Ion cyber outage continues as banks rely on workarounds

ABN Amro, Macquarie, RBC among firms hit; ransom deadline tomorrow, but service may be down for days

A cyber attack that forced Ion Trading to shut down a key futures trading service on January 31 could take several days to resolve, leaving dozens of dealers relying on workarounds to execute and process client trades.

It has been confirmed that ABN Amro, Macquarie and RBC are among those affected.

In a statement, Macquarie says the bank “maintains core operational capability, manually processing trades … [and has] completed processing for each day of the outage. Macquarie’s market access and trading systems remain unaffected”.

Others were hit harder. Market participants report at least one bank had to stop trading entirely for a period, vanishing from the market. A source at one affected firm says Ion was able to reconnect a single trading desk, so it could execute orders on behalf of other desks within the organisation.

Clearing workflows have also been disrupted. Some of the affected firms were able to fall back on existing connections to FIS, a rival to Ion. Others resorted to “painful” manual processing to accept and route trades to the relevant clearing houses.

Clients were informed on Thursday (February 2) that the affected services would remain offline until at least February 5. One source was initially told the recovery time objective was 24 to 36 hours, but says this has since been extended to five to 10 days.

“Everyone is still a bit uncertain as to how long it will take. And that’s obviously not a trivial exercise. I think we’re in new territory here,” says a source who has been working with affected banks.

The precise impact depends on how each firm was using the compromised software. Ion’s XTP covers everything from trade execution to clearing workflows and risk analytics. It was rebranded and relaunched last November after a suite of existing products had been stitched together to provide ‘end-to-end’ functionality.

Ransom deadline

A critical question for Ion and its clients is whether the cyber-attacker was able to steal any data from XTP users. Ion has been given a Saturday deadline—February 4—to pay a ransom or see its client data published online.

The source working with affected banks says Ion has determined how the hackers got into its encrypted servers and does not believe any client data “left the building”.

“It has not been confirmed whether the threat actor exfiltrated data out of Ion. Ion believe they did prevent the threat actor from getting into customer data,” this person says.

In a note to clients, released on February 2, Ion says it identified “an issue preventing access to certain systems” in the early hours of Monday, January 31. At 8am that day, the cause was confirmed to be a cyber attack by infamous ransomware outfit LockBit, which Ion sought to isolate, investigate and contain—disconnecting the affected servers. By Thursday, Ion said its “systems are up but currently are not accessible, so we cannot establish whether data has been affected” but adds that an analysis of firewall logs shows “no evidence of exfiltration”.

The source working with affected banks says it is common in ransomware attacks for hackers to get their hands on a small amount of data and then claim they have more “to make you sweat”.

“You don’t know what cards they’re holding, unless you have really sophisticated firewalls and detection systems,” the source says. “You don’t know if they’re bluffing or not.”

Ion founder Andrea Pignataro has a reputation as a hard negotiator. It is not known how the firm intends to respond to the ransom demand.

Domhnall McCormack, the long-time chief operating officer for Ion Markets, is said to have left the firm this week, but his departure is understood to be unconnected to the cyber attack—he resigned last September, and had a six-month notice period.

Going manual

In all, the outage has affected 42 clients, with impacts ranging from severe to relatively mild.

Most executing brokers were able to minimize disruption for clients by re-routing trades directly to other brokers. The situation was more complicated for clearing brokers, which are not always set up to hand their clients’ trades to a rival and had to process trades manually in the absence of Ion’s services.

“Some banks have moved to manual clearing, whereas before they were reasonably automated because of Ion’s software,” says a clearing executive at one European bank. “We see there are backlogs for certain players who are more affected than others, in very specific markets or at specific banks.”

The full extent of the disruption is unclear. Two clearing executives say the fallout has been relatively contained and that any trade backlogs should be cleared within days. The source working with affected banks says “there was a lot of chaos” when Ion’s services were taken offline, but backlogs since then have been manageable.

A source close to ABN Amro claims the impact on the bank was at the milder end of the spectrum, with only a small proportion of trades disrupted. The bank used Ion software to automatically match trades—but only for a slice of its overall business. After Ion’s systems were shut down, ABN Amro had to manually match those trades with each exchange individually, slowing down the process.

A spokesperson for the bank says “ABN Amro Clearing does not see any relevant disruptions in the market,” and adds the bank “has taken appropriate action to keep its operations safe, including informing its clients beforehand on what might happen.”

With the exception of ABN Amro, which has a large futures broking business, none of the other known affected Ion clients are considered to be top-tier clearing providers.

There has been a wider, chilling effect on Ion clients, though. After learning about the cyber attack, some banks took steps to avoid using other services from the vendor—not just XTP. “We have reduced links and contacts with the vendor and there is now heightened surveillance,” says the first executive at a European clearing bank.

Nightmare scenario

The threat of a crippling cyber attack on a clearing house has long been a nightmare scenario for regulators and market participants, but the Ion episode highlights how complex the clearing network is—with many nodes that can propagate chaos if attacked.

Officials at the US Treasury department, the US Commodity Futures Trading Commission, the Federal Bureau of Investigation, the UK Financial Conduct Authority and Prudential Regulation Authority are all reportedly aware of the attack—and in some cases have been speaking to affected firms.

One IT consultant expects the episode to have wider implications. In Europe, he predicts software vendors could ultimately become subject to Dora—the Digital Operational Resilience Act. Text for the act was agreed and published in December last year, and will apply from January 2025. It requires firms to ensure they can detect, contain, mitigate and recover from various technology and communications outages, including cyber attacks.

“Vendors such as Ion have long argued—so far successfully—that they are mere software providers, and that the onus should be on their financial services clients, and that the regulations do not apply to them directly. I don’t believe this rather self-serving view will be defensible much longer,” the consultant says.

A rival software vendor says most large banks have compliance teams that regularly assess their IT security, and it expects “this incident will ensure continued due diligence”.

Additional reporting by Rebecca Natale
