One-fifth of CME clearing members hit by Ion hack
Advisory committee heard CFTC believed it could “play a more direct role” in cyber security practices
Around 20% of all CME Group clearing members were affected by the Ion ransomware event, an executive at the clearing house has told a public hearing.
Ion Group, which supplies software used to process cleared derivatives trades, had to shut down access to some of its services on January 31 after hackers seized control of its servers.
The outage affected 42 Ion clients, forcing some to process trades manually and delay regulatory reporting. CME has 67 clearing members.
Julie Holzrichter, CME chief operating officer, said a subset of the affected members saw a “material impact” as a result of the hack. She was speaking on March 8 at a meeting of the Market Risk Advisory Committee (MRAC) of the Commodity Futures Trading Commission (CFTC).
At the forefront of everyone’s minds is cyber risk, including both how to mitigate it, and how to recover from a direct cyber attack or one on a third-party service provider
Amanda Olear, CFTC
Banks are weighing their legal options over the cyber attack that has disrupted derivatives trading and drawn the scrutiny of regulators and law enforcement agencies around the world.
As events unfolded, Holzrichter said that CME “observed an unusual build-up of message queuing”. It then quickly took steps to ensure environments were protected, including blocking network connections with Ion, evaluating its environment for the published indicators of compromise, and reviewing its own systems that it believed could be exposed to contagion risk for any potential vulnerabilities.
Shortly after becoming aware of the Ion incident, CME engaged with firms to help them retrieve necessary files and perform functions within its systems. The financial market infrastructure firm extended its end-of-day processing timelines to allow clients extra time to complete their tasks, and told clearing firms that reporting might be delayed. It also put in place enhanced risk monitoring for the affected firms.
“Some of the impacted clearing members were not able to submit customer gross margin files, so we leveraged our own records and knowledge of relationships between the gross and net margin requirements to track Ion’s customers’ gross margin requirements, making adjustments to the impacted firms’ requirements as appropriate,” said Holzrichter.
What role for CFTC?
Speaking in the same meeting, Amanda Olear, director of the CFTC’s market participants division, said the agency was embarking on an effort to revisit its risk management requirements for futures commission merchants (FCMs) and swap dealers to determine whether there was space to adapt the rules to meet the evolving challenges posed by an incident such as that at Ion.
The CFTC will be issuing an advanced notice of proposed rulemaking, posing specific questions soliciting feedback from the public to inform its work in the area. Additionally, the CFTC plans to begin engaging directly with its registrants to get their perspectives on its risk management regime and to “identify opportunities to enhance its effectiveness for identifying, monitoring and managing all of the attendant risks to their FCM or swap dealer activities”.
A core focus of those discussions will be identifying key risk areas that should be monitored and managed, amendments to periodic risk reporting, and risk management governance more broadly.
“A key risk area that I’m sure is at the forefront of everyone’s minds is cyber risk, including both how to mitigate it, and how to recover from a direct cyber-attack or one on a third-party service provider,” says Olear.
At present, CFTC registrants are subject to cyber security requirements from the self-regulatory National Futures Association or through prudential or other regulatory regimes, rather than directly from the CFTC itself. But Olear said the CFTC believed it could “play a more direct role in fostering strong operational resilience practices amongst our registrants”.
The CFTC has accordingly begun work to develop policy recommendations addressing FCMs and swap dealers with respect to their cyber security practices.
Ion Group’s cleared derivatives subsidiary is a third-party service provider of order management, order execution, trading and trade processing software.
Walt Lukken, president and chief executive of the Futures Industry Association, told the MRAC hearing that on the day of the Ion incident, the FIA held a call with 150 industry members from across the globe. Over the course of the first week, its calls with the industry grew to include more than 700 individuals.
Lukken said on February 6, after Ion accelerated the recovery and rebuilding of its systems over the preceding weekend, that the industry began to reconnect to Ion, and that it was now the FIA’s understanding that firms utilizing the vendor’s software suite were “back to business-as-usual operations”.
As a result of the incident, the FIA has formed a global cyber risk task force to develop recommendations for improvements to cyber protections and protocols, examine the effectiveness of the industry’s initial response, and look at safeguards around third-party service providers. The FIA aims to release an initial report by the second quarter of this year.
The task force will determine whether additional cyber security regulations are needed to strengthen the industry’s resilience. The FIA will also review its annual disaster-recovery exercise for exchanges, regulators, clearing houses, clearing firms, service providers, executing brokers and software vendors, in light of the events that occurred at Ion.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@waterstechnology.com
More on Regulation
In ‘unusual’ move, Virtu fights $25m SEC fine for data safeguarding breach
Virtu disputes the regulator’s claim that employees had ‘unfettered’ access to consumer data.
What firms should know ahead of the DSB’s UPI launch
Six jurisdictions have set deadlines for firms to implement the derivatives identifier, with more expected to follow.
Europe’s AI Act is taking shape. How will the UK respond?
As the EU pushes through a historic AI Act, its neighbor is left wondering how to keep up.
The consolidated tapes are taking shape—but what shape exactly?
With political appetite established on both sides of the Channel, attention is turning to the technical details.
SEC squares off with broker-dealers over data analytics usage
The Gensler administration has ruffled feathers in the broker-dealer community with a new proposal seeking to limit their use of predictive data analytics. But at the heart of this deal is something far more seismic: one of the first attempts by the SEC to regulate AI.
The Cusip lawsuit: A love story
With possibly three years before the semblance of a verdict is reached in the ongoing class action lawsuit against Cusip Global Services and its affiliates, Reb wonders what exactly is so captivating about the ordeal.
Vendors under new scrutiny in CFTC due diligence push
The planned cyber resilience regime will force dealers to subject “critical” tech vendors to stricter audits.
Industry divided on whether Europe should delay FRTB
Most bankers prefer to keep to earlier start date, even though it puts continent out of sync with US.