A modern-day horror story
20 February 2018
As regulatory demands for data sharing begin to mount, the securities lending industry is sleepwalking into a nightmare of cyber exposures—as one agent lender has already discovered
Image: Shutterstock
How much do you actually know about the cyber security system protecting your financial assets and highly-sensitive client data? Little to none, am I right? Today’s securities lending market is chock-a-block with technology providers and innovators offering increasingly extensive solutions to turn the industry into a purely digital and, recently, automated marketplace, for general collateral at least. At the same time, market regulators are busying themselves creating new acronyms that usually represent ever more technology requirements to create vast quantities of trading data on yourself and your counterparts. For securities financing market participants, the primary consequence of modern technology age is an infinitely bigger, faster, more efficient and, most importantly, interconnected marketplace than anyone has ever known. When the Wall Street couriers hung up their bicycle helmets for the last time in the late 1990s, the industry was also waving goodbye to a time when the average trader actually understood how data and assets were transferred and stored—and that’s a problem for everyone.
Gone are the days of a good-old-fashioned bank heist. Riding into town, pistols drawn, throwing a lasso round the bank’s safe and riding off into the sunset before the sheriff knows what’s happened. When banking went digital, the criminals followed. The modern day Bonnie and Clyde need nothing more than a laptop, a good wifi connection, and bit of IT know-how to have a crack at your most valuable assets.
Today, the majority of the world’s money is nothing more than blips on a screen, capable of being sent halfway around the world at the push of a button. The advent of the internet allowed the world’s financial markets to truly interact for first time, but it also offered cyber criminals the opportunity to access more money than their outlaw predecessors could have ever dreamed of. Worst of all, today’s cybercrime challenges do not simply involve protecting the cash in people’s accounts; the real prize is often the highly sensitive personal data that firms now store on their clients. This data can be used to access accounts and siphon off assets secretly or held to ransomed back to firms eager to avoid losing the public backlash that revelations of data loss always bring.
Unfortunately, the risks that such situations pose are far from purely theoretical, as one securities lending participant discovered last year.
Aditya Sood, security expert and author of Targeted Cyber Attacks at Elastica, was able to access highly-sensitive data from cloud-based data handling servers of securities lending firms without any security systems being activated.
“There’s a lot of stories in the media about cyber attacks and threats to cybersecurity but I wanted to see if some of these firms that were compromised actually had exposed systems on the internet that were available to anyone,” Sood explains.
“I came across a few hosted web systems on the Amazon Web Services (AWS), which is a cloud infrastructure, that were running data handling services connected to the credit bureau and including credit bureau-related data.”
“It was not clear if these systems explicitly belonged to credit bureau or some other third-party entity.”
Sood contacted credit bureau and confirmed the systems did not belong to it directly, meaning its data was being shared through third-party providers. Further research revealed that the system belonged to a Chicago-based securities lending firm that was inadvertently revealing internal data through its testing and verification processes.
“What was surprising in all of this was that they [the securities lending firm] were disclosing the complete data structure, and how it was being stored on the credit bureau’s internal database system.”
Sood was able to access the complete data structures from the exposed systems managed by the securities lending firm. The data dumps revealed how the credit bureau stored the highly sensitive customer information such as social security numbers, credit card numbers and salary information unencrypted and determine the systems were sub-par from robust security practices. Sood clarifies that no hacking skills were required to access the data. Sood simply knew what to look for and had the patients to sift through large quantities of raw information.
In the case of the US securities lending firm, Sood’s investigation revealed significant details of data shared between the exposed firm and a large Canadian bank it had been dealing with. Large quantities of the bank’s data that was sent to its counterparty was left open to view by anyone who was interested. He says bluntly: “If I can find it, attackers can find it.”
“The application programming interface’s were blatantly broken, with no security, and anyone on the internet could access the data from the exposed systems of the securities lending firms for example, and the real question is: who is responsible?”
Plugging the gaps
But surely Sood’s discovery is just a one-off case? How widespread could this exposed cyber network actually be? According to Matt Bernard, CEO of ENSO, most of the major and frequently used messaging services for securities lending transactions rest entirely on the cloud already. However, Bernard notes that rates, quantities and counterparts change so frequently that any type of potential risk from a hacker would need to go undetected for a long period of time before obtaining information.
“If you look at historical breaches, they tend to be from larger static data sets and not data that is updated daily. To protect against security breaches, information is encrypted as best practice and therefore protected at all times,” Bernard adds.
