Article img

The Witching Hour - Financial Institutions and Cyber Security

  • Published by:

  • Topics:
    • Cyber
    • Emerging Risks
    • Financial Institutions
    • Risk Management
    • Topical Trends

An outage at a major bank or financial institution and the disruption it would cause is not that hard to imagine...

In the past couple of years TSB and the London Stock Exchange have suffered noteworthy outages. Beyond the obvious issues there could be even more severe consequences if confidence were to be shaken in the financial institution in question or the financial system itself.

Increasing attacks on banks

According to the Prudential Regulatory Authority, Financial Services companies saw data breaches rise fivefold between 2017 and 2018, rising from 25 to 145 in this period. Investment banks in particular saw the largest increase, climbing from just 3 in 2017 to 34 in 2018. However, their usually less glamourous cousins in the retail banking sector saw a larger relative increase going from a solitary event to 25 in the same period.

The FCA produced this helpful graphic highlighting the various causes of incidents at banks:





The FCA amended some of the definitions of the ‘Root causes’, so this is not a perfect comparison.

This can hardly be a surprise given that several UK retail banks had to limit or shut down their systems after sustaining significant cyber-attacks which were costly to remedy. Towards the end of last year, Tesco Bank were fined £16.4m following the theft of over £2m across 34 transactions.

However, it could be that this rise in incidents is not a genuine increase in the frequency of attacks, but an improvement in reporting. Companies are now obliged to notify such events under the General Data Protection Regulation (GDPR) which came in to effect during this period.

A CIO at one high-street bank has been quoted as saying that they are seeing an increase in threats across the whole spectrum of individuals all the way up to organised criminals and nation states. Another has cited the difficulty in protecting against them compared with more traditional threats faced by banks such as an economic downturn or a bank run.

The scale of this threat and the potential consequences of a major shutdown of a bank’s systems has prompted concern from Financial Services regulators, with focus ranging from macro-prudential stability to helping customers understand the reliability of their bank’s IT systems.

Potential scenarios

Bank run

As many financial bubbles and crises have proven over time, customer confidence is key. Company share prices, exchange rates and house prices all fluctuate based on the latest data and people’s confidence, or lack of, in the underlying asset.

To illustrate this point, witness the recent fluctuations of the cryptocurrency market: when exchanges have suffered hacks, people have not only deserted the exchange, but also dumped significant amounts of the affected cryptocurrency.

In terms of the banking system, the Bank of England considered such a scenario in a recent paper, which  concluded that in the right circumstances, cyber risk does have the potential to pose a systemic risk to the financial system. It considered either a large-scale single event or a significant series of smaller events could serve to undermine confidence in the financial services industry and lead to a run on banks.

The other point of vulnerability is that there is certain infrastructure which cannot be readily replaced e.g. payment and clearing systems and compromise of these assets would clearly pose a systemic issue.

Its overall view is that as technology dependency, increasing points of attack and a widening gap between ‘the technology environment we operate and our ability to understand and secure it’ prevents an increasingly large and complex attack to surface. Its opinion was that the proliferation of automation and artificial intelligence will only exacerbate the risk and make mitigation more difficult.

In June 2014 a bank in Bulgaria experienced a run following spurious e-mails and social media coverage questioning the bank’s financial stability. Likewise, in China several smaller banks suffered runs after rumours circulated on social media. It’s a scary thought that even gaining control of a bank’s social media accounts could be enough to trigger a crisis without the need for a direct attack on systems.

Stock markets

When the London Stock Exchange’s (LSE) FTSE 100 and FTSE 250 indices suffered an unexpected outage lasting just under 2 hours in mid-August 2019 it was an interesting insight in to what a cyber-related outage might look like. The LSE was forced to open nearly two hours after the usual 8am start of the trading day. Given the average daily trading volume on the LSE is valued at £4.4bn, it’s easy to see how even short interruptions like this can start to rack up significant losses quickly. However, during the outage the LSE were able to trade FTSE 100 shares on the CBOE, although by some estimates (Alasdair Haynes, CEO of Aquis Exhange) trading was significantly lower.

However, this is not the first time the LSE has suffered an outage. They suffered a catastrophic event, in September 2008, when they were hit by a seven hour outage during the peak of the financial crisis. This occurred in the week after Fannie Mae and Freddie Mac had been bailed out by the US government with trading volumes below half of other days in that (admittedly unusual) period. I imagine it would have been interesting to adjust the BI loss in that week!

Most recently amid the market gyrations brought on by the outbreak of Coronavirus stock-trading app Robinhood suffered two outages in a week on separate days which could have been potentially lucrative trading days when the S&P 500 Index increased by 4.6% on the Tuesday. It was revealed shortly after that this had been caused by ‘unprecedented’ trading activity on the platform.

‘Witching hour’ currency trades.

Those of you who have followed the financial press in recent months may already be familiar with concerns over so-called ‘witching hour’ trades. During low volumes of trading between the trading day in New York and Asia there can be some anomalous results. For example, the value of sterling dropped 10% in just over 40 seconds in October 2016 and the Australian Dollar traded at a 10-year low against the US dollar during this period. One cause that has been mooted, is that as more trading is done by algorithms, especially during quieter periods, experienced traders able to spot anomalous pricing and unusual levels of volatility are less able to intervene in these unusual situations. However, these same algorithms also pull out of trading during periods of spiking volatility that they have created, further exacerbating the problem. This seems like a tempting opportunity for a malicious actor to alter an algorithm to behave in a way that benefits their own market positions, potentially manipulating the market on a scale that would make even the LIBOR scandal look like a momentary blip.

In the wake of post-crisis regulation and several high-profile trading scandals, it would appear that regulators have put their faith in algorithms.  Algorithms don’t become rogue traders, or collude with each other to manipulate markets so this trend may be set to continue. While nobody is alleging unscrupulous behaviour as the cause of these fluctuations, it could be argued that human traders would be better placed to intervene when quirks of market dynamics create such volatility.