The third panel at today’s SEC Roundtable talked about the various issues related to key market systems (trading systems, exchanges, brokerage houses, and the like). The panel noted throughout the discussion that financial firms are becoming technology firms, and that continuous cyber hygiene is increasingly important.
Topic 1: Common threats to securities market infrastructure
Primarily, the panel focused on the need to share information, and to declassify cyber attack information so that people can work together to tackle risks. Interestingly, no one really talked about what the common threats were. One panelist grouped them together, as does Richard A. Clarke, chairman of Good Harbor Security Risk Management and renowned cyber and homeland security expert, saying that the common threats are: criminal actors, whose objective is to steal money; hacktivists, who have a political objective; espionage; and war-like actors, whose objective is to disrupt or degrade.
Topic 2: Tackling the cyber risk
The panel focused on structured risk assessments and the need to continually test plans and security measures. They also stressed the need to focus on the gaps to see where the weak points are. However, the panelists also noted the importance of balancing the risk with current business needs; they asserted that using both inside and outside experts would help in that endeavor. Additionally, they once again emphasized the need to bring everyone together to collaborate on cyber threats, awareness, and best practices.
The panelists then focused on insider vs. outside threats. While insider threats were once the main focus of cybersecurity, that is no longer the case. But the panelists noted that insider threats are still an issue because the insider knows a lot more about how the systems and operations work, which allows the insider to present a higher risk. Further, the more access or trust these insiders have or are granted, the more opportunity they have to mount a significant attack. In conclusion, there was consensus that strong internal controls have to be in place to make sure one person can’t take down the whole system.
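The control the panel converged on, that no single insider can take down the whole system, is commonly implemented as a two-person rule: a privileged change needs sign-off from two distinct, authorized people other than the requester, the sign-offs expire, and every attempt is logged. The following is an added illustration written for this post, not code from the roundtable, the SEC, or any firm named here; the approver roster, the change identifier, the timestamps and the four-hour approval window are assumptions chosen for the example.

```python
"""Two-person (dual-control) rule for privileged changes to a market system.

Added illustration for this post; not code from the SEC roundtable or from any
firm named on the page. Names, roles, timestamps and the 4-hour approval window
are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy: an approval is good for four hours, so stale sign-offs cannot
# be collected over days and combined later to release a change.
APPROVAL_TTL = timedelta(hours=4)
REQUIRED_APPROVERS = 2


class DualControlError(Exception):
    """Raised when an approval or execution would violate separation of duties."""


@dataclass(frozen=True)
class Approval:
    approver: str
    at: datetime


@dataclass
class ChangeRequest:
    change_id: str
    requester: str            # the insider asking for the privileged action
    description: str
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # append-only record of every attempt

    def log(self, event: str) -> None:
        self.audit.append(event)


def approve(req: ChangeRequest, approver: str, authorized: frozenset, now: datetime) -> None:
    """Record one approval, enforcing the separation-of-duties checks."""
    reason = None
    if approver not in authorized:
        reason = "not an authorized approver"
    elif approver == req.requester:
        # The requester's knowledge of the system is exactly why their own
        # sign-off cannot count toward releasing their own change.
        reason = "cannot approve own change"
    elif any(a.approver == approver for a in req.approvals):
        reason = "already approved this change"
    if reason:
        req.log(f"{now.isoformat()} REJECTED approval of {req.change_id} by {approver}: {reason}")
        raise DualControlError(f"{approver}: {reason}")
    req.approvals.append(Approval(approver, now))
    req.log(f"{now.isoformat()} APPROVED {req.change_id} by {approver}")


def may_execute(req: ChangeRequest, now: datetime) -> bool:
    """True only if enough distinct, unexpired approvals are on record."""
    fresh = {a.approver for a in req.approvals if now - a.at <= APPROVAL_TTL}
    return len(fresh) >= REQUIRED_APPROVERS


def execute(req: ChangeRequest, operator: str, now: datetime) -> str:
    """Gate the privileged action itself behind the two-person rule."""
    if not may_execute(req, now):
        req.log(f"{now.isoformat()} DENIED execution of {req.change_id} by {operator}")
        raise DualControlError(f"{req.change_id} lacks {REQUIRED_APPROVERS} fresh approvals")
    req.log(f"{now.isoformat()} EXECUTED {req.change_id} by {operator}")
    return f"executed {req.change_id}"


def demo() -> dict:
    """Walk the control through the cases that matter and return the outcomes."""
    authorized = frozenset({"alice", "bob", "carol"})          # assumed approver roster
    t0 = datetime(2014, 3, 26, 9, 0, tzinfo=timezone.utc)     # constructed timestamp
    req = ChangeRequest("CHG-1", "alice", "hot-patch matching engine config")  # constructed
    out = {}

    def attempt(label, fn):
        try:
            fn()
            out[label] = "ok"
        except DualControlError:
            out[label] = "denied"

    attempt("self_approval", lambda: approve(req, "alice", authorized, t0))
    attempt("unauthorized", lambda: approve(req, "mallory", authorized, t0))
    attempt("first_approval", lambda: approve(req, "bob", authorized, t0))
    attempt("duplicate_approver", lambda: approve(req, "bob", authorized, t0))
    out["one_approval_executes"] = may_execute(req, t0)
    attempt("second_approval", lambda: approve(req, "carol", authorized, t0 + timedelta(minutes=5)))
    out["two_approvals_execute"] = may_execute(req, t0 + timedelta(minutes=10))
    out["execute"] = execute(req, "dave", t0 + timedelta(minutes=10))
    out["after_expiry"] = may_execute(req, t0 + timedelta(hours=5))   # both sign-offs stale
    out["audit_entries"] = len(req.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The three rejection paths (self-approval, an unauthorized approver, the same approver counted twice) are the ones an insider with elevated access would probe first; the expiry check closes the slower route of accumulating approvals over time. The audit trail records the rejected attempts as well as the successful ones, which is what an investigation later needs.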
Topic 3: If an attack occurs, what information should be given to members?
The panelists noted this was a tricky area, stating that there is a tension between fully understanding a problem and its scope (which is known only at the end) and the immediate need to know. The panelists agreed that a balance needs to be struck. You must provide notice to your clients, based on what you know, about what occurred. But the facts are going to change as you uncover what really happened. Consequently, the initial disclosure is going to look quite different from what really happened. One panelist noted that you can’t tell the whole story early.
Topic 4: How do market systems approach cyber security?
The panelists mentioned a variety of tests that they perform, but they all stated that testing is a never-ending cycle. These tests include: vulnerability scans, source code testing, penetration tests, industry-wide tests, tabletop exercises, and standard operating procedure testing.
Topic 5: Disclosure of information on breaches
The panelists agreed that the need to share information was critical because if someone else is under a similar attack, it is important to know what is going on. Also, getting information back to the government is necessary because the same intrusion could be happening in other places. However, the panelists noted that disclosure issues raise lots of questions, and this needs to be debated further. Also, a panelist noted that the big exchanges around the world have good and common best practices, but the smaller ones don’t. There is a need to get this information to them because they have just as much risk, but not the information to help mitigate it.
At the conclusion, a question was raised by one of the panelists: What can the SEC do to help facilitate best practices? All of the panelists agreed that collaboration is key, i.e., sharing information and mutual training. Also, another panelist suggested that since everything is risk-focused, help could/should be given to help quantify these risks.
Moderator: James Burns, Deputy Director, Division of Trading and Markets
- Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust and Clearing Corporation (DTCC)
- Mark Graff, Chief Information Security Officer, NASDAQ OMX
- Todd Furney, Vice President, Systems Security, Chicago Board Options Exchange
- Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, Department of the Treasury
- Thomas Sinnott, Managing Director, Global Information Security, CME Group
- Aaron Weissenfluh, Chief Information Security Officer, BATS Global Markets, Inc.