DTCC urges greater collaboration on cyber-crime threats
A white paper published by the Depository Trust & Clearing Corporation (DTCC) has urged regulators and financial institutions to collaborate more on the increasing threats posed by cyber-crime.
The DTCC advised regulators and financial institutions to share more information on the nature of the threats posed by cyber-criminals. It recommends the creation of a harmonised, clear and non-duplicative notification system in order to achieve this.
The white paper advocates the formation of global industry working groups, which will work with national regulators to help develop sensible cyber-security regulation that can address these risks on a real-time basis.
The UK appears to be ahead of the game. In summer 2014, the Bank of England unveiled a new cyber-security strategy for financial institutions at a summit held by the British Bankers' Association (BBA). The initiative - known as CBEST - stress-tested the security systems at financial institutions using real-threat intelligence and information gleaned from monitoring the Internet which indicated potential threats to firms.
This comes as a DTCC survey of clients found a record 84 per cent identified cyber-risk as one of their top five concerns, an increase from 59 per cent in March 2014. Thirty-three per cent ranked cyber-crime as the number one systemic risk to the broader economy, up from 24 per cent in March 2014.
Financial institutions were also urged by the DTCC to up the ante in their approaches to cyber-crime. “(Firms should) shift the focus of cyber-security programs from ‘check the box’ security to actively hunting for threats. A cyber-security program designed to only meet existing requirements or exclusively address known threats offers inadequate protection in today’s cyber landscape. Current cyber-threats evolve and move quickly and, as such, legacy methods of defending infrastructure are likely to fail,” read the DTCC’s white paper.
A number of high-profile financial and non-financial institutions have suffered cyber-breaches of late, including Fidelity Investments, J.P. Morgan and E*TRADE Financial. A report – “Cyber-crime, Securities Markets and Systemic Risk” – produced jointly in 2013 by CPSS-IOSCO and the World Federation of Exchanges (WFE) found 53% of 46 exchanges surveyed had been subject to a cyber-attack in 2012.
Regulators have taken note of cyber-threats. The Securities and Exchange Commission (SEC) in the United States announced in February 2014 that it would conduct a review of the policies and safeguards asset managers have in place to mitigate the risks of cyber-attacks as part of its investment adviser examination program.
The review will scrutinise whether managers are adequately protecting themselves against potential security breaches as well as the risks associated with other vendors who have access to their data and systems. The SEC also confirmed it would be looking at firms’ policies on IT training, vendor access and due diligence, while the agency also said it was considering a requirement that would force asset managers to report significant cyber events to regulators.
UK regulators are also taking an interest. Asset managers must ensure they have effective business continuity plans (BCP) and exit strategies in place with their technology vendors in the event of that service provider defaulting or running into operational difficulty if they are to avoid falling foul of the Financial Conduct Authority (FCA).