DTCC Identifies Cyber-Attacks as Most Significant Risk to Financial Markets
On August 7, the Depository Trust & Clearing Corporation (DTCC) released a report identifying threats to the stability of the financial markets. DTCC considers cyber-attacks that can bypass U.S. and E.U. industry security systems and laws to be the most significant danger to our markets today.
Mike Leibrock, DTCC Vice President of Systemic Risk, stated that the report is intended “to initiate robust dialogue and help market participants gain a deeper understanding of how new or evolving systemic risks might impact the safety and soundness of global financial markets, and the steps the industry needs to take”.
DTCC’s report emphasizes that the systemic risks facing the global financial services industry are growing in complexity and are more difficult to anticipate. DTCC’s report also finds that regulatory safeguards are either years from implementation or create new forms of risk that are constantly evolving.
Cybersecurity
DTCC’s report identified cybersecurity risks as the top systemic threat facing global financial markets and associated infrastructures, including the threat of Distributed Denial of Service attacks, attacks against systems containing transaction records, and the risk of disclosure of restricted, confidential or material non-public information via compromise of internal systems.
DTCC identified the following risk objectives of cybersecurity attacks.
The objective of a Distributed Denial of Service (DDoS) attack is to cause market disruption by preventing business transactions (e.g., affect clearance, settlement and similar core functions).
The objective of an attack against systems containing transaction records is to cause market disruption by deleting, modifying or corrupting books and records of the financial industry.
The objective of causing disclosure of restricted, confidential or material non-public information via compromise of internal systems is to cause loss of trust in the U.S. financial systems, insider trading and other forms of market manipulation.
DDoS Attacks
DDoS attacks have increased in the past year. DDoS attacks typically attempt to flood the bandwidth and network connectivity between a financial institution and the broader Internet. These attacks are carried out by sending a large volume of requests from compromised machines to the institution’s website.
Recently, these attacks have been launched from compromised servers (up to ~6000 servers), which have significantly more capacity and outgoing bandwidth. For example, prior to 2012, the peak volumes of DDoS attacks against financial institutions were approximately one to two gigabits per second (Gbps). Recent attacks have peaked at close to 150 Gbps, or approximately 15 times the provisioned bandwidth at a typical financial institution.
At least one private research provider in the securities markets, Promotion Stock Secrets, was the subject of a DDoS attack on July 31 when their website was attacked. The cyber-attack on http://www.promotionstocksecrets.com used the same technologies often found in large-scale attacks against financial institutions such as banks, an indication that cyber-attacks are a growing threat in the financial services and other industries.
Advanced Persistent Threats
Advanced Persistent Threats (APT) are stealthier because APT attacks are not public. Their objective is not to disrupt Internet-facing communications, but rather to infiltrate an institution’s systems and monitor or exfiltrate data to a server outside the firm. APT attacks are very difficult to detect, unlike DDoS attacks, which are visible and often publicized prior to an attack. In an APT attack the malware could be sent by a variety of means including e-mail attachments or compromised websites. The attackers often use social networking tools to perform reconnaissance and identify key employees at a firm. The attackers then compromise the machines of those individuals, and propagate horizontally and vertically within the target organization.
APT attacks are launched by hacktivists, nation states and paid hackers who are compensated by the amount of impact they have on the target. These actors typically are outside the jurisdictional boundaries of industrially mature nations and thus very difficult to apprehend and prosecute.
Additionally, the compromised servers are often legitimate servers that were compromised because of a vulnerability in their systems (e.g., not keeping the system patched to the latest version).
Other Risks to Financial Markets Identified
DTCC also identified several other risks in its report, which are summarized below.
New Regulations
DTCC also noted that the financial industry has expressed concerns that even though new regulations are well-intentioned and necessary, there is a danger that their scope and complexity may actually be creating unintended consequences or an entirely new set of risks.
Too Big To Fail
DTCC expressed concern as to whether ongoing industry debate on the “too-big-to-fail” issue has been sufficiently resolved. Even top U.S. banks control the vast majority of total assets within the sector and just a few provide some of the most critical services.
Collateral Shortage
DTCC addressed concerns globally about potential risks associated with a future shortage of high quality collateral, possible pro-cyclical impacts of collateral requirements, along with operational challenges related to collateral management.
Interconnectedness Risk
Inter-linkages among financial firms and infrastructures improve the effectiveness and efficiency of clearance and settlement activities and processes. Inter-linkages also create a complex network of interdependent legal, credit, liquidity, and operational risks. Because of this, there is an increased systemic risk because of the increased potential for operational and other disruptions to spread quickly and widely through the financial system.
High Frequency Trading
High Frequency Trading (“HFT”) has come under scrutiny in recent years due to events such as the so-called “flash crash” in 2010, the difficulties encountered during the initial public offerings of BATS Global Markets, Inc. and Facebook, Inc., and the Knight Capital trading glitch. Some industry participants are at odds over the question of whether the benefits that HFT brings to the securities markets in terms of efficiency and liquidity outweigh the technological challenges associated with this activity.
Business Continuity Risk
Superstorm Sandy served as a reminder of unforeseen physical events. While DTCC’s business continuity practices allowed the organization to continue to provide critical clearing and settlement services to the industry, a number of near- and long-term initiatives have been identified to further enhance DTCC’s resilience against a wide range of events. DTCC is calling for closer and more continuous engagement and action among all key industry participants on this issue to reduce the systemic risks facing global markets.