to firms’ understanding of the problem. And in order to do this, we need more people to get involved, we want to get more experiences and knowledge disseminated. As an industry we then have increased intelligence with which to address the problem.
Chris: As an example, we have members from the buy-side, sell-side and vendors who are all working together to create a standardised encryption capability that buy-side and sell-side can use to communicate with each other. I think that if we are successful in this endeavour then it will be a huge contribution to the community.
Creating a community
Michael: One key development that is occurring is the shift in onus and responsibility across the community. There’s an expectation of activity, and almost a mandatory requirement for a community response. Market participants have more of an obligation and responsibility to directly take charge of the security landscape and to foster that collective response.
Part of this is the “See Something, Say Something” principal Lisa mentioned earlier, as we need to share information, and build that community. Therefore we expect a material change in the manner in which the industry responds. It is very important at a community level to be able to identify new exploits and disseminate that knowledge.
We also need to work collectively as a community to establish the standards to which and in which we wish to operate.
Chris: The regulators have provided the industry with excellent guidance regarding methods firms should consider when developing internal cybersecurity controls. Firms for the most part now understand that if they don’t take positive steps they will lose clients and put themselves at risk at exposing themselves to malicious 3rd parties. Because cyber security poses such a systemic risk to the financial industry, firms must share information, and it is important to note that firms should not be afraid to share as then firms can incorporate that wider information into their own cybersecurity controls. Firms can and should learn from each others’ events. This is the community we should be striving to create.
We’d love to hear your feedback on this article. Please click here