As an integral part of the securities industry, CSDs have so far escaped systemic or devastating cyber-attacks, but their good fortune cannot last, precisely because they are systemically important institutions. Protection requires money, talent and especially perseverance. For CSDs daunted by the resources required, SWIFT offers a useful guide to action, and a forum for sharing information about cyber-threats and cyber-attacks. But the biggest threat may lie inside rather than outside the CSDs. These and other thoughts are prompted by a conversation with Alain Raes, chief executive of SWIFT in EMEA and Asia Pacific, about cyber-risks and the securities industry.
A discomfiting mystery of the ever-evolving universe of cyber-crime is that the securities industry has so far escaped relatively unscathed. Alain Raes, chief executive, EMEA and Asia Pacific, at SWIFT, believes this owes much to the fact that cyber-attackers have so far been busy elsewhere. After all, counterparties in the securities industry transact in and safekeep financial assets of high value. They deliver large sums of cash against deliveries of securities. They are, or are likely to become, tempting targets for cyber-attackers.
Raes says that the securities industry enjoys the protection of being intrinsically more difficult to attack than the cash payments industry. “Taking money out of the channels of the payments industry is easier to do than attacking the securities industry,” he says. “You can steal securities, but it is much harder to turn them into cash quickly.” It follows that any cyber-attacker seeking immediate financial gain will find it easier to attempt a fraudulent payment than a fraudulent delivery of securities.
The securities industry cannot expect to escape cyber-attacks indefinitely
However, Raes believes that, given the value of the securities business, it is likely that cyber-criminals will at some point turn their attention to the sector. This is especially true given the progress the payments industry has made in strengthening its defences, and the experience cyber-attackers have gleaned from the payments industry will be relevant. This is because the obvious vulnerability in the securities industry, explains Raes, lies at the point where securities are delivered against payment, and especially in instances where they are delivered free of payment.
Raes adds that the complexity of the securities industry multiplies the points of vulnerability as well as providing protection against attack. The extended value chain of a typical securities transaction – identification of an investment opportunity in a stream of prices from a data vendor, instruction by an asset manager to an executing broker, execution on a trading venue, clearance through a central counterparty clearing house (CCP) intermediated by a clearing broker, settlement by delivery of securities to an account at a central securities depository (CSD) against a cash movement between accounts at the central bank, followed by delivery of trade details to a trade repository (TR) – has multiple break points a cyber-attacker can exploit.
In fact, the complexity of securities markets and the value exchanged between participants is already attracting cyber-attackers, using techniques peculiar to the securities industry. In January this year, for example, the United States Securities and Exchange Commission (SEC) brought charges against individuals who had made $4.1 million trading on non-public information hacked from its EDGAR system and a number of newswire services. Similarly, there is evidence that so-called “fake news” is already being disseminated to manipulate the price of securities.
Not every CSD can afford the technology or find the talent to protect itself
Raes says that there is no evidence that some types of market or institution are more vulnerable than others. However, there are some markets where the level of awareness of cyber-threats is lower, funding for technology projects may not be available, and where access to cyber-security talent and expertise is more difficult.
In these circumstances, it makes sense for CSDs, like other market infrastructures and financial institutions, to work with their counterparties to protect the entire eco-system. “This is why SWIFT launched its Customer Security Programme (CSP) in 2017 after fraudulent SWIFT instructions were used in the cyber-attack on the Bangladesh Bank in February 2016,” says Raes. “It provides the tools to help the community protect itself.”
The three pillars of the CSP aim to help SWIFT users secure their own systems (“Secure and protect”), deflect threats originating from counterparts (“Prevent and detect”) and encourage the sharing of information about cyber-threats and attacks (“Share and prepare”). More importantly, the CSP obliges every financial institution linked to the SWIFT network to attest annually to their compliance with a set of security controls. The security controls – 19 of which are mandatory and 10 of which are advisory – are set out in the latest version of the Customer Security Controls Framework (CSCF v2019).
CSDs were of course already subject to a set of cyber-security principles. In 2016 the Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO) published Guidance on cyber resilience for financial market infrastructures. The document identified five categories of risk (governance, identification, protection, detection, and response and recovery) and listed three risk mitigants (testing, situational awareness, and learning and evolving). But its advice was general rather than specific.
