In the third of a three-part series exploring the key takeaways from the securities stream at Sibos 2019, panellists discuss the need for senior management to invest in better people, processes and technology to defend against cyber attackers.
Regulators have taken a number of steps to protect firms in the value chain from cyber-attacks and fraud. Even without the spur of enforcement actions, securities services firms need to invest in better defences against cyber-attack. An audience poll in one session at Sibos found that more than half of respondents were not confident in their own firm's cybersecurity.
“Half of us are not confident our own firm can survive a cyber attack,” noted Colin Parry, CEO of the International Securities Services Association (ISSA). “And that, to me, is more worrying than any other thing we expected to see.”
The same audience was even less confident about the preparedness of their counterparties, clients and suppliers. It was after identifying precisely this gap that ISSA published its Financial Crime Compliance Principles for Securities Custody and Settlement, to offer firms practical advice to protect themselves against compromised third parties.
The cybersecurity equivalent of herd immunity
Application of the principles promises the cyber equivalent of herd immunity. Extending financial-crime checks, including Know Your Customer (KYC), anti-money laundering (AML), sanctions screening and countering the financing of terrorism (CFT), to clients allows those clients to pass the benefits on to their own customers. As a result, firms can raise standards of cybersecurity and resilience throughout their networks, strengthening the industry as a whole.
Useful techniques include untangling close relationships between issuers and investors; scrutinising the types of securities used in unlawful transactions; and, above all, recognising that a jurisdiction with a reputation for money laundering is also likely to harbour cyber criminals.
“Where a correspondent is located in a jurisdiction which you would classify as high risk for AML, there is also a heightened risk that they are penetrated by cyber criminals whose aim it is to steal money,” explained Mark Gem. “Very often those groups are State-sponsored actors as well.”
Self-attestation regimes, in which firms vouch for the resilience of their own cybersecurity controls, such as the SWIFT Customer Security Programme (CSP) and a comparable scheme now being launched by the DTCC, spread best practice in the same way.
Other vulnerabilities in the securities services industry include high-value transfers on predictable timetables, which let an attacker time a fraudulent instruction; delivery of securities free of payment, where no cash leg has to be matched before assets move; the diversion of cash and securities through manipulation of standing settlement instructions (SSIs), so that a legitimate-looking settlement pays away to an attacker-controlled account; and omnibus accounts, which are operationally efficient but make it easier for bad actors to conceal their identities.
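Two of the weaknesses listed above, SSI manipulation and high-value free-of-payment deliveries, lend themselves to a simple pre-settlement control: compare each outgoing instruction against the SSI on file, look for a recent SSI change that conveniently matches the delivery account, and hold large free-of-payment deliveries for review. The check below is an added illustration, not code from the article or from any of the firms mentioned; the SSI book, change log, instruction format, thresholds and lookback window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample SSI book: counterparty -> delivery account currently on file.
SSI_BOOK = {
    "CPTY-A": "ACC-100",
    "CPTY-B": "ACC-200",
}

# Constructed SSI change log: (counterparty, old account, new account, date changed).
# CPTY-B's account was changed a few days before the settlement date used below.
SSI_CHANGES = [
    ("CPTY-B", "ACC-250", "ACC-200", date(2019, 9, 20)),
]


@dataclass
class Instruction:
    """One outgoing settlement instruction (constructed format, not a real message standard)."""
    ref: str
    counterparty: str
    delivery_account: str
    value: float            # cash or market value of the securities being delivered
    free_of_payment: bool   # True when securities move without a matching cash leg
    settle_date: date


def review_instruction(instr, ssi_book=SSI_BOOK, ssi_changes=SSI_CHANGES,
                       fop_threshold=1_000_000.0, lookback_days=7):
    """Return the list of reasons an instruction should be held for manual review.

    An empty list means the instruction passed every check. The thresholds are
    assumptions for illustration; a firm would tune them to its own risk appetite.
    """
    reasons = []

    # 1. Delivery account must match the SSI on file for that counterparty.
    expected = ssi_book.get(instr.counterparty)
    if expected is None:
        reasons.append("no SSI on file for counterparty")
    elif instr.delivery_account != expected:
        reasons.append(
            f"delivery account {instr.delivery_account} differs from SSI on file {expected}")

    # 2. A recent SSI change that produced exactly this delivery account is the
    #    classic pattern of a diverted settlement, so flag it even though check 1 passes.
    for cpty, _old, new, changed_on in ssi_changes:
        if cpty != instr.counterparty or new != instr.delivery_account:
            continue
        age = (instr.settle_date - changed_on).days
        if 0 <= age <= lookback_days:
            reasons.append(f"SSI changed to {new} only {age} day(s) before settlement")

    # 3. Large free-of-payment deliveries have no cash leg to reconcile against.
    if instr.free_of_payment and instr.value >= fop_threshold:
        reasons.append(f"free-of-payment delivery of {instr.value:,.0f} exceeds threshold")

    return reasons


def review_batch(instructions, **kwargs):
    """Map instruction reference -> reasons, keeping only instructions that need review."""
    held = {}
    for instr in instructions:
        reasons = review_instruction(instr, **kwargs)
        if reasons:
            held[instr.ref] = reasons
    return held


# Constructed sample batch for a single settlement date.
SAMPLE_BATCH = [
    Instruction("T1", "CPTY-A", "ACC-100", 250_000.0, False, date(2019, 9, 24)),  # clean
    Instruction("T2", "CPTY-A", "ACC-999", 250_000.0, False, date(2019, 9, 24)),  # wrong account
    Instruction("T3", "CPTY-B", "ACC-200", 5_000_000.0, True, date(2019, 9, 24)), # recent SSI change + large FoP
    Instruction("T4", "CPTY-C", "ACC-300", 10_000.0, False, date(2019, 9, 24)),   # unknown counterparty
]

if __name__ == "__main__":
    for ref, reasons in review_batch(SAMPLE_BATCH).items():
        print(ref, "->", "; ".join(reasons))
```

The second check is the one worth keeping even when the first passes: an attacker who has changed the SSI makes the fraudulent instruction look entirely consistent with the book, so the control has to consult the change history, not just the current record.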
Andy Smith, CRO for operations at BNY Mellon, warned that regulators might insist on the abolition of omnibus accounts unless customer due diligence is tightened. He thought effort should also be made to use technology to “look through” omnibus accounts to the true beneficiary on the other side.
Technology can help in other ways. Artificial intelligence (AI) and machine learning (ML), for example, can produce faster and better evidence of fraudulent transactions or price manipulation than rules-based techniques, which tend to generate unmanageable numbers of false positives.
“We can in fact detect unknown cases and scenarios that were previously unknown and remain undetected by the bank, and also previously unknown by the regulators,” said Cristina Solviany, CEO of AI specialist Features Analytics. “We can also reduce dramatically the cost by minimising the false alerts and by issuing only high-quality alerts.”
But new technologies, such as distributed ledger technology (DLT), can mitigate cybersecurity risks and also create them, by exposing new vulnerabilities that were not previously considered. “It's also opening up the door for information security,” said Vic Arulchandran, COO at Nivaura.
It is a true balancing act: firms, which retain liability for breaches, must ensure that their cybersecurity governance and controls evolve in line with changing technologies, said Tom Casteleyn, global head of custody at BNY Mellon.
This is unlikely to happen unless senior management takes direct responsibility for managing cybersecurity risk, and more is spent on defending securities operations against attack. “There is still more money being spent on small cash payments than potentially on large security movements and redemptions,” warned Colin Parry.
The industry must come together to ensure all clients, counterparties and suppliers in the value chain adhere to the highest standards of cybersecurity. By advocating for a community approach, firms can best protect themselves and the industry at large.