The data dilemma in the financial markets
Cyber specialists talk about cyber preparedness and national security
By Waynette Tubbs, Risk & Fraud Insights Editor
Nobody in the financial services industry will forget the events of May 6, 2010. The Dow Jones Industrial Average plunged nearly 1000 points, only to recover those losses within minutes. It was the second-largest point swing and the biggest one-day decline in history. Automatic computerized traders on the stock market had shut down, and the resulting lack of liquidity caused shares of some prominent companies such as Procter & Gamble and Accenture to trade down as low as a penny or as high as $100,000.
“It was a very frightening day,” said Mary Schapiro, then chairman of the U.S. Securities and Exchange Commission (SEC). “I spent a lot of time on the phone with the exchanges and with companies that had seen their stock prices go from $45 to five cents, and then back up again.” Initially a cyber attack was suspected, then a fat-finger trade. But the cascading meltdown was triggered by a problematic algorithm in the futures market that jumped to the equity market because of the tight linkage between those two markets.
“One of the ironies for me was the SEC’s lack of data to unravel what was happening,” said Schapiro. “We crashed our computers repeatedly trying to analyze the data, trying to understand on a nanosecond-by-nanosecond basis what had taken place that day. Events such as this have a serious impact on investor confidence in the integrity of the financial markets.”
Could it happen again? It’s possible but less likely. The Flash Crash sparked a number of regulatory changes such as more rigorous algorithm stress testing and trading curbs, also called circuit breakers, that temporarily halt trading on stocks that rise or fall too sharply in a five-minute period. It’s a start, but there’s more work to be done, Schapiro said. “There is broad discomfort about the resiliency of our market infrastructure. It’s not as good as it should be, but it’s better than people fear.”
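The single-stock curb described above can be modelled as a rolling five-minute window check. This is an added example, not code from the article, the SEC or any exchange; the article gives the five-minute window but no percentage, so the 10% threshold, the halt lasting one window, and comparing against the oldest price still in the window are assumptions, and the tick series is constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Illustrative parameters: the article names a five-minute window but no
# percentage, so the 10% threshold and the five-minute halt are assumptions.
WINDOW = timedelta(minutes=5)
THRESHOLD = 0.10


class SingleStockCurb:
    """Rolling-window trading curb for one symbol (simplified model)."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = deque()       # (timestamp, price) pairs inside the window
        self.halted_until = None    # end of the current halt, if any

    def on_trade(self, ts, price):
        """Return True if trading is halted at this tick, else record it."""
        if self.halted_until is not None and ts < self.halted_until:
            return True             # still inside an earlier halt
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()   # expire ticks older than the window
        if self.recent:
            ref = self.recent[0][1]  # oldest price still in the window
            if abs(price - ref) / ref >= self.threshold:
                self.halted_until = ts + self.window
                self.recent.clear()  # resume later from a fresh reference
                return True
        self.recent.append((ts, price))
        return False


def replay(ticks, curb=None):
    """Feed (timestamp, price) ticks through a curb; return the halted flags."""
    curb = curb or SingleStockCurb()
    return [curb.on_trade(ts, price) for ts, price in ticks]


# Constructed tick series (not real market data): an orderly drift, then a
# sharp drop toward the penny prints the article describes, then recovery.
T0 = datetime(2010, 5, 6, 14, 40)
SAMPLE_TICKS = [
    (T0, 45.00),
    (T0 + timedelta(minutes=1), 44.80),
    (T0 + timedelta(minutes=2), 44.50),
    (T0 + timedelta(minutes=3), 40.00),   # 11% below the window's oldest print
    (T0 + timedelta(minutes=5), 0.05),    # would print during the halt
    (T0 + timedelta(minutes=9), 44.90),   # halt over; fresh reference price
]
```

Running `replay(SAMPLE_TICKS)` flags the fourth tick as the trip, rejects the penny print during the halt, and lets trading resume once the window has passed.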
The regulatory pendulum swings
“Leading into the financial crisis, deregulation was the theme of the moment,” said Schapiro. “Enormous complexity and opacity grew in our financial system, from products to trading strategies to even the structure of our financial institutions. Regulators had become complacent and quite honestly had bought into theories like, ‘No one running a bank would ever take franchise-threatening risk’ or ‘We have never had a nationwide decline in housing prices, so of course we never will.’ Not surprisingly, a financial crisis did swing the pendulum back, and now there’s an enormous effort to solidify regulation to rein in risky behavior and to hold accountable those who skate close to the line or cross the line. … The pendulum is not going to swing back again for a very long time.”
Disclosure is a big theme in the regulatory community these days. Under what circumstances should companies be required to report cyber attacks and data breaches? On the one hand, investors deserve to know about data vulnerabilities and breaches, as with any business risk. On the other hand, some fear that disclosure could cause a “run on the bank” problem or provide a roadmap for the next generation of hackers.
“Investors’ risk should relate to their decisions regarding the companies they choose to invest in. Their risk should never come from the failure of the market infrastructure to provide a marketplace that has integrity in the trading process.” (US Securities and Exchange Commission)
That’s not too far-fetched. “We have the ability to hack into remote systems, get them spinning and break them,” said Howard Schmidt, Former White House Cyber Security Coordinator for President Barack Obama and Cyber Adviser for President George W. Bush. “People have reverse-engineered it and modified it to work on all kinds of systems, particularly digital control systems. You have to be really careful what you’re putting out there, because it’s going to come back at you.” It can be ridiculously easy. In 2010, insurgents in Iraq and Afghanistan intercepted live video feeds from US drones by using off-the-shelf software available for less than $26.
“You will be hacked.”
According to an October 20 article in USA Today, hackers have stolen more than 500 million financial records in the past 12 months. “We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” said Robert Anderson, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch.
“Headlines such as this notwithstanding, the system still works,” said Schmidt. “Yesterday I did a bank transfer from my mobile, downloaded my boarding pass for the airplane, booked hotel rooms for myself and family members – and it all worked.”
Many breaches result from people failing to take common-sense precautions. Don’t click on that email allegedly from the IRS; it’s a fake. Keep your Internet browser and security software up to date. Reserve one credit card for online transactions. We all know these things, but still about 10 to 15 percent of us will click on that notification from the fake IRS, said Schmidt.
There is encouraging progress from many angles, though. Software companies are collaborating to share best practices to reduce vulnerabilities in their code. Private sector organizations are organizing into ISACs – information sharing and analysis centers – to share insights about cyber issues they’re experiencing. Organizations with siloed security operations are bringing their security experts together. Academic centers of excellence are turning out hundreds of well-qualified cyber specialists a year. Digital certificates are providing more rigorous authentication than the traditional user ID and password.
New urgency in the boardroom
Regulators, government entities and consumers can only do so much. Boards and C-level executives must bear most of the responsibility for cyber security, which they often don’t understand well. “Talk to board members about cyber issues, and they’ll often say, ‘That’s an IT issue; let’s call the CIO and have him fix it,’” said Schmidt. “The board must do its due diligence in understanding the risks to the company’s ability to deliver for its customers and investors, and that means cyber has to be part of the discussion. It’s not just an IT issue, it’s part of the business process.”
“The board needs to know the company has an inventory of all its data, where it resides, how it’s being protected,” said Schapiro. “The board needs to know who is going to be accountable for monitoring and responding to cyber risks, and demand regular reporting on how problems in this area are being resolved.” Schapiro emphasized the critical need for a comprehensive incident response plan to enable rapid response to a cyber breach. “There’s really no reason now to be caught flat-footed; everybody knows a cyber attack is possible.”
Where is that attack going to come from, and what will it look like? Don’t fret too much over that until you have done all you can to build up your defenses, said Schmidt. “I don’t care whether the activity is coming from the Midwest or the Mideast – if it’s criminal hackers, nation states or just people who want to be disruptive – there are all kinds of threats out there, but these threats will be ineffective if you don’t have the vulnerabilities that allow them to execute.”