20 September 2017
Nigel Farmer


Nigel Farmer - Software AG

19Posts 82,347Views 2Comments

CFTC Rules: Preventing the Rise of the Cybermen

14 September 2016  |  4092 views  |  0

The Commodities Futures Trading Commission (CFTC) recently finalized a set of cyber security rules, designed to help safeguard its systems from breaches; but worries about hacking and possible terrorism remain. 

There have long been concerns that Cyberman-like terrorists or hackers could compromise the world’s financial markets by attacking exchanges or banks. On numerous occasions, the CFTC has stated that cyber security is the single biggest threat to the stability of the global financial markets. So are its new rules for exchanges, clearing houses, trade repositories and dealing platforms enough?

The rules require testing of technology to identify vulnerabilities, internal and external security penetration and controls testing, incident response and technology risk assessment. Some have questioned that the frequency of testing is not enough. After all, is quarterly vulnerability testing enough, when hackers are adapting their techniques on a daily basis?

Earlier in the year, the Anonymous hacker group conducted a month long attack on financial institutions, amongst them many central banks and the London Stock Exchange, whilst SWIFT recently revealed more attacks on banks had taken place since the $81m theft at the Bangladesh Bank.

The question is, should regulation as that being introduced by the CFTC only apply to exchanges and venues - or to all market participants? An examination of what happened at the Bangladesh Bank revealed many shortcomings, not least the lack of firewalls and the use of second-hand networking equipment.  So how could better technology have helped reduce the scale of this loss?

Prevention is a better than a cure, especially in the case of disrupting strategically important financial markets. This means, to start with, it is imperative that firms have an understanding of their IT infrastructure and are able to identify which systems are connected to the outside world, as well as with other internal systems.

Extensive security on these systems is crucial, as is threat management, so that identified weaknesses in systems can be patched in a timely fashion. Without understanding infrastructure and where you are exposed to the outside world, it’s impossible to put in place the sort of vulnerability and penetration testing that the CFTC is proposing.

Automated monitoring, using technologies such as streaming analytics, would have helped in many stages of the Bangladesh heist. Monitoring rules could have raised alerts when out-of-hours messages were spotted, or sounded an alarm at the suspicious destination of large transfers.

The misspelling of a Philippines-based recipient, which was manually identified by chance, could have been identified automatically, in real-time.  In fact such monitoring could have prevented the message transmission entirely. Real-time monitoring could have spotted that hackers were covering their tracks by deleting received SWIFT confirmation messages, as the messages would have been monitored in real-time as they arrived.

Alerts are not effective though, if there is nobody on hand to see them. Correct scoring or prioritization of alerts, combined with mobile technology would have helped. But, more importantly, a response plan with processes, procedures and escalation policies all in place would ensure a controlled and timely response. This might even have helped to flag when the Bangladesh central bank’s SWIFT system had been compromised over a bank holiday weekend.

Clearly cybersecurity should be taken seriously, and the CFTC’s rules are a good start. But there is a long way to go before banks, central banks, exchanges, clearing houses, repositories and trading platforms are invulnerable. Preventing the rise of the Cybermen will require more than just a sonic screwdriver. 

TagsSecurityRisk & regulation

Comments: (0)

Comment on this story (membership required)

Latest posts from Nigel

Are Smart Contracts getting smarter?

22 November 2016  |  4467 views  |  0 comments | recomends Recommends 2 TagsBlockchainInnovation

Data, Data Everywhere, nor any Knowledge to Gain

27 October 2016  |  5021 views  |  0 comments | recomends Recommends 0 TagsRisk & regulationInnovation

Capital Markets Firms Embrace Cloud Transformation

13 October 2016  |  9916 views  |  1 comments | recomends Recommends 0 TagsRisk & regulationInnovation

How to Manage Your IT Spaghetti

29 September 2016  |  3316 views  |  0 comments | recomends Recommends 0 TagsInnovation

CFTC Rules: Preventing the Rise of the Cybermen

14 September 2016  |  4092 views  |  0 comments | recomends Recommends 0 TagsSecurityRisk & regulation

Nigel's profile

job title Industry Director, Capital Markets
location London
member since 2016
Summary profile See full profile »
Nigel Farmer is the head of Capital Markets solutions at Software AG, responsible for the strategy,product management and marketing of solutions in areas such as Market Surveillance, Pre-Trade Risk, F...

Nigel's expertise

Member since 2016
19 posts2 comments
What Nigel reads
Nigel's blog archive
2016 (19)

Who's commenting on Nigel's posts

Srinivas Annamaraju