A cyber attack on EquiLend, the securities lending technology provider, this year which followed an attack on Ion Markets, a third-party provider of cleared derivatives services, in 2023 highlights why regulators have been focusing on operational resilience and cyber security.

EquiLend was formed by a group of 10 global financial institutions in 2001 to optimize efficiency in the securities finance industry by developing a standardized and centralized global platform for trading and post-trade services and went live in 2002. Since its founding, the company’s client base has grown to nearly 200 asset owners, agency lending banks, broker-dealers and hedge funds. On January 18 EquiLend announced that it was selling a majority stake to private equity firm Welsh, Carson, Anderson & Stowe (WCAS), and the deal is set to close in the second quarter of this year.

On 22 January EquiLend said in a statement that the firm had identified a technical issue that placed portions of its systems offline and identified a cyber security incident involving unauthorized access.

In an update on 25 January Equilend said it has continued working closely with third-party cybersecurity experts to restore its systems and that law enforcement has also been notified.

“While the investigation will take time, it has so far determined this incident was the result of ransomware,” added the statement.

EquiLend Spire components and the ECS Loan Market were not impacted by the ransomware incident and remain fully operational. However NGT,  the securities lending trading platform, post-trade solutions, data & analytics solutions and regtech solutions continue to be temporarily unavailable.

In 2023 there was also a ransomware attack on ION Markets, which resulted in delays in reporting data to the Commodity Futures Trading Commission and the regulator could not produce its weekly Commitments of Traders report.

Virginie O’Shea, founder of consultancy Firebrand Research, said in an email: “Geopolitical tensions are fuelling nation state investments into cyber-crime with a view toward maximum disruption – cybercriminals have realised that central vendor services and market infrastructures are the new big game targets to go after in this endeavour.”

Firebrand Research had said in its predictions for 2024 that geopolitical tensions dictate that cybercrime funding is likely to further increase which means more attacks, increased innovation and more risks for financial institutions.

Another prediction was that ransomware-as-a-service would continue to gain ground on the criminal mass market, combined with data theft. The report said large firms may be the focus of big game hunters but with mass availability, comes much more activity targeting firms of all sizes.

O’Shea added that cyber-attacks are on the rise across the capital markets sector. ESMA, the European Union financial regulator, said last year that financial services now accounts for 12% of all attacks, up from 4% in 2019.

“This is the reason why so many regulators are focusing on operational resilience and third party risk assessment – EU with DORA (Digital Operational Resilience Act), the CFTC and SEC both have proposed regulations and tweaks to existing regimes on the table,” she said.

New regulations

After the Ion incident, the CFTC proposed a new operational resilience framework at the end of 2023 for futures commission merchants, swap dealers, and major swap participants.

The CFTC said firms will need to establish, document, implement, and maintain an operational resilience framework reasonably designed to identify, monitor, manage, and assess risks relating to information and technology security, third-party relationships, and emergencies or other significant disruptions to normal business operations.

The framework would include three components – an information and technology security program, a third-party relationship program, and a business continuity and disaster recovery plan – supported by broad requirements relating to governance, training, testing, and record keeping. The proposed rule would also require certain notifications to the regulator, customers or counterparties, and also includes guidance relating to the management of risks stemming from third-party relationships.

The comment period closes on 2 March 2024.

The Financial Stability Board also published a toolkit last December to help regulators and market participants assess and monitor their mission-critical system providers.

O’Shea said the sentiment behind the new proposals is to increase transparency around vendor relationships as regulators do not want to be blind-sided by concentration risks that are only revealed after an attack is successful. However, it will take time to reduce these dependencies and there is also sometimes a lack of choice in providers.

“The way to reduce dependencies is to have multiple providers, which is costly and more complex from a management perspective,” she added. “There could also be much more standardisation across the industry to reduce the pain of switching providers – where things like standardised APIs come into play.”

DORA comes into force in January 2025, but will take months of preparation.

“Buy-side firms in particular may need to build in extra time to query information received from their outsourced service providers,” added Firebrand. “Regulators are prioritising operational resilience over many other areas, which means they are likely to come down hard on noncompliance to prove a point.”

DORA was published on 16 January 2023 and the Association for Financial Markets in Europe (AFME), which represents global investment banks, said the ambitious 12-month window until implementation is a particular concern.

James Kemp, managing director at AFME, said in a statement: “In particular, AFME is concerned that without a proportionate and phased approach to enforcement, the obligations on supplier contracts will cause major disruption.  The idea that banks can renegotiate all their third-party contracts within 12 months is unrealistic, especially when many of these contracts are group-wide global arrangements with providers who are themselves not based within the EU.”

AFME suggested applying the policy for information and communication technology (ICT) suppliers on a forward-looking basis to that banks should be permitted to prioritise their material contractors, rather than seeking to capture the whole supply chain in a single year.