Raising The Standard For Cybersecurity

Role of the working group
Michael: We have a responsibility and a role to play here. We recognise that this is a complex multidimensional problem. In addressing this, we facilitate knowledge-sharing by enabling people to ask questions to which we try to supply answers that are community-centred in nature and around best practice.
Chris Bok: Last year, the working group focused on updating the 2008 Security White Paper. It found that many of the answers to the outstanding questions were still relevant but needed to account for changes in technology and more sophisticated malicious third parties.
So we developed a number of threat scenarios which we believed adversaries could employ to attempt to penetrate a FIX network. We outlined why we believe that FIX has mitigations in place and that it is essentially self-correcting from the functional point of view. It included diagrams and architectural illustrations showing how we believe that FIX is self-protecting.
In addition, we also wanted to educate the community regarding the cyber security landscape. To do this, we developed a cyber security regulatory subgroup led by Lisa which has done a great job of updating the community with regulatory initiatives that will affect various member firms.
Lisa: Part of that emphasis is the focus on individual responsibility. We wanted to get the message across to our FIX members that if they “see something – say something”. If there’s an issue relating to FIX, then we want that to work its way straight back up through the cyber security working group.
Michael: We want to educate through sharing. We want to enable people to share appropriate experiences so that as a community and as an organisation, we are operating at a higher level because we are taking advantage of that shared knowledge to distil best practice.
In this context, collaboration and sharing is probably one of the few ways in which we can obtain something like parity with those seeking to attack our infrastructure and exploit vulnerabilities in the services we use.
Another point is that this type of forum takes place behind closed doors and firms are sharing with their peers.
The third point is that we are seeing very large and advanced organisations being successfully attacked and exploits being run against them. This is not a reflection on them as organisations but it emphasises that the problem we face is very severe.
Lisa: All firms need to sit up, take notice and ensure that their houses are in order and that they are protecting their key assets – especially their clients’ data.
Michael: There’s a good underlying point here that raising the bottom line to ensure a higher standard consistently across the industry is absolutely the best thing to do. Organisations have got to operate beyond the boundary that these protocols are referring to, so hardening systems, being responsive to fixes, to code, etc.
Lisa: It really is a matter of when, not if, a firm will be breached. The implications are not only financial, they are also reputational and can ultimately have a detrimental impact on a firm’s client base.
Building security
Chris: The regulators have made it clear that established security is not a ‘one size fits all’ solution. They do a good job of allowing firms to build security around their own particular needs. For example, a high frequency trader will have different security requirements than those of a retail broker and so on.
What firms need to do is to develop internal security procedures. These could be as straightforward as educating employees not to expose sensitive information, by not leaving passwords on their desks so that non-secured staff can see them etc. It really is the case that people rather than technology are the weak link in many firms’ cyber security infrastructures.
Lisa: A good place for a firm to start so that they can identify gaps in their defences is by doing a risk assessment. They can then put in place a road map or a project plan to close those gaps based on where they want to be as regards their level of cyber defence.
Michael: That risk assessment is key to understanding what the commercial, reputational, etc. risks are. Once the risks are understood, then a firm can make intelligent decisions about addressing them.
Lisa: Also, the costs associated with addressing those risks must be considered: does it make sense economically? If not, the decision must be made to either accept the risk or put in place some form of mitigation. But at least a firm is going in with its eyes open.
Michael: Another point to make is that this isn’t a ‘do it once and it’s fixed forever’ solution. Firms need to recognise that they are in a very rapidly evolving industry. They need to think about how to make risk assessment an integral part of their organisation so that it has consistency and is continuously maintained.
From a FIX perspective, our view is that if we can help to raise the standards, then that will help contribute to firms’ understanding of the problem. And in order to do this, we need more people to get involved, we want to get more experiences and knowledge disseminated. As an industry we then have increased intelligence with which to address the problem.
Chris: As an example, we have members from the buy-side, sell-side and vendors who are all working together to create a standardised encryption capability that buy-side and sell-side can use to communicate with each other. I think that if we are successful in this endeavour then it will be a huge contribution to the community.
Creating a community
Michael: One key development that is occurring is the shift in onus and responsibility across the community. There’s an expectation of activity, and almost a mandatory requirement for a community response. Market participants have more of an obligation and responsibility to directly take charge of the security landscape and to foster that collective response.
Part of this is the “See Something, Say Something” principle Lisa mentioned earlier, as we need to share information and build that community. Therefore we expect a material change in the manner in which the industry responds. It is very important at a community level to be able to identify new exploits and disseminate that knowledge.
We also need to work collectively as a community to establish the standards to which and in which we wish to operate.
Chris: The regulators have provided the industry with excellent guidance regarding methods firms should consider when developing internal cybersecurity controls. Firms for the most part now understand that if they don’t take positive steps they will lose clients and put themselves at risk of exposing themselves to malicious third parties. Because cyber security poses such a systemic risk to the financial industry, firms must share information, and it is important to note that firms should not be afraid to share, as then firms can incorporate that wider information into their own cybersecurity controls. Firms can and should learn from each other’s events. This is the community we should be striving to create.