CYBER RISKS IN SECURITIES SERVICES
Jason Harrell, Business and Government Cybersecurity Partnerships
November 2018
Why Did ISSA Review Cyber Risks To The Securities Services Market Segment?
Background
- The evolving threat landscape, new and emerging technology, and increased reliance on third parties and supply chain providers increase risk across the financial services sector.
- In 2017, the International Securities Services Association (ISSA) released the white paper Inherent Risks within the Global Custody Chain, which highlighted risks specific to Securities Servicers.
- Later that year, a Cybersecurity Working Group was formed to analyze how cyber threats may impact Securities Servicers. Several questions emerged:
  - How would cyber threats materially impact this market segment?
  - Do the current risk frameworks address the risks of Securities Servicers? Are there risks specific to Securities Servicers that the current cybersecurity risk frameworks may not cover?
  - What cyber risk programs should Securities Servicers focus on?
  - What should Securities Servicers focus on, as a market segment, to be operationally resilient?
What Is The Motivation For Cyber Criminals?
Motivators For Threat Actors
- There are several types of threat actors:
  - Nation states
  - Organized crime
  - Hacktivists
  - Insiders
- Not all cyber criminals are focused on direct financial gain! Other motivations include:
  - Market disruption
  - Geopolitical motivation
  - Market manipulation
Why Did ISSA Review Cyber Risks To The Securities Services Market Segment?
Market Impacts
- What would the market impact be if a threat actor disabled the operations of a Central Counterparty (CCP) or Central Securities Depository (CSD)?
- What would the market impact be if a threat actor disabled the operations of a large custodian or sub-custodian?
- What would the market impact be if a threat actor targeted the books and records of a specific security but did not disrupt all firm operations?
- AND OF EQUAL IMPORTANCE... How would the Securities Servicers market segment respond if any of these events occurred?
How May My Organization Provide A Reasonable Control Structure?
Cybersecurity Frameworks
There are several frameworks that may be used to build a cybersecurity program that provides reasonable assurance. These include:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures
- International Organization for Standardization (ISO) 27000 series
- Federal Financial Institutions Examination Council (FFIEC) Information Security Handbook
What Cyber Services Should My Organization Focus On As A Securities Servicer?
Important Cyber Security Services For Securities Servicers
It is important that Securities Servicers have a comprehensive cybersecurity program that is sized based on:
- Type, size, and complexity of operations
- Customers and counterparties
- Markets and products traded
- Access provided to trading venues
- Market interconnectedness
Services to focus on:
- Threat intelligence
- Vulnerability / patch management
- Penetration testing
- Third party / supply chain management
What Are The International Activities That Are Occurring Within Cyber Security?
Cybersecurity Risk Management Activities - International Supervisor / Regulatory Focus
Bodies active in this space:
- Bank of England / UK Financial Conduct Authority (FCA)
- Financial Stability Board (FSB)
- Basel Committee on Banking Supervision (BCBS)
- European Central Bank (ECB)
- Committee on Payments and Market Infrastructures / International Organization of Securities Commissions (CPMI-IOSCO)
- SWIFT Customer Security Program
- Trade associations
Recurring themes:
- Regulatory / examination harmonization
- Two-hour recovery for cyber events
- Operational / cyber resiliency
Where Do We Go From Here?
Call To Action
- Continuously monitor the threat landscape for emerging threats to the financial services sector.
- Build a cybersecurity program using an industry standard and focus on those programs that provide the largest risk mitigation for your business.
- Understand the operational resiliency your organization has in place to resume operations in the face of a material impact.
- Work together across the Securities Services market segment to understand how the entire market would respond to a material operational outage.
Jason Harrell
Depository Trust and Clearing Corporation (DTCC), Technology Risk Management
Email: jharrell@dtcc.com
Resources: Links To Aforementioned Documents
- ISSA: Cybersecurity Risk Management in Securities Services
  https://www.issanet.org/e/pdf/2018-10_ISSA_Cyber_Risk_in_Securities_Services.pdf
- ISSA: Inherent Risks Within the Global Custody Chain
  https://www.issanet.org/e/pdf/ISSA_Report_Inherent_Risk_February-2017.pdf
- NIST: Framework for Improving Critical Infrastructure Cybersecurity
  https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- CPMI-IOSCO: Guidance on Cyber Resilience for Financial Market Infrastructures
  https://www.bis.org/cpmi/publ/d146.pdf
- FFIEC: Information Security Handbook
  https://www.ffiec.gov/press/pdf/ffiec_it_handbook_information_security_booklet.pdf
- Bank of England / UK FCA: Building the UK Financial Sector's Operational Resilience
  https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/discussion-paper/2018/dp118.pdf
- SWIFT Customer Security Programme
  https://www.swift.com/myswift/customer-security-programme-csp