[NEWS REVIEW | CYBER-SECURITY]

Having been left shaken by the now infamous breach at the Central Bank of Bangladesh back in 2016, the securities services industry is urgently assessing its cyber-security policies and procedures. While payments have been a focal point of cyber-security concerns following successful attacks in recent years, securities firms are being urged to adopt frameworks and standards amid a growing threat.

“If people are attacking the kind of firm that works with SWIFT, then why should they only be targeting payments? So the fear or the hypothesis is could they be looking at financial services within the securities market… There’s no reason why this couldn’t spill over,” said Brett Lancaster, managing director, global head of customer security, SWIFT, speaking at Sibos 2018 in Sydney.

“We have currently seen no attacks within our customer base in the securities market, but it’s always a comma, yet.”

Any disruption of clearing and settlement processes would undoubtedly result in a severe systemic event, while a theft of assets could potentially cause a client run on a bank. The brutal reality is that irrespective of how much money or resources major banks and infrastructures invest in their technology systems, they are not invulnerable to external hackers, many of whom are using increasingly cutting-edge – often government-manufactured – software tools to attack organisations.

The financial gain for a hacker targeting market infrastructures may be high. Some of the ways market infrastructures, such as CSDs and clearing houses, can be targeted include hackers manipulating market and reference data such as Standing Settlement Instructions (SSIs) and pricing, along with attacking the mechanisms which match trades and calculate settlement values to fraudulently increase the gain on trades.

“These central infrastructures we rely on so much have to be incredibly resilient because of the motivation for disruption. If you were looking to disrupt, you might go for the central utilities,” said William Hodash, managing director, enterprise data management, DTCC.

Earlier this year, the International Securities Services Association (ISSA) released a report following its symposium in May, where it concluded that although the securities services industry has so far escaped unceasing cyber-assaults of this kind, it would be complacent to assume this will continue.

“The books, records and databases held [by securities services firms] provide attackers with the opportunity to obtain data which include client investments, portfolio details, performance and strategy, relationship information and fee agreements. Data stolen by cyber-attackers can lead to significant ransom demands together with material reputational damage,” the ISSA report stated.

However, employees are ultimately the biggest weakness for cyber-criminals to take advantage of, whether it is through an opportunistic phishing attack or a successful impersonation of a co-worker or client. Bank staff need to be trained and educated to spot cyber-threats, a process that has to be driven from the top down. Employee education around cyber-security is now an urgent issue for many banks.

“As cyber criminals become ever more innovative and agile, we need to continue to work together to build even stronger defences. Through our Customer Security Programme, we have been assisting the payments, securities, trade finance and foreign exchange sectors to better protect their immediate surroundings, and have facilitated better information sharing to help equip the industry with the tools it needs to combat cyber-crimes,” added Lancaster.

The securities services industry is working on standards and adopting frameworks such as the NIST cyber-security framework and SWIFT’s Customer Security Programme (CSP).

While these frameworks are extremely helpful as a guide, securities services firms also need to assess the risk to themselves from cyber-attacks on their clients, vendors and counterparties.

JP Morgan’s managing director of security, David Leach, said the industry is on the right track when talking about frameworks, but admitted it is a matter of ‘if’, not ‘when’, an attack on the securities industry will occur.

Due diligence over the cyber-risk management programmes and associated controls of third parties will be critical. The ISSA paper advocated that appropriate contractual obligations should be placed on third parties to meet the policy and standards of the securities services firm.

“Securities servicer firms should establish risk management processes that map the status of third parties’ compliance obligations vs the securities servicer firm’s own risk assessment (such as AML rating of the country the third party resides in, the inherent risk with the service provided and transparency afforded),” the ISSA paper added.

The inclusion of cyber-security was one of the major additions to the AFME (Association for Financial Markets in Europe) Due Diligence Questionnaire (DDQ), which network managers use to select their sub-custodians.

However, with the DDQ now over 200 questions long, there is growing consensus that a number of sections would be cut, and according to some network managers speaking at The Network Forum (TNF) in Singapore, cyber-security is likely to be less prominently featured.

One panellist at TNF, speaking under the Chatham House Rule, said cyber-security was a constantly evolving threat, and there was growing support in industry circles to remove questions covering cyber from the DDQ as each bank had its own unique policies and standards on the issue. He conceded some network managers were also uncomfortable about asking questions on cyber-security as they felt it was a topic beyond their expertise.

One solution is for organisations to test cyber-security measures at their critical vendors, instead of relying solely on receiving answers in a questionnaire format. This could be an area where a standardised cyber-security framework would serve network managers better than questions within the DDQ.

The fact that cyber-security is becoming a bigger part of client conversations is promising. Securities services firms are becoming more aware of the growing risk of cyber-attacks and of the fact that they are not invulnerable to them. But it may take a successful attack to prompt any real action on a cyber-security framework.

Winter 2018
globalcustodian.com