The SWIFT Customer Security Programme is a useful crash course in cyber-security
The value of the CSCF controls is that they are not only specific but also harmonise and distil into a single list the various cyber-security best practices and controls which have emerged in recent years. Their goal is to bring compliant institutions into line with the Payment Card Industry Data Security Standard (PCI-DSS), the International Organisation for Standardisation (ISO) cyber-security standard (ISO 27002) and the cyber-security framework developed by the National Institute of Standards and Technology (NIST).
Today, the 19 mandatory controls are the minimum every institution connected to the SWIFT network – banks, brokers, payments market infrastructures (PMIs) and corporates as well as CSDs – must implement. In fact, users are expected to attest to their degree of compliance with the controls. Although SWIFT does not publish lists of users that are compliant and non-compliant, it does share this information with the supervisors in every jurisdiction where it has users.
Given this and the wider regulatory pressure for market infrastructures and financial institutions to protect themselves and their customers from cyber-crime, there is a strong impetus for SWIFT users to engage with the CSP. While some investment is required in systems and processes, Raes says that many of the CSCF controls are about implementing straightforward cyber-hygiene and security. “Obviously, they require time and attention from the right people, but they are quite easy to implement,” he says. “It is not a massive investment.”
But it is a continuing investment, as Raes also points out. “What is most important about cyber-security is that it is done for the long term, and not as a one-off,” he explains. “One of the biggest risks we face is that people think the first implementation is enough, and they can move on to something else. Cyber-defence must be a permanent effort. It is not something you do once. It is something you must work on constantly to upgrade your defences and keep investigating new threats. Cyber-criminals will keep evolving the sophistication of their attacks. Financial institutions need to be permanently vigilant to stay ahead of them. Cyber-security is not a long journey. It is an endless one.”
Information-sharing is a crucial weapon in the cyber-security arms race
One way to make the journey less onerous, argues Raes, is information-sharing. The CSP advises SWIFT customers to share information “continuously” in order to defend the “community” against “future cyber-threats.” Raes urges CSDs to do exactly that – share information about cyber-threats and cyber-attacks not just with each other but with other financial institutions as well.
Raes knows some markets have found this easier than others – not all have established formal information-sharing bodies – and that trust takes time to develop. “When you are under attack it may seem logical not to talk about it, for reputational or operational reasons,” he says. “But you should do, because there is a lot others can learn about the nature of the attack, and the way you responded to it, so the industry as a whole is better protected. Our best defence as an industry is to defend the ecosystem as a whole.”
It helps that SWIFT is willing to intermediate the information-sharing. It has since May 2017 maintained an Information Sharing and Analysis Centre (ISAC), which makes available useful information the messaging co-operative has learned about cyber-threats from its own experience and that of its users. ISAC posts information about indicators that systems are compromised, malware samples, and descriptions of the modus operandi of cyber-attackers. ISAC is also free to all members of SWIFT, and to law enforcement agencies and manufacturers of cyber-security software.
“It is where members of the industry come together to share experience and best practice, and information about what has happened to them, so others are forewarned,” says Raes. “Using ISAC is a really important thing CSDs – indeed, all market infrastructures – can do to protect themselves, and make sure they remain in line with industry standards. Standards also evolve, so that too is an iterative and ongoing process. You just have to keep doing it.”
Certainly, SWIFT cannot be accused of having a Mission Accomplished mentality. In addition to the CSP (whose work is never done) and the ISAC (which evolves naturally as fresh information is shared), SWIFT is a constant presence at industry events, drawing attention to cyber-security risk. In the payments industry, it has even launched a Payment Control Service (PCS) to help financial institutions identify potentially fraudulent payments.
Nation-states are a bigger threat to CSDs than hacktivists or fraudsters
In the securities industry, SWIFT sponsored a paper published by the International Securities Services Association (ISSA). Called Cyber-security risk management in securities services, the paper reviews the full range of cyber-threats and cyber-attacks the securities industry faces, pinpoints where the industry is vulnerable, and explains how to build effective defences. “All players in the securities industry should read it,” says Raes. “It provides an excellent overview of the threats facing the securities industry and the kind of risk mitigation techniques they can implement.”
