Ion cyber outage continues as banks rely on workarounds
ABN Amro, Macquarie, RBC among firms hit; ransom deadline tomorrow, but service may be down for days
A cyber attack that forced Ion Trading to shut down a key futures trading service on January 31 could take several days to resolve, leaving dozens of dealers relying on workarounds to execute and process client trades.
It has been confirmed that ABN Amro, Macquarie and RBC are among those affected.
In a statement, Macquarie says the bank “maintains core operational capability, manually processing trades … [and has] completed processing for each day of the outage. Macquarie’s market access and trading systems remain unaffected”.
Others were hit harder. Market participants report at least one bank had to stop trading entirely for a period, vanishing from the market. A source at one affected firm says Ion was able to reconnect a single trading desk, so it could execute orders on behalf of other desks within the organisation.
Clearing workflows have also been disrupted. Some of the affected firms were able to fall back on existing connections to FIS, a rival to Ion. Others resorted to “painful” manual processing to accept and route trades to the relevant clearing houses.
Clients were informed on Thursday (February 2) that the affected services would remain offline until at least February 5. One source says they were initially told the recovery time objective was 24 to 36 hours, but says this has since been extended to five to 10 days.
“Everyone is still a bit uncertain as to how long it will take. And that’s obviously not a trivial exercise. I think we’re in new territory here,” says a source who has been working with affected banks.
The precise impact depends on how each firm was using the compromised software. Ion’s XTP covers everything from trade execution to clearing workflows and risk analytics. It was rebranded and relaunched last November after a suite of existing products had been stitched together to provide ‘end-to-end’ functionality.
Ransom deadline
A critical question for Ion and its clients is whether the cyber-attacker was able to steal any data from XTP users. Ion has been given a Saturday deadline—February 4—to pay a ransom or see its client data published online.
The source working with affected banks says Ion has determined how the hackers got into its encrypted servers and does not believe any client data “left the building”.
“It has not been confirmed whether the threat actor exfiltrated data out of Ion. Ion believe they did prevent the threat actor from getting into customer data,” this person says.
In a note to clients, released on February 2, Ion says it identified “an issue preventing access to certain systems” in the early hours of Monday, January 31. At 8am that day, the cause was confirmed to be a cyber attack by infamous ransomware outfit LockBit, which Ion sought to isolate, investigate and contain—disconnecting the affected servers. By Thursday, Ion said its “systems are up but currently are not accessible, so we cannot establish whether data has been affected” but added that an analysis of firewall logs shows “no evidence of exfiltration”.
The source working with affected banks says it is common in ransomware attacks for hackers to get their hands on a small amount of data and then claim they have more “to make you sweat”.
“You don’t know what cards they’re holding, unless you have really sophisticated firewalls and detection systems,” the source says. “You don’t know if they’re bluffing or not.”
Ion founder Andrea Pignataro has a reputation as a hard negotiator. It is not known how the firm intends to respond to the ransom demand.
Domhnall McCormack, the long-time chief operating officer for Ion Markets, is said to have left the firm this week, but his departure is understood to be unconnected to the cyber attack—he resigned last September, and had a six-month notice period.
Going manual
In all, the outage has affected 42 clients, with impacts ranging from severe to relatively mild.
Most executing brokers were able to minimize disruption for clients by re-routing trades directly to other brokers. The situation was more complicated for clearing brokers, which are not always set up to hand their clients’ trades to a rival and had to process trades manually in the absence of Ion’s services.
“Some banks have moved to manual clearing, whereas before they were reasonably automated because of Ion’s software,” says a clearing executive at one European bank. “We see there are backlogs for certain players who are more affected than others, in very specific markets or at specific banks.”
The full extent of the disruption is unclear. Two clearing executives say the fallout has been relatively contained and that any trade backlogs should be cleared within days. The source working with affected banks says “there was a lot of chaos” when Ion’s services were taken offline, but backlogs since then have been manageable.
A source close to ABN Amro claims the impact on the bank was at the milder end of the spectrum, with only a small proportion of trades disrupted. The bank used Ion software to automatically match trades—but only for a slice of its overall business. After Ion’s systems were shut down, ABN Amro had to manually match those trades with each exchange individually, slowing down the process.
A spokesperson for the bank says “ABN Amro Clearing does not see any relevant disruptions in the market,” and adds the bank “has taken appropriate action to keep its operations safe, including informing its clients beforehand on what might happen.”
With the exception of ABN Amro, which has a large futures broking business, none of the other known affected Ion clients are considered to be top-tier clearing providers.
There has been a wider, chilling effect on Ion clients, though. After learning about the cyber attack, some banks took steps to avoid using other services from the vendor—not just XTP. “We have reduced links and contacts with the vendor and there is now heightened surveillance,” says the first executive at a European clearing bank.
Nightmare scenario
The threat of a crippling cyber attack on a clearing house has long been a nightmare scenario for regulators and market participants, but the Ion episode highlights how complex the clearing network is—with many nodes that can propagate chaos if attacked.
Officials at the US Treasury department, the US Commodity Futures Trading Commission, the Federal Bureau of Investigation, the UK Financial Conduct Authority and Prudential Regulation Authority are all reportedly aware of the attack—and in some cases have been speaking to affected firms.
One IT consultant expects the episode to have wider implications. In Europe, he predicts software vendors could ultimately become subject to Dora—the Digital Operational Resilience Act. Text for the act was agreed and published in December last year, and will apply from January 2025. It requires firms to ensure they can detect, contain, mitigate and recover from various technology and communications outages, including cyber attacks.
“Vendors such as Ion have long argued—so far successfully—that they are mere software providers, and that the onus should be on their financial services clients, and that the regulations do not apply to them directly. I don’t believe this rather self-serving view will be defensible much longer,” the consultant says.
A rival software vendor says most large banks have compliance teams that regularly assess their IT security, and it expects “this incident will ensure continued due diligence”.
Additional reporting by Rebecca Natale