Managing Cyber Attacks

Transcription

1 Managing Cyber Attacks Regulators and Industry Participants Discuss Ways to Strengthen Defenses By Joanne Morrison June 25, 2015 Cybersecurity risks and testing are a major concern of regulators and market participants. Experts at a Commodity Futures Trading Commission roundtable discuss the testing underway as well as practices to recover from cyber attacks. CFTC staff spend the day hearing experts discuss cybersecurity challenges THE RISK OF cybersecurity attacks is the single highest concern among financial regulators and top global exchange and clearinghouse leaders. They all agree it is not just a risk, but inevitable that there will be an attack. What lies ahead are challenges in how to best protect key market infrastructure from attacks and recover operations and data after attacks. While the listed and cleared derivatives industry has taken steps for many years to test and prepare for disaster recovery and business continuity, such as after the Sept. 11 attacks, cybersecurity poses new challenges. cyber attacks 1/8

2 First and foremost, those involved in the attacks are sophisticated and hard to detect. A system can be penetrated unnoticed through simple software updates, attachments and simple downloads. In addition, the risk is greater as markets and participants become more linked electronically. Finally, what is most concerning to industry leaders is that cyber attacks are increasingly seen as a new form of terror attack, where critical systems are penetrated for the purpose of severely disrupting or destroying them rather than just stealing information. Five, ten years ago this conversation was largely about the digital equivalent of graffiti, the defacement of websites and other things like that. But now clearly you have actors that are not only willing to steal and commit fraud, but who are actually willing to carry out destructive attacks, like what we saw with the attack on Sony Pictures Entertainment, said Michael Daniel, special assistant to the president and White House security coordinator, at a March 18 staff roundtable of the Commodity Futures Trading Commission. CFTC Chairman Tim Massad agrees. At nearly every public speaking engagement over the past several months, including appearances before Congress, Massad has identified cybersecurity as the biggest threat facing markets. These threats, as we now know today, don t just come from people motivated by profit. They come from people looking to disrupt the system, Massad warned Senate lawmakers at an appropriations hearing in May. Global exchange leaders all have put cybersecurity at the top of their list of concerns. It is not an issue that their technology departments handle alone, they said, but rather a matter for boards and top executives. Exchange leaders identified cybersecurity as a bigger concern than other issues. For example, Jeff Sprecher, the chief executive of Intercontinental Exchange, said ICE s risk committee spends more time on cybersecurity threats than it does on clearinghouse risk and market risk. It has really changed the dynamics of my company. My board has reorganized now so that our info tech team reports into the board through a dotted line, Sprecher said in March during FIA s annual International Futures Industry Conference in Boca Raton, Fla. Sprecher went on to explain that ICE has begun testing its own employees, noting that often times cyber attacks start with breakdowns within the organization. The keys to your company walk out the door every night, he said, adding that enforcing a strict use of passwords, rather than a single password, is one good approach. Information Sharing Key cyber attacks 2/8

3 What is clear in a market system that is all about competition is that combating cybersecurity risks is about sharing and cooperation. It is an issue on which exchanges, clearinghouses, regulators and industry participants are working together and exchanging information to better prepare against attacks and devise systems to recover data and operations after an attack. This is an area where the exchange community has no competitive area among themselves, said Andreas Preuss, CEO of Eurex. If we are not collectively getting this under control, we collectively can cause big systemic risks. Cooperation Network In 1999 the U.S. Treasury Department spearheaded the formation of the Financial Services Information Sharing and Analysis Center. This private sector organization has become the financial industry s go to resource for cyber threats. FS ISAC is unique because it was created by and for members and operates as a member owned nonprofit entity. Membership is comprised of global banks, dealers, finance companies, hedge funds and others. It has been a critical tool in protecting banks and financial institutions. In the central repository at FS ISAC, details about attacks are shared among participants alerting them to potential system weaknesses and potential computer viruses and malware designed to attack systems. All information provided to FS ISAC is cleansed of identifying features to protect the companies that share attack details. Greg Gist, a director in CitiGroup's office of emergency management, discusses the many facets of testing. This network of cooperation is even more critical as financial systems become more and more linked. We see a lot of firms being more interested in doing this, because protecting the system as a whole is now much more important than just protecting my system by itself because of the way risk can be transferred through, said Brian Peretti, director of the Office of Critical Infrastructure Protection and cyber attacks 3/8