As well as unencrypted data transfers, securities lending firms are also guilty of improper system testing processes that once again leave high-value data open to anyone with internet access.
To test a system you create a replica of the same environment and test each and every control in a private environment to make sure it’s working well. The first thing Sood did was look into how the APIs were being used. There was no authentication, no authorisation or controlling systems because the two-way systems were not validating these controls and that means you’re simply using a basic data extraction application programming interface (API) that connects the two systems and dumps that data at the back of your system. This is very bad practice.
“Some of the securities lending firms we’ve now looked at will allow these systems to be exposed and that allows you to get a complete picture of how the data is structured in the internal databases of the credit bureaus’ systems.”
This highlights a potentially ruinous flaw in the cyber networks that increasingly dominate financial markets: any network is only as strong as its weakest link.
Sood warns that cyber attackers may be going after the credit bureaus but actually target small securities lending firms that work with credit bureaus and big banks to gain access to the data in an indirect way.
Commenting on the need to maintain a vigilant cyber defence, Bill Graves, chief technology and data officer at CIBC Mellon, said: “CIBC Mellon recognises the importance of protecting the information, systems and technology under its control. CIBC Mellon’s approach to information security is built on a detailed and synchronised programme that is updated and tested in order to support responses to an ever- changing risk landscape. Our program is designed to protect the confidentiality, integrity, and availability of the information under our control.”
“With the pace of change in the information security space, CIBC Mellon has adopted an approach of near-continuous strategy validation and updates. Inputs to strategy include business priorities, the evolving threat landscape, regulatory trends, technology developments and internal security posture assessment as informed by risk assessments, audit, compliance and regulatory gaps, incidents and benchmarking exercises.”
“CIBC Mellon and its parent companies monitor and assess the IT environment for potential vulnerabilities and threats on a regular basis, and invest in and implement protections as deemed necessary.”
Know your enemy
No one in the wider financial market is looking at securities lending as a major cyber security risk, but there is a chain reaction that can take place and all the players involved must be aware of the whole scenario.
Sood explains: “Nobody knows the whole system because it’s really complex, but if you connect the dots it’s really amazing and shocking. Why learn to exploit a system and achieve an advanced level of hacking when you can just get the same data the
easy way.”
When asked what more those that handle sensitive data of third parties could do, Sood says simply that compliance with today’s data protection regulations does not mean you’re safe from attack, or that you’re even hidden from basic snooping tactics.
Under the responsible disclosure guidelines, the security flaw was reported to the concerned parties and has been fixed as exposure to the vulnerable systems have been restricted.
The introduction of the General Data Protection Regulation (GDPR) across Europe in May will intensify cyber risk scrutiny further, bringing the prospect of more, and larger, fines for businesses who do not comply. “Compared to the US where privacy laws have been strict for decades and cyber security and privacy regulation is continuously evolving, firms in Europe now also have to prepare for tougher liabilities and notification requirements. Many businesses will quickly realise that privacy issues can create hard costs once the GDPR is fully implemented,” says AGCS’s global head of cyber, Emy Donavan.
“Past experience has shown that a company’s response to a cyber crisis, such as a breach, has a direct impact on the cost, as well as on a company’s reputation and market value. This will become even more the case under the GDPR.”
Where does the buck stop?
The Boston horror story is just one case study of what will come an increasingly important factor in effectively managing a lending programme. The good news is that most firms seem cognisant of the huge dangers that modern digital trading poses. The latest Allianz Risk Barometer, published in January, reinforced the point that cyber security was a top priority. Five years ago it ranked fifteenth. Today it’s second.
In its report on the survey, Allianz states: “Multiple threats such as data breaches, network liability, hacker attacks, ensure it is the top business risk in 11 surveyed countries and the Americas region and second in Europe and Asia Pacific. It also ranks as the most underestimated risk and the major long-term peril.”
“Recent events such as the WannaCry and Petya ransomware attacks brought significant financial losses to a large number of businesses. Others, such as the Mirai botnet, the largest-ever distributed denial of service attack on major internet platforms and services in Europe and North America, at the end of 2016, demonstrate the interconnectedness of risks and shared reliance on common internet infrastructure and service providers.”
Allianz Risk Barometer results show that awareness of the cyber threat is rising among small- and medium-sized businesses, with a significant jump from sixth to second for small companies and from third to first for medium-sized companies.
