Derivatives traders tend to watch the US Commodity Futures Trading Commission closely on a Friday. This is the day the CFTC normally releases its weekly “commitments of traders” report showing overall positioning in derivatives markets, such as oil futures.
This month, however, the data has been missing in action because a small, publicity-shy data group called Ion Markets — headquartered in Dublin but used by dozens of American and European players — suffered a ransomware attack on January 31.
Todd Conklin, US Treasury deputy assistant secretary, scrambled to reassure investors by stressing that “the issue is currently isolated to a small number of smaller and midsize firms and does not pose a systemic risk to the financial sector”. Phew.
However, the attack forced Ion’s customers to use old-fashioned paper ledgers for a period, making it impossible for the CFTC to collate the sequential positioning data. Some traders tell me this might have had ripple effects on prices.
And since the report seems unlikely to reappear soon, this incident is a wake-up call that investors cannot afford to ignore. For what it shows is that the financial sector has quietly slid in recent years into a state of high dependence on third-party tech vendors, both big and small.
This “creates a major source of [new] risk”, as Rostin Behnam, CFTC chair notes. That is partly because these entities are only lightly supervised (at best), since they fall outside the remit of financial regulators. The vendors’ own customers also have patchy visibility of their operations. (One shocking twist in the Ion saga is that the company has offered no public updates on events, aside from a terse initial statement).
The other issue is that malicious attacks on western financial and business infrastructure are accelerating, both from hostile governments such as Russia and criminal gangs. “A 2022 survey of 130 global financial institutions found that 74 per cent experienced at least one ransomware attack over the past year,” says Christy Goldsmith Romero, a CFTC commissioner.
Moreover, these attacks have become so sophisticated that the Department of Justice now talks about the emergence of Ransomware as a Service (RaaS), she notes, (a wry pun on the well-known investment term Software as a Service, or SaaS).
Is there any solution? Regulators and financiers are furtively tossing ideas around. The CFTC says it plans to create a “cyber-resilience framework for brokers and dealers”, with rules requiring them to monitor their tech vendors. This echoes the Digital Operational Resilience Act recently adopted by the European parliament, which also makes financial groups accountable for the security of tech vendors they use.
But these reforms still seem far too modest to resolve the problem. One reason is that the border-hopping antics of tech vendors such as Ion can easily slip between the cracks of national regulators, without better co-ordination. In any case, it does not seem either feasible, or fair, to expect financial companies to police these tech vendors themselves.
So some observers are now considering more radical ideas. One, floated last year by Brett Goldstein, a former cyber security expert at the Pentagon, is that the government should restrict companies’ choices around vendors to a preapproved list. After all, he notes, a hack to core financial infrastructure would be a national security issue.
However, this heavy-handed state control would be wildly controversial in a country such as America, since it seems to contradict corporate governance principles and the cult of market innovation. So another, more realistic, route would be to expand the regulatory perimeter — and ask financial regulators to scrutinise tech vendors and other digital companies themselves.
As it happens, some central bankers are already pushing for this because big tech groups such as Apple are starting to offer financial services. Another impetus is that banks, brokers and asset managers are becoming heavily reliant on a tiny collection of Big Tech entities, such as Microsoft and Amazon, for cloud computing.
As Michael Hsu, acting Comptroller of the Currency, notes, there are “single points of failure” (Spof) risks in which the loss of one node hits the entire system, similar to the type of supply-chain problems that erupted during the Covid-19 pandemic.
And what is so alarming about the Ion saga is that it shows that the Spof problem is not limited to Big Tech alone. “Without a doubt, a regulatory rethink is warranted,” as Agustín Carstens, head of the Bank for International Settlements, argues.
I strongly agree. But even if you think that Carstens’ plea is correct, the unpalatable reality is that this is unlikely to be implemented soon. For one thing, tech companies are likely to fiercely resist new oversight; for another, it is unclear whether financial regulators could even build the proper capabilities to monitor software groups — if politicians let them. There is a vast skills and culture gap.
So the unnerving reality is that there will not be a quick fix for the problems. Or not unless politicians, financiers, investors and regulators both strengthen their defences and push for reform. Without this, the next attack could do far more lasting damage than Ion. That is a scary thought.