Cybersecurity Goes by the Boards
Wall Street is discussing putting the proper policies and procedures in place to meet the fast approaching first deadline for the New York State Department of Financial Service’s new cybersecurity mandate.
However, there are a few gaps in the conversations, Joanna Fields, co-founder and CEO of Aplomb Strategies, told Markets Media.
“Cybersecurity” is a vague term, which has a different meaning depending on who is speaking, she explained. Technologists tend to discuss breaches while general counsels discuss the setting of proper risk levels and reporting.
Fields sees the greatest disconnects between the business and its board of directors. She estimates that only 12-14% of boards have someone who has experience with technology, much less cyber security.
“If you look at the boards of the 25 SROs and 40 ATSes, they usually are comprised of industry insiders who have experience in market structure and possibly trading,” Fields explained. “Who you do not see are CISOs,” or chief information security officers.
The dearth of knowledge only complicates a firm’s development of proper cyber security policies and procedures.
“The wallet size for cybersecurity investing has never been larger,” said Fields. “But how can a company make sound, strategic investments when their boards have such little experience with cybersecurity?”
Fields also sees organizations paying far more attention to messages entering their firewalls than those messages leaving their firewalls. “In terms of order routing, a lot more client information than you may expect is embedded in an order message,” she noted.
Although broker-dealers have market access controls in place to address erroneous trades, they are not the same as cybersecurity on egress, she added.
As more firms adopt technologies like microwave-based networking, understanding a technologies limitations as well as its strengths is critical. “Due to latency concerns, there is virtually nothing to prevent access to a microwave tower,” said Fields. “And that message traffic goes right into the exchange.”
Many organizations worry that market data would be a potential point of access for hackers and cyber criminals.
The larger market data providers have strong cyber security policies and procedures in place, but some small providers do not have the same deep pockets to fund their cybersecurity initiatives.
Even if firms have their cybersecurity policies and procedures in place, they have to be able to execute against them.
Fields recalls one business that developed its procedures and kept them online. When the cyber attack happened, the business shut down the affected systems and the employees could not access the electronic documents to know whom to call and what to file by when, she said.
Remote working has increased the attack surface for cyber criminals.
DTCC prescribes a systems-based approach to recovery, intra-firm collaboration, and regulatory coordination.
Exchanges and CCPs have successfully moved to operate remotely.
Financial infrastructures, Europol and the European Union Agency for Cybersecurity will share information.
There is also a material increase in concern over cyber-risk.