Sood’s opinion on the matter is clear and comes with a simple message: “Security is a shared responsibility. Any entity (or enterprise/organisation) that deals with sensitive customer data is required to follow defense-in-depth strategy to make sure data is secured from adversarial attacks. Not only the credit bureaus are expected to strengthen the security posture of their infrastructure but the securities lending firms have to deploy proactive measures to make sure data stays private
and secure.”
Gone are the days of a good-old-fashioned bank heist. Riding into town, pistols drawn, throwing a lasso round the bank’s safe and riding off into the sunset before the sheriff knows what’s happened. When banking went digital, the criminals followed. The modern day Bonnie and Clyde need nothing more than a laptop, a good wifi connection, and bit of IT know-how to have a crack at your most valuable assets.
Today, the majority of the world’s money is nothing more than blips on a screen, capable of being sent halfway around the world at the push of a button. The advent of the internet allowed the world’s financial markets to truly interact for first time, but it also offered cyber criminals the opportunity to access more money than their outlaw predecessors could have ever dreamed of. Worst of all, today’s cybercrime challenges do not simply involve protecting the cash in people’s accounts; the real prize is often the highly sensitive personal data that firms now store on their clients. This data can be used to access accounts and siphon off assets secretly or held to ransomed back to firms eager to avoid losing the public backlash that revelations of data loss always bring.
Unfortunately, the risks that such situations pose are far from purely theoretical, as one securities lending participant discovered last year.
Aditya Sood, security expert and author of Targeted Cyber Attacks at Elastica, was able to access highly-sensitive data from cloud-based data handling servers of securities lending firms without any security systems being activated.
“There’s a lot of stories in the media about cyber attacks and threats to cybersecurity but I wanted to see if some of these firms that were compromised actually had exposed systems on the internet that were available to anyone,” Sood explains.
“I came across a few hosted web systems on the Amazon Web Services (AWS), which is a cloud infrastructure, that were running data handling services connected to the credit bureau and including credit bureau-related data.”
“It was not clear if these systems explicitly belonged to credit bureau or some other third-party entity.”
Sood contacted credit bureau and confirmed the systems did not belong to it directly, meaning its data was being shared through third-party providers. Further research revealed that the system belonged to a Chicago-based securities lending firm that was inadvertently revealing internal data through its testing and verification processes.
“What was surprising in all of this was that they [the securities lending firm] were disclosing the complete data structure, and how it was being stored on the credit bureau’s internal database system.”
Sood was able to access the complete data structures from the exposed systems managed by the securities lending firm. The data dumps revealed how the credit bureau stored the highly sensitive customer information such as social security numbers, credit card numbers and salary information unencrypted and determine the systems were sub-par from robust security practices. Sood clarifies that no hacking skills were required to access the data. Sood simply knew what to look for and had the patients to sift through large quantities of raw information.
In the case of the US securities lending firm, Sood’s investigation revealed significant details of data shared between the exposed firm and a large Canadian bank it had been dealing with. Large quantities of the bank’s data that was sent to its counterparty was left open to view by anyone who was interested. He says bluntly: “If I can find it, attackers can find it.”
“The application programming interface’s were blatantly broken, with no security, and anyone on the internet could access the data from the exposed systems of the securities lending firms for example, and the real question is: who is responsible?”
Plugging the gaps
But surely Sood’s discovery is just a one-off case? How widespread could this exposed cyber network actually be? According to Matt Bernard, CEO of ENSO, most of the major and frequently used messaging services for securities lending transactions rest entirely on the cloud already. However, Bernard notes that rates, quantities and counterparts change so frequently that any type of potential risk from a hacker would need to go undetected for a long period of time before obtaining information.
“If you look at historical breaches, they tend to be from larger static data sets and not data that is updated daily. To protect against security breaches, information is encrypted as best practice and therefore protected at all times,” Bernard adds.
As well as unencrypted data transfers, securities lending firms are also guilty of improper system testing processes that once again leave high-value data open to anyone with internet access.
To test a system you create a replica of the same environment and test each and every control in a private environment to make sure it’s working well. The first thing Sood did was look into how the APIs were being used. There was no authentication, no authorisation or controlling systems because the two-way systems were not validating these controls and that means you’re simply using a basic data extraction application programming interface (API) that connects the two systems and dumps that data at the back of your system. This is very bad practice.
