The January 31
cyberattack on Ion Markets, a middle- and back-office software vendor serving futures execution and clearing firms, prompted calls at a CFTC hearing on March 8 for a greater emphasis on collaborative responses to future attacks and for greater scrutiny
of fintech companies’ cyber risk management. The attack disrupted some activity in the listed derivatives markets for over a month.
While I applaud the emphasis on cyber security, I think fintech companies need to follow any regulatory initiatives carefully and weigh in on the debate if we feel it could lead to misguided new rules.
The outcome of investigations into the cause of the attack and the industry and vendor responses could have a material impact on financial technology firms’ regulatory costs and their relationships with their clients.
The CFTC currently does not have the authority to regulate third-party fintech vendors like Ion. However, CFTC Chairman, Rostin Behnam, asked the Senate Agriculture Committee for an oversight
role in his comments at a separate Congressional hearing on CFTC oversight, also held on March 8.
The attack, reportedly the work of Russian ransomware group LockBit, affected 42 of Dublin-based Ion’s clients, requiring these futures market participants to resort to manual
trade processing and spreadsheet-based margin calculation, and causing delays in reconciliation and reporting.
Ion said its system was slated to be back up and running by March 9.
Systemic, Not Enterprise, Risks
Speaking at the CFTC’s first Market Risk Advisory Committee (MRAC) meeting of the year, Commissioner
Kristin N. Johnson said the group should first ensure that cybersecurity is not seen as an enterprise-only issue, but as a systemic issue requiring collaboration across potentially affected market participants.
FIA CEO Walt Lukken said that market participants did in fact collaborate effectively in response to the Ion attack. "We were quickly able to centralize information,
dispel rumors and urge calm, and share practical advice and experience,” he said.
Nonetheless, the FIA has formed a Cyber Risk Taskforce to review the industry’s response to the Ion attack, and to evaluate existing rules, and develop recommendations. It will issue an initial report by the second quarter, Lukken said.
Fintech Vendor Oversight
Johnson also urged the MRAC to review whether third-party vendors like Ion should be subject to greater oversight. “What are the contours of our regulation for third-party service providers who offer integral operational services to registered market participants?”
she asked. “Who determines if these services comply with our system safeguard regulations?”
Currently,
NFA compliance rules require regulated market participants to evaluate their vendors’ cyber risk management policies as part of their due diligence. However, the NFA acknowledges the obvious limit to this approach: “NFA recognizes that a member's ability
to manage the security risks posed by third-party service providers may be limited by the information these service providers elect to provide to the Member.”
Exchanges and their members are not eager to see regulation extended to fintech vendors. CME Group Chief Operating Officer Julie Holzrichter said, “We believe risks introduced through third parties can be managed.” Less than 20 percent of CME clearing members
were affected, she said, and the issues they faced were manageable with CME’s help.
Despite this, financial technology firms selling into this space should keep a close eye on developments at the MRAC and Senate Ag Committee, and ensure that their cyber risk management is both robust and transparent to their clients.
NFA compliance rules could change, so my advice to financial technology firms selling into this space is to keep a close eye on developments at the MRAC and Senate Ag Committee, and ensure that their cyber risk management is both robust and transparent to
their clients.