4 Compliance Policy at the Treasury Department. He also heads the Financial and Banking Information Infrastructure Committee, a group comprised of 18 financial regulators including the CFTC, the Securities and Exchange Commission, and the Federal Reserve, that meets monthly to discuss cyber attacks. In addition, the race for speed and access has also added to cybersecurity risks. We went as an industry from analog to digital and there was an arms race of speed going to computers and all of us here were trying to have the fastest processor and the lowest latency network, explained ICE s Sprecher in March. ORGANIZATIONS WORKING ON CYBERSECURITY We as exchanges opened our doors and let a thousand flowers bloom so that everybody could connect to us. That attitude is going to change, said Sprecher, adding that the exchange is going to have to be more restrictive about what comes in on the network and how access is enabled. He suggested broader use of encryption for example. OCIP Office of Critical Infrastructure Protection and Compliance Policy. The U.S. Treasury Department established this office after the September 11 attacks. Its role is to coordinate the department s development and implementation of polices related to protecting critical infrastructure of the financial services sector. FBIIC Financial and Banking Information Infrastructure Committee. This group is made of 18 U.S. financial regulators including the Commodity Futures Trading Commission, the Top Concern of Regulators The CFTC has responded in a number of ways to the growing threat of cybersecurity. For example, the CFTC s core principles include provisions requiring clearinghouses and exchanges to maintain system safeguards and risk management programs, systems to notify regulators of incidents, and formal recovery procedures in place. And while the CFTC has made this a priority in its examinations, the agency is not adequately funded to test systems itself, Massad has warned lawmakers. Repeatedly, Massad has said the responsibility for cybersecurity safety rests primarily with private institutions. As a government agency, the CFTC can set standards, he said, but it is the private institutions that run critical financial infrastructure that just carry out all of the comprehensive analysis and system work that is required. What the CFTC has done, however, is made sure that exchanges and clearinghouses themselves have adequate testing and have followed best practices with independent testers, where appropriate, to do things like controls, testing, penetration testing and vulnerability testing, Massad said. cyber attacks 4/8

5 Securities and Exchange Commission, the Treasury Department, federal banking regulators and others. This group holds monthly principal level meetings in the wake of a growing number of cyber attacks. FSSCC Financial Services Sector Coordinating Council. This group was formed at the encouragement of the U.S. Treasury Department to strengthen the resiliency of the financial services sector against attacks and other threats to critical infrastructure. It is a private sector group representing financial services providers such as banks, exchanges, insurance companies, clearinghouses and electronic payment systems as well as industry associations such as FIA. FS ISAC Financial Services Information Sharing and Analysis Center. This private sector group was formed in 1999 and is the financial services industry s go to We have incorporated cyber concerns into our examinations. Typically in our examinations what we re looking for is the board of directors and top management setting the right tone with respect to these issues, Massad told a Senate panel at an appropriations hearing in May, adding that not only must policies be in place, but also top management must ensure policy is being enforced. CFTC officials have also indicated they are working on a release directed at critical market infrastructure entities that will build on the existing core principles. There are currently business continuity management best practices in the core principles in the Commodity Exchange Act and the Dodd Frank Act that govern CFTC regulated exchanges, trading systems and clearinghouses. At the March roundtable, staff discussed with participants whether expanding on the principles ordrafting new rules involving cybersecurity testing should be proposed. Staff also were focused on how the CFTC might audit for compliance and whether participants could estimate the costs associated with any new requirements. A Global Concern Massad also highlighted that combating cybersecurity must continue to be a joint effort not only with the industry but also among regulators, both in the U.S. and globally. We're never going to be able to do all this by ourselves. It's important that we work with other regulators, he said. We simply cannot address this risk with the budget that we have and these threats. In that vein, in 2013, the Bank of England began taking an active interest in state driven terror cyber attacks, moving away from cybercrime, e fraud and other long established patterns in the online cyber crime world. After consulting with the financial services industry and others, the central bank established a framework for testing called CBEST. It differs from other security testing undertaken by the financial services sector because it is threat intelligence based, meaning that it is based on actual cyber threat intelligence in addition to simulated scenarios. cyber attacks 5/8

