FIA Cyber Taskforce Recommendations: Concrete plan of action or regurgitated recommendations?

The FIA Task Force on Cyber Risk's report has been lauded for addressing the critical issue of cybersecurity in the derivatives industry. But does it merely lean on existing programs and frameworks, or does it take an assertive, forward-thinking approach that would truly fortify the industry's cybersecurity measures?

The ransomware incident of January 2023 at a third-party service provider served as a giant wake-up call for the global derivatives industry. The disruption revealed the far-reaching impact a single breach can have and left the industry in turmoil for weeks. Firms reverted to manual processes, and vital operations were significantly delayed across the board. Restoring normal service was also hugely complicated, with some firms reportedly needing two weeks or more to recover. The disruption was felt particularly keenly because the exchange-traded derivatives markets are so highly interconnected: an outage at one provider propagated to every firm that depended on it. The attack emphasised the need to prioritise resilience and to focus on improving the recovery process.

In March 2023, the Futures Industry Association (FIA) responded by establishing a Cyber Risk Task Force. It comprised experts and leaders from across the industry, including exchanges, clearinghouses, clearing firms, end users and vendors. Its aim was to bolster the ability of the exchange-traded and cleared derivatives industry to withstand the disruptive effects of cyberattacks, to improve responses to future attacks, and to strengthen coordination and information sharing in support of operational resilience. After months of work, its report, titled "FIA Task Force on Cyber Risk – After Action Report and Findings", was released in September 2023.

General feedback on the set of recommendations has been somewhat mixed. Some have noted that "it seems light on specifics but heavy on suggestions for further investigation and collaboration". Others have found it significant because it "highlights the present state and future trajectory of cyber risk and operational resilience". The framework is built around six key elements: communication, integration, coordination, information, standardisation and preparation.

Firstly, effective communication channels were identified as pivotal to crisis management, along with a secure means of sharing information and coordinating responses. The task force accordingly recommended creating an "Industry Resilience Committee" to foster the development of such channels. Secondly, integration referred to the importance of connecting the exchange-traded and cleared derivatives industry with sector-wide groups that specialise in operational resilience. During future cyber incidents, these groups could serve as a trusted forum for sharing information; in the meantime, they would meet regularly to exchange threat intelligence and promote preparedness.

Thirdly, on coordination, the task force recommended that "market participants should review their policies and procedures for reconnection to impacted parties during and after a cyber incident". It suggested this could be achieved by drawing on existing guidance and frameworks and considering how they apply to the exchange-traded and cleared derivatives industry. Fourthly, on information, the task force encouraged market participants, service providers and market infrastructures to establish procedures for sharing critical data with their counterparties and clients in a timely manner.

Fifthly, on standardisation, the task force recommended that the industry become more efficient in assessing risks to operational resilience. It noted that it is already common practice for firms to send questionnaires to their third-party service providers; greater standardisation of those questionnaires would make the process more efficient for both sides. Finally, and as expected, the task force concluded that the derivatives industry should take part in regular cyber preparedness exercises, with direct participation by key stakeholders and indirect participation through the FIA. The recommendation also favoured leveraging existing exercise programs rather than creating a new one.

One of the most critical takeaways is that the derivatives industry is increasingly vulnerable to cyber threats, and the report has been lauded for addressing this issue as a whole. There have been arguments, though, that the recommendations fall short of providing actionable solutions and read more like a collection of broad suggestions. Is that what the industry needs? Or does it need a concrete plan of action with attainable, measurable outcomes? A lack of specific directives may hinder swift implementation and leave organisations uncertain about what is expected of them. The emphasis on collaboration and information sharing may have noble intentions, but a cynic could see it as shifting responsibility from individual organisations to the collective, potentially diluting accountability.

Only time will tell the real impact. The nature of this industry, a complex and interconnected ecosystem, makes it a compelling target for cybercriminals who are growing in both number and sophistication. That further underscores the need for due diligence and for the robust measures described in the report. There is still an opportunity, though, for the task force to go further and recommend specific initiatives and measures that read as assertive and forward-thinking rather than conservative. The FIA Task Force's report is hopefully the beginning of an ongoing journey, and a reminder that the financial industry must adapt to evolving requirements and stay vigilant in the face of future challenges.
