Cyber Security And FIX: A Time For Focus
A panel discussion, with Marcus Prendergast, CISO, ITG; Michael Cooper, CTO Radianz, BT; Tim Healy, Global Marketing and Communications, FIX Trading Community; Tom Jordan, President, Jordan & Jordan.
Why cyber security, why now?
Michael: I’ll just focus on three things very quickly. I think one point I’d make is that as a group, we have focused on security in the context of the FIX protocol for some time, it’s not necessarily something that is new. It is just the latest iteration with regard to considering security in a FIX protocol context. Two, I think the landscape and the attention on security makes it a prudent time to review the security of the protocol, even in the absence of any direct threat. And I think increasingly, all of us have been touched by security or have to consider it in the context to which we operate, especially as time goes on.
Marcus: Just to build on that, I’d say we’re focusing on being proactive and trying to stay ahead of any new potential major attacks on the markets.
Why embed this process within FIX and the FIX Trading Community?
Marcus: The firms themselves have been focusing on their own information security and investing in that very heavily over the past 5-7 years, and we are realising that we have a couple of points of commonality. FIX isn’t the only element but it is a major common mechanism of exchange and as such it needs to be evaluated and assessed for security. The challenge is that it doesn’t just extend to the edge of a firm, the edge of a network, it extends downstream. So now we’re having a conversation looking at how firms have invested in their information security together with how they secure what they are sending downstream, and what is being accepted coming upstream. FIX seems to be a good common point. FIX is the common core protocol used across the industry and now we’re trying to have a conversation on how we secure that as a group.
Tom: I think the reason why FIX is important is because it is the language of trading. The industry cannot run without FIX, and while it used to be principally for equities, FIX is now applicable across the entire trading process and across multiple asset classes. We do a lot of work in post-trade, we use FIX going into the clearance and settlement process and those roles are expanding all the time. FIX is so integral to the capital markets that we have to be proactive because all of us are so dependent upon the use of FIX.
Michael: As an additional point, this is absolutely not the only place to look at security. We have to examine security in a holistic manner. However, the FIX Trading Community is responsible for the protocol. It has a responsibility to look at security, and by building this working group we are taking that responsibility seriously. It’s highly appropriate and the right thing to do. If you look across the industry, this is one of a number of times to review how we operate as an industry in the context of changing environmental backgrounds.
This is a global issue and the ability of the FIX Trading Community to respond on a global basis is a strong and compelling point. There is definitely an invitation for everyone to be engaged in this initiative. It does affect everyone and we will welcome everyone’s input into it.
Tim: Within FIX we do have the entire industry represented. We’ve got vendors, brokers of all types and sizes, exchanges, the buy-side etc. We have constituents of the whole investment process involved within the membership and getting involved in a working group is the next stage to that.
Marcus: I think it shows our commitment long-term to the protocol. It’s amazing that over the past 10 years we haven’t had something private replace it. That just shows the commitment of the various members to keeping the protocol not just up to date and relevant but also to address these new concerns as they come in, and as these security concerns evolve to ensure that we’re keeping ahead of it as best as we can.
Immediate goals of the group?
Marcus: The first thing is to assess the concern as a group, prioritise what can be addressed and then we will develop a couple of items that are going to come out in the short term, including an updated white paper. We’ve had a white paper on FIX security that’s been out there since 2008, which is something I want to focus on. We need to update that for the community and look at what can be done next, over the coming six months, one year, and five year horizons to better secure FIX for the industry.
Michael: One of our goals is to collaborate and share knowledge in terms of a free and defined best practice. A key part of the general response to areas like a cyber security threat is how we share information amongst the industry.
The element of sharing is a thread that runs through pretty much all FIX working groups. One of the reasons that I think cyber security is a growing focus for the industry is that there is an ever expanding universe of hacking tools; the ability to leverage technologies like cloud and collaboration makes it easier to find and exploit vulnerabilities. One part of this group is that we’re responding to that by seeking to collaborate on our side of the issue, and FIX has the concept of the working group which has set ways and processes of sharing that vital information.
To what extent is this always going to be fire fighting?
Marcus: Much of the battle is simply about making sure that FIX isn’t a significant area of vulnerability. While we have spent money individually as firms protecting our infrastructure, now we’re working to make sure that FIX implementations are protected industry-wide.
Michael: The threat is a constant and we’ve clearly been looking at this problem, and increasing our awareness for some considerable time. I suspect we will always be conscious of it. Some of this discussion has to evolve around how we design the protocol to minimise if not totally mitigate the risk, and as Marcus says, to make sure we are not an area of vulnerabiity. But it’s almost definitely not going away and I think this awareness accounts for a lot of the activity and action across the region with regards to what the regulators are looking at. And that regulatory conversation is definitely developing.
Marcus: I’ve been involved with the SEC’s ongoing cyber security review, and they’re definitely starting to have a deep and knowledgeable focus on cyber security. They’re reaching out to their member firms to have their cyber security experts and representatives speak up. I certainly expect, as we’ve seen from comparable organisations in Canada and Europe, that more prescriptive cyber security regulation will emerge out of the various global regulators. And whether that will be specific to FIX or not, it is certainly going to touch the protocol and be applicable to it.
Michael: I think if you look at the Bank of England, which takes its prudential responsibilities very seriously, it has looked at this in a very deep manner. I have definitely noticed an uptick in regulatory interest in markets such as Hong Kong and Singapore. All the regulators have a prudential responsibility, and this a prudential concern. They’re all seeking to understand the extent of the problem, which goes back to just how do we as an industry respond. My personal view is that the regulators will respond with at least some guidance. And again, there is the collaborative element here. The regulators are consulting and engaging people across the industry.
Tom: One key area is figuring out what should be included in the regulation but it is definitely a good sign that regulators are starting to ask questions on security of their member firms. While there is clearly a responsibility to protect your client’s information, they can start asking questions about how you protect, who can access it, how is it shared etc, and we need to be able to answer those questions when the regulator asks. Europe is probably further ahead of the US in terms of the formulation of that, but the point is the process has already started within firms. The business reasons for security protection are ahead of the regulation at this point. In some areas, you’ll have the regulators driving the behaviour. In this case, it’s the business reasons that are driving the security work being undertaken that have demanded everyone’s attention.
We’d love to hear your feedback on this article. Please click here