Ion in the fire: three banks call in lawyers after hack
Banks are examining service-level agreements for possible breaches
At least three banks are weighing their legal options over a cyber attack that has disrupted derivatives trading since the end of January, and drawn the scrutiny of regulators and law enforcement agencies around the world.
Ion Group, which supplies software used to process cleared derivatives trades, shut down access to some of its services on January 31 after hackers seized control of its servers. The outage affected 42 clients, forcing some to process trades manually and delay regulatory reporting.
Three banks are now looking into whether Ion breached its service-level agreement (SLA), which outlines performance expectations as well as remedies for falling short. One of those is taking legal advice around whether it can seek compensation from Ion, or even sever their contracts with the vendor altogether.
“This is a highly sensitive matter right now with armies of lawyers involved,” a risk manager at one global clearing bank tells Risk.net.
It’s not a uniform response. A risk manager at a fourth bank says their employer is not currently taking legal advice.
“There is nothing to indicate from our side that SLAs weren’t adhered to at this point in time, but we haven’t concluded either way,” they say.
Ion declined to comment.
The validity of any legal action would hinge on the specific terms that banks negotiated with Ion. “Each firm will have their own SLAs with Ion, including some who have additional security measures in place,” says the risk manager. While these can vary between clients, the contracts banks negotiate with critical vendors often spell out expectations for cyber security, data backups and disaster recovery.
“Regulators are increasingly expecting that degree of specificity and oversight over vendors,” says Michael Bahar, co-lead of the global cyber security and data privacy practice at law firm Eversheds Sutherland. “It’s not enough to just leave it to a negligence or reasonableness standard.”
Ion’s problems could invite more regulatory scrutiny of banks’ dealings with vendors. “This incident confirms why we require all regulated firms to have appropriate operational resilience plans in place, including for when third party providers are subject to outages or issues,” says a spokesperson for the UK Financial Conduct Authority, which is investigating the cyber attack.
As part of their response, banks are seeking to establish whether Ion practiced at least basic cyber security hygiene—such as insisting on multi-factor authentication (MFA) for employees and users—and had an appropriate data backup strategy to recover from a cyber attack.
“There’s a clear line in the sand beginning to emerge as to what practices you’re expected to have, [and] one is having MFA,” says Oliver Tavakoli, chief technology officer at cyber security firm Vectra.
MFA makes it harder for unauthorized users to access systems and accounts using stolen credentials.
Another minimum expectation is adhering to the so-called 3-2-1 backup strategy of maintaining three copies of data, with two stored locally on different systems, and one off-site.
A consultant who has worked with Ion in the past says the extended service outage raises questions about the company’s data backup policy: “Anything longer than four days for databases to restore really is jaw-dropping.”
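As an added illustration (not from the article, and not Ion's own tooling), a small check of whether a backup inventory satisfies the 3-2-1 rule described above and whether measured restore times stay under the four-day figure the consultant cites; the inventory, system names and restore timings are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class BackupCopy:
    name: str
    system: str                          # storage system the copy lives on
    offsite: bool                        # held at a different physical site
    last_restore_hours: Optional[float]  # full-restore time in last test; None if never tested

# Four days, the restore duration the consultant quoted above calls "jaw-dropping".
MAX_RESTORE_HOURS = 4 * 24

def check_321(copies: List[BackupCopy]) -> List[str]:
    """Return findings against the 3-2-1 rule; an empty list means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    # Two local copies must sit on different systems, so a replica on the
    # same cluster as the primary does not count as a second copy.
    local_systems = {c.system for c in copies if not c.offsite}
    if len(local_systems) < 2:
        findings.append(f"local copies on {len(local_systems)} distinct system(s), need 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    return findings

def check_restore_times(copies: List[BackupCopy], max_hours: float = MAX_RESTORE_HOURS) -> List[str]:
    """Flag copies that were never restore-tested or whose restore exceeded the limit."""
    findings = []
    for c in copies:
        if c.last_restore_hours is None:
            findings.append(f"{c.name}: restore never tested")
        elif c.last_restore_hours > max_hours:
            findings.append(f"{c.name}: restore took {c.last_restore_hours:.0f}h, limit {max_hours}h")
    return findings

# Constructed inventories: one that passes, one that would draw the questions raised above.
GOOD_INVENTORY = [
    BackupCopy("primary-db", "san-cluster-a", False, 6.0),
    BackupCopy("nightly-snapshot", "nas-backup-b", False, 10.0),
    BackupCopy("offsite-tape", "vault-site-c", True, 60.0),
]
BAD_INVENTORY = [
    BackupCopy("primary-db", "san-cluster-a", False, 6.0),
    BackupCopy("replica", "san-cluster-a", False, None),      # same system, never tested
    BackupCopy("offsite-tape", "vault-site-c", True, 120.0),  # five-day restore
]

if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        print(label, check_321(inv) + check_restore_times(inv))
```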
Simply establishing that Ion breached its SLA may not be enough to recover meaningful damages, however. A source at a US clearing firm is skeptical the legal maneuvers will yield much in the way of compensation. SLAs generally cap the amount of damages that can be claimed for breaches, except in the case of gross negligence or wilful misconduct, and Ion has “air-tight contracts”, this person says.
SLAs with large technology vendors typically limit compensation to fees paid during the course of the outage, or at most the value of the contract. “Any damages would usually be capped, for example, at 12 months of fees previously paid,” says Nathaniel Lalone, a partner at law firm Katten Muchin Rosenman.
Compensation may not be the only remedy banks have in mind. If there was a significant violation of the SLA, then Bahar at Eversheds says banks could claim breach of contract and escape their agreements with Ion, or use it as leverage to renegotiate existing terms.
“If you have a very specific list of appropriate technical and organizational measures [in the SLA], and if one of those wasn’t actually in place—if the vendor said they have multi-factor authentication and they didn’t—it would actually be a violation of the contract,” Bahar says.
Banks have long complained about Ion’s multi-year contracts and its use of punitive break fees and hardball negotiating tactics to prevent them switching suppliers.
“Trying to cancel your contract is almost impossible,” says the source at the third bank, which intends to sever its ties with Ion in the wake of the cyber attack.
Katten’s Lalone says Ion may still have the whip hand even if banks can establish breach of contract. “Normally, you wouldn’t necessarily go directly to breach because, frankly, the financial firm needs the service provider. They’re not always easily replaceable,” he says. “I would think the banks would be looking for financial compensation rather than simply exiting the agreement, because Ion is too important to too many banks.”
Additional reporting by Philip Alexander and Anthony Malakian
Copyright Infopro Digital Limited. All rights reserved.