In a sense, reading it should be obligatory. Every CSD is part of a wider eco-system, which is ultimately only as strong as its weakest link. The operating platform of an individual CSD might be completely secure, but in the normal course of its business it is open to counterparts which are less secure.
But for CSDs in particular the paper contains an especially chilling message. It argues that the cyber-threats CSDs face are less likely to originate with hacktivists (whose agenda is usually political) or criminals (whose purpose is invariably financial gain). Instead, the paper predicts they will come from extremely patient, highly adaptable, sophisticated and well-funded organisations. They are usually acting on behalf of a nation-state, and their motive is not financial.
These organisations have the time and material to pose what cyber-security specialists call an “advanced persistent threat.” It is entirely possible that they already inhabit the systems of vulnerable CSDs undetected, where they are watching and learning, with the ambition of launching a customised attack to exploit the specific vulnerabilities of the CSD. Because they also share information with like-minded organisations, and are able to co-ordinate activities across national borders, the knowledge they gather from one CSD can be used to attack others.
The ISSA paper argues that the attention of these actors is almost bound to switch from cash markets to the securities industry, not because they want to steal money or securities but because they want to cause social and economic mayhem. In other words, the goals of State-directed cyber-attackers are strategic rather than financial. They want to make it impossible for a securities market to settle transactions, or maintain the integrity of an issue, or keep an up-to-date register of who owns what. These are effective ways to disrupt an economy and a society.
It is also much easier to effect than trying to steal cash or securities from a CSD. By preventing a CSD from settling transactions, or corrupting its data about past or impending transactions, a cyber-attacker can bring an entire securities market to a halt. The fact that CSDs make use of a relatively limited range of software packages, and maintain links with each other, means a successful attack on one CSD can also be replicated quite quickly.
Cyber-attacks can come from the inside as well as the outside
Raes says SWIFT does not comment on specific cyber-threat actors. Instead, he warns that the point of entry of any attacker is more likely to be internal than external. Experience shows that access can be obtained by means as simple as obtaining entry to a secure area under false pretences, reading a password on a Post-It note, or bribing an employee to click on a link or insert a USB stick into a server.
As the CSP states, the primary obligation of SWIFT customers is to protect their own environment, but their secondary obligation is to prevent and detect attacks originating from their counterparties. “Ultimately, cyber-security boils down to a single question: ‘How do you protect your point of entry to external networks?’” explains Raes. “You have to protect these connections not only from the outside world, but also the inside world. Most of the attacks financial institutions have suffered came from the inside.”
However, Raes does not share the concern in some quarters that CSDs are complacent about both internal and external cyber-threats. He thinks attitudes have changed in the last year, and that cyber-security is now a priority at the highest levels of management within the CSDs. He notes that chief information security officers (CISO) are getting the boardroom attention they need, and larger budgets to match.
Nor does Raes doubt that local regulators are reminding CSDs, as systemically important institutions, of their obligation to take the issue seriously. “I see a much higher level of awareness of cyber-security at the CSDs, and implementation of certain measures,” says Raes. “Is it perfect? No, of course not. There is a long way to go, but it is moving in the right direction. People understand that the battle is never over. It is never behind us. We can never move on. It is never a lasting success. We need to keep investing and keep exchanging information.”
CSD leaders certainly have no excuse for ignorance of the fact that they are tempting targets for strategically-minded cyber-attackers. Though commentators often allude to the fact that the Global Risks Landscape survey conducted by the World Economic Forum (WEF) has ranked cyber-attacks among the top five risks every year since 2014, an important detail is often missed. Nestling just behind cyber-attacks in the WEF list for the gravity of their impact on the world economy is the “breakdown of critical information infrastructure and networks.” CSDs undoubtedly fall into that category.
Tuesday 9 April 2019
Moderator: Marc Bayle de Jessé, Director general, market infrastructure and payments, European Central Bank (ECB)
Alain Raes, Chief executive, EMEA and Asia Pacific, SWIFT
Roi Shaposhnik, CEO, Goldnlinks
Krishna Srinivas, CTO, NSDL, India
The paper can be found here: https://issanet.org/e/pdf/2018-10_ISSA_Cyber_Risk_in_Securities_Services.pdf