Is Cybersecurity the Most Critical Leg of the Capital Markets Risk Stool? 

An expanded technology footprint boosts the efficiency of the capital markets and highlights firms’ vulnerability to cyberattacks.

Understandings of risk in the capital markets are being reshaped. Financial metrics are now only part of the picture; risk is measured in terms of cybersecurity as well. In fact, a recent Datos Insights survey of 170 financial executives responsible for software and operations decisions found that cybersecurity ranks as a top priority for their firms. Equally pressing for capital markets participants is digital transformation, which can play a keystone role in fueling cyber risk (Figure 1).

Figure 1

Cybersecurity, understood in the capital markets as safeguarding access to client and enterprise communications and data, is the responsibility of all employees. However, CISOs, chief risk officers, and other top security professionals are charged with tackling cyber risk head-on. These historically back-office functions have assumed strategic importance given the brazenness of cybercriminals, the tools at their disposal, and the vast amount of money at stake. 

Prominent cyber risks include the loss of sensitive data through missing or inadequate multifactor authentication, the vulnerability of API ecosystems behind digital transformation, and weaknesses exposed through Software-as-a-Service-based (cloud) deployments. Third-party and fourth-party risks are challenging for financial services firms to manage. Datos Insights sees risks across all categories becoming amplified through the use of adversarial artificial intelligence tools by organized crime. 

In 2023, the number of data compromises in the financial services industry in the U.S. reached 744, up from 138 in 2020. Compromises included generalized data breaches and the exposure and leakage of private data. Losses per data breach, at an average of US$5.9 million, exceeded those for non-financial services organizations by 28%, per Statista. 

Recent Incidents in the Capital Markets 

Cybercriminals have increased their assaults on banking and trading operations over the past year. To date, capital markets participants have skirted disaster. 
ICBC

In November 2023, an attack claimed by the Russia-linked LockBit cybercrime gang breached the extensive cyber-defenses of Industrial & Commercial Bank of China Ltd (ICBC), disrupting trading in the US$26 billion U.S. Treasury market. BNY Mellon loaned ICBC, the world’s largest lender by assets, US$9 billion to stabilize the trading ecosystem. In the days following, market participants were extremely hesitant to trade with ICBC and to reconnect their computer networks to ICBC’s U.S. unit.

ION Group 

In February 2023, ION’s proprietary derivative trading software Fidessa was subject to a cyberattack that resulted in no trading losses but required major U.S. users, such as Citigroup, Bank of America, and Morgan Stanley, to scrutinize their trading and cybersecurity protocols.  
EquiLend

A February 2023 cyberattack on EquiLend, the securities lending marketplace and utility, disrupted important securities funding cycles, even though no financial losses occurred. EquiLend, partly owned by some of the biggest banks, is the primary platform for traders seeking to borrow shares, a key step in short bets or trades that benefit from falling prices.

Regulatory Actions Addressing Cyber Issues Across Capital Markets   

Regulators on both sides of the Atlantic demand transparency and prompt reporting of cyber-related incidents, aiming to safeguard firms and hem in systemic risk.  

The U.S.: Securities and Exchange Commission Campaigns 

The SEC continues to overhaul cybersecurity, cyber-incident reporting, and privacy controls for industry registrants, broker-dealers, asset managers, and hedge funds. In July 2023, the Commission adopted final rules that will require public companies to disclose cybersecurity incidents promptly and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance policies. New Rule 10, new Form SCIR, and related cybersecurity requirements for so-called market entities (such as broker-dealers, FINRA, exchanges, and clearing agencies) are being put in place to support the fair, orderly, and efficient operation of the U.S. securities markets.

EU and the U.K.: ESMA and EMIR Refit 

The European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, is shifting its Union Strategic Supervisory Priorities (USSPs) to focus on cyber risk and digital resilience alongside environmental, social, and corporate governance disclosures. 

The new USSP will come into force in 2025, at the same time as the Digital Operational Resilience Act. This timeline is intended to give sufficient runway to supervisors and firms in Member States to comply with new regulatory requirements. With this new priority, EU supervisors will put greater emphasis on reinforcing firms’ information and communications technology around cyber risk management through close monitoring and supervision. The aim is to keep pace with market and technological developments and track any attacks or disruptions and their contagion effects across firms and markets. 

Some of the world’s most sophisticated banking and trading entities have come under attack from cyber-criminals. Today, hackers and fraudsters are expanding efforts to breach existing defenses and identify new entry points.

Thwarting efforts in the early stages has become mission-critical for firms. As a first step, they need to reinforce the security of cloud-based applications and APIs while practicing better security hygiene in-house. In the long term, enterprises must elevate the roles of the CISO and chief risk officer in line with the strategic importance of their functions.