Today we announced Cara - the virtual security expert for the automated cyber risk assessment and surveillance of electronic trading networks. It is a major milestone for Corvil. We started Cara as a result of a conversation with one of our customers on Wall St just over a year ago. He had just attended the Bloomberg conference where the then SEC chair, Mary Jo White, pronounced that cybersecurity was the biggest risk facing the financial system. White said SEC examiners were very pro-active about doing sweeps of broker-dealers and investment advisers to assess their defenses against a cyber attack.
In fact the SEC has listed cybersecurity inspections as one of its top priorities for 2017. "We can't do enough in this sector," she said. All of this prompted our customer to state: “You know we do not monitor our trading infrastructure for cyber attacks. We assume we are ok because it is a private network and we don’t want to impact our execution performance. I am not sure this is a valid assumption any more. Clients are asking us what we are doing? Can you help us?”
It was clear from our deep-dive discussion that there were a number of challenges:
We built Cara to meet these needs. Full details on Cara’s capabilities and how it works can be found here.
Our first priority with Cara is to protect and provide early cyber threat warning for our existing customers who trust Corvil to watch over and monitor their electronic trading infrastructures. With Cara, we are moving our scope to include security surveillance and assurance. We see this as a natural extension of our product’s capabilities as we pursue our mission to safeguard business in the machine world. In this new world, the latest algorithmic and A.I. technologies are leveraged to gain business advantage. However, this is not without risk, and it can provide an even more inviting environment for the smart hacker to exploit inherent vulnerabilities.
We know that upcoming regulations from European and US lawmakers, e.g. MiFID II, mandate financial markets organizations to put in place appropriate cybersecurity policies and protections. Last week, during Berkshire Hathaway’s annual shareholder meeting, Warren Buffett went as far as to say that cyber attacks were a bigger threat to humanity than nuclear weapons. This problem is not getting smaller or going away anytime soon.
So, with all of that said, why do some people who are running trading infrastructures seem to believe there is little to no risk to worry about? The bottom line is that they believe they are safe. Why? First, trading infrastructures are typically run on private networks that are isolated from the general network. Second, there is the belief that if anything bad happens in terms of illegal trades, they can be cancelled and the effect nullified post-trade.
Both are weak assumptions in our experience. First, networks are never perfectly isolated or perfectly private. Anyone who is in the security business knows that “inside is the new outside”. In the recent Verizon report, 81% of breaches happened from the inside. Stolen or lost credentials are the typical cause. Early results from Cara have shown that people’s assumptions about the privacy of the trading network are false. We have found lots of user traffic and application traffic on these networks that was not supposed to be there.
In the book “Future Crimes” there is a great saying: “once connected, you are vulnerable”. By definition, trading networks are connected to multiple third parties. You are only as secure as the weakest link on that connected path. Not knowing, not looking and simply assuming you are safe because it is a private network is a weak assumption in today’s cyber world.
Second, we know that hackers with stolen credentials are capable of moving laterally within a trading organization and remaining undetected for weeks and months as they carefully exfiltrate sensitive data or sit dormant, ready for a future attack. The recent KCG incident is a good example of this. It is our strong belief that a cyber attack on global trading infrastructure is a major risk. It is not a matter of if, but when. We know these infrastructures well, and one does not have to stretch the imagination too far to see what could be done if one had the right stolen credentials.
This is why we have built Cara. A simple software upgrade with zero impact on execution performance. A cyber risk assessment report emailed each morning. We have tried our best to make this a no-brainer to add cyber assurance to the trading environment. It is time to shine the cybersecurity light on trading networks and secure them from within. It is better to know you are safe than to hope you are safe.