Mar 8, 2023

The Hack That Upended Derivatives Trading Spurs Calls for Action

Katherine Doherty and Isis Almeida, Bloomberg News

BERLIN, GERMANY - JANUARY 25: In this photo illustration a young man types on an illuminated computer keyboard typically favored by computer coders on January 25, 2021 in Berlin, Germany. 2020 saw a sharp rise in global cybercrime that was in part driven by the jump in online retailing that ensued during national lockdowns as governments sought to rein in the coronavirus pandemic. (Photo by Sean Gallup/Getty Images) Photographer: Sean Gallup/Getty Images Europe , Photographer: Sean Gallup/Getty Images Europe

(Bloomberg) -- A cyberattack that disrupted derivatives trading in January is prompting calls for more oversight to combat the risk of hacks across financial markets.

The top US derivatives regulator wants to update standards and monitoring systems that will help minimize the frequency and magnitude of hacks. The Commodity Futures Trading Commission is pushing for futures and swaps dealers to exercise more due diligence and oversight of the third-party service providers they work with, and requiring that they have a plan for responding to cyber incidents from the first day.

Derivatives shops, used to clearing hundreds of billions of dollars in trades every day, were forced to process trades manually after ION Trading UK — a little known company with technology that underpins the smooth functioning of markets — succumbed to a cyberattack earlier this year. While the company has rolled out new software for its clients, the ripple effects are still being felt.

“As our financial market infrastructure becomes increasingly dependent on digital technologies, it is of the utmost importance that individual firm cyber defenses keep pace with evolving threats,” Kristin Johnson, a commissioner for the CFTC, which oversees the US commodity futures and options market, said in remarks prepared for a meeting of the agency’s Market Risk Advisory Committee on Wednesday.

At the meeting, the Futures Industry Association announced its own cyber-risk task force, which will draw on its participants to recommend improvements to the safety of the derivatives market. The FIA’s efforts will focus on existing cyber protections and protocols, then take industry responses to develop best practices and safeguards around third-party providers.

“The unfortunate reality is that the risk of another cyberattack is real, and the goal of this task force is to improve upon our industry’s resilience globally,” FIA President and Chief Executive Officer Walt Lukken said in prepared remarks.

ION’s hack affected 42 of the company’s clients and has been attributed to Russian ransomware gang LockBit. More than a month after the hack, the agency is still catching up with delays in producing a key weekly report that provides market participants with insight into positions held by the likes of money managers, producers and consumers.

CFTC Chairman Rostin Behnam has already called for increased regulation following the attack. He added that the threats related to information security were “an important and increasingly urgent problem.”

On Wednesday, Behnam asked Congress to consider expanding the agency’s ability to directly regulate third-party services providers that are critical to market participants, according to prepared remarks for a Senate Agriculture Committee oversight hearing. Current rules prevent the CFTC from having direct oversight of third-party service providers such as Ion, he said.

Behnam added that he’s asked agency staff to make recommendations about how to address the potential risks such companies can pose to the firms it does regulate as part of a broader cybersecurity rulemaking.

ION’s system is used for clearing derivative trades around the world, particularly in the US, UK and Europe. The technology allows banks and broker-dealer clients to trade in a semi-automated manner.

The Financial Industry Regulatory Authority, the organization that oversees the broker-dealer community, is looking to expand “capabilities to interact with threat intelligence across the US government and other entities in this space,” to allow members to be “more proactive in their ability to assess those threats,” Greg Ruppert, executive vice president, member supervision at FINRA, said at the meeting.

CME Group Inc. said fewer than 20% of its clearing members were affected, according Chief Operating Officer Julie Holzrichter. The exchange worked with firms to recover data and extend deadlines for reporting requirements.

“We believe risks introduced through third parties can be managed,” Holzrichter said at Wednesday’s meeting.

--With assistance from Lydia Beyoud.

(Updates with additional comment starting in eighth paragraph.)