Waters Wrap: On cybersecurity, regulators and ‘victim blaming’

In the wake of the Ion hack, regulators are pushing for firms to beef up their cyber defenses. Anthony says that they'll need to mind their words and tread carefully, as cloud, machine learning and open source take off.

At the tail end of January, Ion Group was hit with a cyber attack that left banks and clearing firms around the globe scrambling for workarounds and calling their lawyers. By mid-March, users were still demanding answers about what exactly went wrong.

It’s a simple fact that when it comes to cybersecurity, financial services firms will always be on the back foot: a defender has to hold every door, while an attacker only needs one of them to be open. According to sources we spoke to during and after the hack, Ion was neither transparent nor communicative in the two months after the hack was discovered. That led to significant frustration among clients, and rightfully so.

But while I’m not surprised by end-users being pissed off, I was somewhat taken aback when I heard a senior official at a regulatory body seemingly take a shot at some of the victims of the Ion hack.

At the Commodity Futures Trading Commission’s Technology Advisory Committee (TAC) meeting on March 22, Todd Conklin, deputy assistant secretary in the US Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection, had this to say:

“Many firms that were onboarded [by] Ion didn’t use the highest level of scrutiny that they use for their most-critical third-party vendors.”

He added: “And over the course of the last few months, [Ion has] been on a bit of an acquisition spree. So, you have this potential sprawling impact zone for a firm that—we found later—many institutions didn’t even classify necessarily as a critical third-party vendor.” (Video of the full TAC meeting can be found here.)

Now, it’s taken me a while to write this column, but it’s something I’ve wanted to address, based on the responses I received from industry participants.

One market data professional told me that those comments were unfair to the users affected by the hack. “I refuse to believe that all 42 firms [affected by the hack] 100% provided sub-standard onboarding. And even if they did, this is not the reason Ion got hacked. This is effectively victim blaming,” they said. “It’s both a sweeping statement and, frankly, an explosive and loose-lipped one.”

A bank chief data officer concurred. “We meticulously vet a new dataset that we’re bringing in that costs [a few thousand] dollars. How much does the typical Ion platform cost for a big bank’s fixed-income operations? A few million? I just can’t believe that there wasn’t a strong vetting process involved in the onboarding that then led to them [the end-user] being locked out.”

And a former employee of Ion had this to say: “There’s risk in everything—the most secure system is something that doesn’t do anything at all,” adding that vendors do everything in their power to build secure systems due to the reputational risks at stake, but you’re never going to be totally safe.

Now, I’m not a cybersecurity reporter, so I have more questions than answers. I reached out to the Treasury’s media relations team on four separate occasions, sadly to no avail. Here’s what I asked:

1. How does the Treasury know that “many institutions” did not classify Ion as a critical third-party vendor?

2. How does a firm go about classifying a vendor as critical? Is there a specific form that they fill out that the Treasury (and/or other regulatory agencies) has access to? Is there a specific regulation where an end-user has to list certain third-party vendors as critical?

3. What are the requirements for an end-user to classify a third-party vendor as critical? Is it an A/B thing: meaning, you’re either deemed critical or non-critical, or is there a scale (and if so, what is that scale)?

4. If a firm is listed as critical, do they have to go through extra steps or answer extra questions during the due diligence process?

Now, there might be clear answers to those questions, but the people I spoke to didn’t have any, either. What is clear, though, is that regulators are starting to get more aggressive when it comes to cybersecurity rulemaking.

On March 15, the US Securities and Exchange Commission (SEC) proposed a new cybersecurity risk management rule (Rule 10) for a range of regulated firms, together with amendments to Regulation Systems Compliance and Integrity (Reg SCI) and to Reg S–P, which covers the protection of customer data. The New York Department of Financial Services (NYDFS) has plans to impose stricter cyber standards on the institutions it oversees. At the CFTC’s TAC meeting, the group voted to create a new cybersecurity sub-committee. And I’m sure there’s a lot more I’m missing, but, again, cybersec isn’t an area of expertise for me.

Actually, if I’m being honest, I don’t much care for writing about cybersecurity. Rarely will someone tell you something interesting on the record—even on background. You encounter a hopeless feeling, or at least a feeling of, “Please, dear God, don’t let me be the chief information security officer when a hack hits this company!” Everyone is a potential target. No one is safe.

The industry-wide shift to the cloud will only make cyber a bigger challenge, as will the increased adoption of machine learning and open-source tools. As one ML engineer at a major technology provider recently told me, cybersecurity is going to become more of a headache because “it’s a combination of a ton of new technologies, a ton of bodies being thrown at ever-more-complicated problems, a crazy amount of enthusiasm around solving a problem as quickly as possible, and getting ahead of the next guy, mixed with legacy tech that still needs to be maintained.”

We don’t have all the facts about how many of Ion’s defenses had to fail for the hack to succeed. Nor does a client’s classification of a vendor as critical do anything to stop that vendor from being breached; what it changes is how deeply the client looks before onboarding and whether it has a tested fallback for the day the vendor goes dark. What is clear, though, is that regulators will serve a significant role in helping firms defend themselves against future cyber attacks. This relationship can’t be adversarial, and communication will be important. As such, the words that regulators choose to craft their guidance and rules will also matter.

And while we’re on the topic of open communication, since I’m not a cyber expert, if you have thoughts, I’d love to hear (well, read) them: anthony.malakian@infopro-digital.com.

The image accompanying this column is “Saint Reparata Being Prepared for Execution” by Bernardo Daddi, courtesy of The Met’s open-access program.