“Some of the securities lending firms we’ve now looked at will allow these systems to be exposed and that allows you to get a complete picture of how the data is structured in the internal databases of the credit bureaus’ systems.”
This highlights a potentially ruinous flaw in the cyber networks that increasingly dominate financial markets: any network is only as strong as its weakest link.
Sood warns that cyber attackers may be going after the credit bureaus but actually target small securities lending firms that work with credit bureaus and big banks to gain access to the data in an indirect way.
Commenting on the need to maintain a vigilant cyber defence, Bill Graves, chief technology and data officer at CIBC Mellon, said: “CIBC Mellon recognises the importance of protecting the information, systems and technology under its control. CIBC Mellon’s approach to information security is built on a detailed and synchronised programme that is updated and tested in order to support responses to an ever- changing risk landscape. Our program is designed to protect the confidentiality, integrity, and availability of the information under our control.”
“With the pace of change in the information security space, CIBC Mellon has adopted an approach of near-continuous strategy validation and updates. Inputs to strategy include business priorities, the evolving threat landscape, regulatory trends, technology developments and internal security posture assessment as informed by risk assessments, audit, compliance and regulatory gaps, incidents and benchmarking exercises.”
“CIBC Mellon and its parent companies monitor and assess the IT environment for potential vulnerabilities and threats on a regular basis, and invest in and implement protections as deemed necessary.”
Know your enemy
No one in the wider financial market is looking at securities lending as a major cyber security risk, but there is a chain reaction that can take place and all the players involved must be aware of the whole scenario.
Sood explains: “Nobody knows the whole system because it’s really complex, but if you connect the dots it’s really amazing and shocking. Why learn to exploit a system and achieve an advanced level of hacking when you can just get the same data the
easy way.”
When asked what more those that handle sensitive data of third parties could do, Sood says simply that compliance with today’s data protection regulations does not mean you’re safe from attack, or that you’re even hidden from basic snooping tactics.
Under the responsible disclosure guidelines, the security flaw was reported to the concerned parties and has been fixed as exposure to the vulnerable systems have been restricted.
The introduction of the General Data Protection Regulation (GDPR) across Europe in May will intensify cyber risk scrutiny further, bringing the prospect of more, and larger, fines for businesses who do not comply. “Compared to the US where privacy laws have been strict for decades and cyber security and privacy regulation is continuously evolving, firms in Europe now also have to prepare for tougher liabilities and notification requirements. Many businesses will quickly realise that privacy issues can create hard costs once the GDPR is fully implemented,” says AGCS’s global head of cyber, Emy Donavan.
“Past experience has shown that a company’s response to a cyber crisis, such as a breach, has a direct impact on the cost, as well as on a company’s reputation and market value. This will become even more the case under the GDPR.”
Where does the buck stop?
The Boston horror story is just one case study of what will come an increasingly important factor in effectively managing a lending programme. The good news is that most firms seem cognisant of the huge dangers that modern digital trading poses. The latest Allianz Risk Barometer, published in January, reinforced the point that cyber security was a top priority. Five years ago it ranked fifteenth. Today it’s second.
In its report on the survey, Allianz states: “Multiple threats such as data breaches, network liability, hacker attacks, ensure it is the top business risk in 11 surveyed countries and the Americas region and second in Europe and Asia Pacific. It also ranks as the most underestimated risk and the major long-term peril.”
“Recent events such as the WannaCry and Petya ransomware attacks brought significant financial losses to a large number of businesses. Others, such as the Mirai botnet, the largest-ever distributed denial of service attack on major internet platforms and services in Europe and North America, at the end of 2016, demonstrate the interconnectedness of risks and shared reliance on common internet infrastructure and service providers.”
Allianz Risk Barometer results show that awareness of the cyber threat is rising among small- and medium-sized businesses, with a significant jump from sixth to second for small companies and from third to first for medium-sized companies.
Sood’s opinion on the matter is clear and comes with a simple message: “Security is a shared responsibility. Any entity (or enterprise/organisation) that deals with sensitive customer data is required to follow defense-in-depth strategy to make sure data is secured from adversarial attacks. Not only the credit bureaus are expected to strengthen the security posture of their infrastructure but the securities lending firms have to deploy proactive measures to make sure data stays private
and secure.”
NO FEE, NO RISK
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Securities Finance Times
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Securities Finance Times
