What’s the “Equation” for Operational Resilience?
The ION ransomware event that began at the end of January 2023 was an unprecedented occurrence for the global derivatives industry. While there were no cataclysmic outcomes such as bankruptcies or market crashes, the industry and its customers faced weeks of disruption and uncertainty as manual processes were required to keep the lights on and the wheels turning. It is hard to overstate how significant the event was: in many instances, statements and margin calculations fell days (or more) behind, leaving customers and firms flying blind and prompting some firms to refuse to do business with others, effectively blackballing them. In short, it was both a "close call" and a "wake-up call" for the global financial industry.
In response, the Futures Industry Association (FIA) assembled a task force in March 2023 to examine the ransomware event. Composed of “subject matter experts and business leaders of the exchange-traded and cleared derivatives industry, including members from exchanges, clearinghouses, clearing firms, vendors, and end users”, the task force worked diligently to dissect the ION affair and issued a report within six months, on September 28, 2023.
At first blush, the “FIA Task Force on Cyber Risk – After Action Report and Findings” appears short on details and long on recommendations for further study, new committees, better coordination, and the like. A closer reading, however, reveals that the FIA report is a solid indicator of both the present state and future climate when it comes to cyber risk and operational resilience.
The FIA report presents a six-part “equation” that focuses on communication, integration, coordination, information, standardization, and preparation:
- Communication: One immediate lesson from the ION ransomware event was the importance of defined communication channels throughout the many tiers of responsibility and interest. Regulators, exchanges, clearing firms as well as third parties, including major cloud providers and other non-traditional vendors, need to have the ability to communicate in the event of any type of disruption.
- Integration: The connections between the trading and clearing functions are well established, but work is needed to broaden that reach to include other interested parties, including "sector-wide groups that specialize in cybersecurity and operational resilience across the financial services sector."
- Coordination: Solid communication and integration plans are essential first steps, but efforts need to go beyond initial crisis management to include the critical "what happens next" steps that get operations back online following a disruption. It is critically important to quickly "right the ship" in a crisis, but just as important to get back underway as soon as possible. In the case of the ION event, it took up to three weeks for some firms to fully come back online.
- Information: A disruption like the ION affair quickly reveals where there are gaps and breakdowns in the transmission and sharing of information. As discussed in our blog post, "Data is a Key Component for Enterprise Resilience", strong data policies are at the heart of operational resilience at the firm level, and the same holds true for the industry as a whole.
- Standardization: One way to improve resilience for a future episode is to learn from the most recent event and improve the questionnaires and other procedures used to assess resilience readiness. These standards should be continually evaluated and improved over time.
- Preparation: Introspection and assessment are all well and good, but they won't lead to improved results if the lessons learned aren't applied actively through thorough and continued preparedness testing. The industry is now fully aware of how important this is and should adopt an attitude of continual improvement when it comes to testing.
The Most Important Lesson from the ION Ransomware Event
For several years now, industry experts have warned that it was only a matter of time before a major cyber event affected financial markets, and the ION affair brought those warnings to life. The financial industry is ever more complicated and interconnected while, at the same time, cybercriminals are continually increasing both their activity and their sophistication. Every player in the financial services ecosystem must be aware of both current and future requirements for due diligence. At the end of the day, the FIA Task Force report is only the beginning, not the end, of this episode and its after-effects.
BornTec is a Chicago-based technology solutions firm that provides tools to support surveillance, risk, compliance, and regulatory reporting functions in financial markets. Contact us for a demo of our data resilience solutions.