Ion Markets Hack Calls for Scrutiny of Fintech Providers’ Cyber ​​Risk Management

The Jan. 31 cyberattack on Ion Markets, a middle- and back-office software provider serving futures execution and clearing firms, prompted calls at a March 8 CFTC hearing for greater emphasis on cooperative responses to future attacks and for greater scrutiny of fintech companies ‘ cyber risk management. The attack disrupted some activity in the listed derivatives markets for over a month.

While I applaud the emphasis on cybersecurity, I think fintech companies need to follow all regulatory initiatives closely and weigh in on the debate if we feel it could lead to misguided new rules.

The outcome of investigations into the cause of the attack and the industry and vendor responses could have a significant impact on fintech companies’ regulatory costs and their relationships with their customers.

The CFTC does not currently have the authority to regulate third-party fintech providers like Ion. However, CFTC Chairman Rostin Behnam called for an oversight role for the Senate Agriculture Committee in his comments at a separate congressional hearing on CFTC oversight, also held on March 8.

The attack, allegedly the work of Russian ransomware group LockBit, affected 42 of Dublin-based Ion’s clients, requiring these futures market participants to resort to manual trade processing and spreadsheet-based margin calculation, and causing delays in reconciliation and reporting.

Ion said the system should be up and running again by March 9.

Systemic, Not Enterprise, Risks

Speaking at the CFTC’s first Market Risk Advisory Committee (MRAC) meeting of the year, Commissioner Kristin N. Johnson said the group should first ensure that cybersecurity is not seen as a business-only problem, but as a systemic problem that requires cooperation across potentially affected parties. market players.

FIA chief Walt Lukken said the market players actually cooperated effectively in response to the Ion attack. “We were quickly able to centralize information, dispel rumors and encourage calm, and share practical advice and experiences,” he said.

Nevertheless, the FIA ​​has formed a Cyber ​​Risk Taskforce to review the industry’s response to the Ion attack, and to evaluate existing rules and develop recommendations. It will provide a first report within the second quarter, Lukken said.

Fintech Vendor Oversight

Johnson also urged the MRAC to consider whether third-party providers such as Ion should be subject to greater oversight. “What are the contours of our regulation for third party service providers offering integrated operational services to registered market participants?” she asked. “Who determines whether these services comply with our system security regulations?”

Currently, the NFA compliance rules require regulated market participants to evaluate their suppliers’ cyber risk management policies as part of their due diligence. However, the NFA recognizes the obvious limit to this approach: “The NFA recognizes that a member’s ability to manage the security risks posed by third-party service providers may be limited by the information those service providers choose to provide to the member.”

Exchanges and their members are not keen to see regulation extended to fintech providers. CME Group Chief Operating Officer Julie Holzrichter said: “We believe risks introduced through third parties can be managed.” Less than 20 percent of CME clearing members were affected, she said, and the problems they faced were manageable with CME’s help.

Despite this, fintech companies selling into this space should keep a close eye on developments at MRAC and the Senate Ag Committee, and ensure that their cyber risk management is both robust and transparent to their customers.

NFA compliance rules are subject to change, so my advice to fintech firms selling into this space is to keep a close eye on developments at MRAC and the Senate Ag Committee, and ensure their cyber risk management is both robust and transparent to their customers.