Industry participants must develop crisis communication systems to avoid repeating the kind of fallout that came from the devastating cyber attack on Ion Group on January 31, which downed communication channels between banks and vendors, senior technology executives warned at an event on June 20.
Keith Todd, chief executive officer, Trading Technologies, said there was a need for a “crisis management email system to get out to critical contacts” for when cyber teams close off email domains and freeze normal communications between firms following a hack.
Tito Shirley, head of cleared derivatives FIS, said that, given that the first response to a cyber event typically for all parties involved was to “disconnect”, mechanisms were needed so vendors could continue to process, “perhaps in a non-connected way”, to get information to clients as quickly as possible.
We don’t expect perfect information. But we do expect communication
Christy Goldsmith Romero, CFTC
Todd and Shirley were speaking at the Futures Industry Association’s (FIA) IDX conference in London.
Banks including ABN Amro, Macquarie and RBC were among those affected by the Ion attack, which took key services offline. Market participants and infrastructures immediately cut off Ion from their networks, isolated emails and checked servers that communicated with the firm.
Todd said his firm had proactively contacted its 700 cyber counterparty customers to ensure that not only the CEOs know each other, but also the cyber people: “Because when something happens, we need to know who to go to in the moment.”
Speaking on the same panel, Justin Llewellyn-Jones, global head of product management and strategy, Broadridge, echoed the need to identify key players in advance of any attack: “[It’s] superimportant to have a really strong relationship with the chief information security officers, and the people running risk and audit and cyber security [at futures commission merchants (FCMs)].”
Nick Solinger, president and CEO of derivatives market infrastructure FIA Tech, said observations across the client base during the Ion incident suggested that “those who had really effective crisis management programmes stood up really well”: “There were impacted firms that managed to get backup plans to continue to clear, continue to execute, [although] it might have taken them a couple of days to get those together.”
After confirming the outage, Ion told banks that it was working to fix the issue and that the estimated recovery time was three days, with more updates to follow. But several days later, the software was still not back up and running.
Ion’s initial response to the incident drew sharp criticism from clients. Regulators were said to be “gobsmacked” by a “gaping black hole of information” as clients were left to face the music and the technology company remained silent.
Speaking at the June 20 event, Christy Goldsmith Romero, commissioner at the US Commodity Futures Trading Commission (CFTC), said: “We don’t expect perfect information. But we do expect communication.”
She urged banks to do something as simple as keeping an up-to-date inventory of all their service providers, rather than “scramble to try to figure out who’s involved” when a cyber attack occurred.
Per Haga, global head of prime derivatives services product, Barclays, characterised operational resilience partly as making sure that “regulators get the information they need”.
Goldsmith Romero told the audience that the CFTC “didn’t wait for the Ion attack” to start working on cyber issues. Since November 2022, the commission has been working on its first cyber rule for swap dealers and FCMs, which could be released in the next few months.
FIA Tech’s Solinger said that when a bank lost access to a vendor, the timescale used to be two hours to enact a disaster recovery plan. But what had been learned in the “catastrophic” Ion cyber incident was that timescale was “out the window” – industrywide backup plans or other provisions were needed in future, he said.
FIA Tech has enhanced its Trade Data Network to support the operational resilience needs of clearing firms, which can now store all trading activity at any exchange connected to the platform, in support of a quicker recovery in the event of a systemic outage such as a cyber attack. And the FIA formed a task force in March to bring together the industry as a whole to learn some lessons from the Ion incident, which it hopes to publish in the next month or so.
Kirston Winters, chief risk officer, Osttra, said: “Ultimately, the whole network is only as strong as the weakest link. When one vendor goes down, that creates problems not just for their customers, but actually for other vendors.”