Cyber-threats are top risk for financial institutions, says DTCC survey

Operational Risk
27 Mar, 2014

Cyber-security and the impact of new regulations present the biggest challenges for capital markets in 2014, although the likelihood of a systemic risk event occurring has reduced markedly, according to a survey by the Depository Trust & Clearing Corporation (DTCC).

Twenty-four per cent of respondents, who comprised broker-dealers, banks, mutual funds, insurers and hedge funds, said cyber-threats were the biggest risk for the broader economy, while 23% said they were the largest risk to their firm.

A previous report, “Beyond the Horizon: A White Paper to the Industry on Systemic Risk”, also published by the DTCC, said cyber-crime was the most significant threat to market stability, even putting it ahead of counterparty risk and concentration risk at central counterparty clearing houses (CCPs). High-profile financial institutions including CME Group, J.P. Morgan, Citigroup and the New York Stock Exchange have all fallen victim to cyber-crime.

A report, “Cyber-crime, Securities Markets and Systemic Risk”, produced jointly in 2013 by CPSS-IOSCO and the World Federation of Exchanges (WFE), found 53 per cent of 46 exchanges surveyed had been subject to a cyber-attack over the preceding 12 months. The threat is such that the WFE opted to launch the exchange industry’s first cyber-security committee with the stated ambition of protecting global capital markets against cyber-criminals.

While large financial institutions tend to have systems in place to mitigate the risk of cyber-threats, asset managers have been found wanting. A survey by COOConnect of 44 hedge funds found that just 27% of managers running in excess of $1 billion had systems in place to mitigate the risk of a cyber-attack. Not one single hedge fund manager with less than $100 million in assets said they were “well prepared” to deal with such a threat.

Cyber-threats are something technology vendors are increasingly speaking to their clients about. “Hacktivism has been on the rise for a while now, from both the single interest groups and the wider hacker community. The threat from organised crime is also increasing - the days of robbing a bank with a gun are over, but trying to rob financial institutions, including hedge funds, via some form of cyber-attack is increasing,” said Ashley Jelleyman, head of information assurance at BT Security.

The Securities and Exchange Commission (SEC) has said it will be reviewing asset managers’ policies on cyber-threats as part of its investment manager examination process. Asset managers were also urged by the SEC to conduct thorough operational due diligence on technology vendors that host their proprietary data. “Firms need to show regulators that they have controls in place to handle cyber-breaches. Firms need to manage this at a senior level just as they would market risk or counterparty risk,” said Mark Clancy, managing director and corporate information security officer at the DTCC.

Nineteen per cent of respondents told the DTCC survey that new regulations presented the biggest risk to the broader economy, although 37% said they would be the largest risk to their actual businesses. Financial institutions are grappling with countless regulatory initiatives such as Dodd-Frank and the European Market Infrastructure Regulation (EMIR), which are forcing them to report their over-the-counter (OTC) derivatives transactions to trade repositories and clear them through clearing houses.

Interestingly, just 9% of firms said a high-impact market event within the next year was likely, compared with 37% in 2013. Despite this, no firm said they had reduced their budgets for systemic risk mitigation. “Even though concerns about a near-term destabilising market event appear to be abating, it is gratifying to see that this has apparently not translated into complacency and that the industry is becoming more diligent about protecting itself from such occurrences. Of the individuals we polled, 70% reported that their firms had committed more resources into systemic risk management activities over the past 12 months. This trend might indicate that systemic risk protection is becoming firmly embedded in corporate culture and standard business practices,” said Michael Leibrock, chief systemic risk officer at the DTCC.