6 resource for cyber and A CBEST test involves three parties: a regulated entity, a private physical threat intelligence sector penetration testing company and the Bank of England. In analysis and sharing. It addition, the penetration testing company must be qualified as a was created by and for member of the CBEST scheme. members and operates as a member owned nonprofit entity. support at the Bank of England, warned that CBEST is not a David Evans, senior manager for sector and supervisory cyber panacea to cyber threats. You can t expect to do one of these CBEST tests and you will suddenly become cyber secure or cyberresilient. It s a component, he told panelists at the CFTC The cyber intelligence network and testing roundtables. framework launched in 2014 by the Bank of The regulator will have a view of what s critical that that England. The framework organization does. The organization will have a view of what s gathers information and critical. And perhaps the Bank of England, independently, is sort of threat intelligence from looking at a financial stability angle, and the system as a whole various sources and then might also have a slightly different perspective, said Evans. uses the information for CBEST provides a holistic assessment of a financial service or testing scenarios in the infrastructure provider s cyber capabilities by testing people, financial services sector processes and technology in a single test. through qualified testing firms. We wanted to come up with a repeatable testing framework that incorporated all of the sort of better practices in terms of a penetration test, but we wanted to also include threat intelligence as a key component of that part, Evans said. Much of the financial services industry led testing that was established for business continuity and disaster recovery is now focusing on cybersecurity and considering what additional tests could be beneficial. FIA s Annual Test These threats, as we now know today, don t just come from people motivated by profit. They come from people looking to disrupt the system. Every fall for the past 11 years, FIA has worked with a broad cross section of market participants, exchanges and clearinghouses to test and prepare for potential market disruptions.over the years, the group s work has served as a significant tool to help exchanges, clearinghouses and clearing and non clearing firms prepare and operate during market disruptions. cyber attacks 6/8

7 Tim Massad For example, Superstorm Sandy, which shut down markets on the East Coast, was a true test of the work of this committee. CFTC The 2014 test organized by FIA s Information Technology Division s Business Continuity Committee was conducted last October and focused on disaster recovery back up connectivity and functionality between exchanges, clearinghouses and member firms. The test was successfully conducted among 24 domestic and international futures exchanges, clearinghouses and swap execution facilities as well as 62 clearing/non clearing firms. The test, which will include more of a focus on cybersecurity risks, will take place again in the fall of 2015 and again it will be coordinated with the Securities Industry and Financial Markets Association, as there are member firms that are joint FIA/SIFMA members. David Evans discusses the work the Bank of England has done with financial firms to test for cyber threats. excercises with management teams. John Rapa, president and chief executive officer of Tellefsen CFTC Commissioner and Co, helped managed the Christopher Giancarlo and testing for FIA and spoke at the Chairman Tim Massad listen CFTC roundtable. He to expert advice on how to highlighted the importance of manage cyber threats. having a direct line to top executives and others within an organization when it comes to managing and protecting against cyber threats. He and others warned that tests have to change, as threats change, and talked about the need for tabletop war room scenario planning You can t keep doing the same thing over and over again. You ve got to mix it up, he said. When you start to plan these things, you ve got to think deviously. We are at war here. Panel participants were asked whether comprehensive end to end enterprise resilience testing is needed. Participants stressed the focus should be on resilience and the ability to resume business. They were concerned about the operational impact of end to end testing, which most participants felt could be difficult. Greg Gist, director of industry relations at Citigroup in its office of emergency management, explained there are many different levels of requirements for testing: the threat environment, which might be tested with internal auditors; testing with a firm s cyber attacks 7/8

8 We wanted to come up with a repeatable testing framework that incorporated all of the sort of better practices in terms of a penetration test, but we wanted to also include threat intelligence as a key component of that part. partners; and testing with third party suppliers. He noted that the number of tests firms now experience is eating up the green zone of time and firms have very scarce resources. David Garland, director of business continuity management at CME, suggested there should be smaller disaster recovery unit testing, which are more ongoing and could ultimately reduce spending on larger industry wide testing. He too stressed the importance of tabletop tests in addition to actual fail over tests. David Evans Bank of England cyber attacks 8/8