The Walls Really Do Have Ears

This is, in no small part, due to the fact that the bad guys are so varied. Criminal gangs use cyberattacks to siphon and extort money from the populace, the digital equivalent of a knife-point mugging in a New York alleyway. Meanwhile the more advanced, organized elements have figured out ways to infiltrate the world’s payment systems, and nation states are linked with attacks that have brought down hospitals, nuclear bunkers and infrastructure.

Recently, I was sat behind two very senior, very experienced cybersecurity specialists—one who had spent his career in government, one in finance—waiting for a conference panel to start.

“People just want a problem to solve, especially in finance, and it’s hard to tell them that this is not a problem that can be just solved,” said one to the other. “Especially when it comes to nation states, when you have 40,000 people sitting on keyboards against you. No private-sector entity can stop a state-sponsored hack.”

Most conversations with cybersecurity specialists tend to come back to this central point, which is that you simply can’t avoid cyberattacks, and that they are going to happen at some point. Preventative measures are important, but it’s almost impossible to guard against every threat vector. Likening it to close protection of public figures, a former Federal Bureau of Investigation cyber agent once told me: “If somebody wants to shoot the US president, they will. The difference is that they’re going to get shot, too, but you can’t stop a fanatic.”

Then it becomes an issue of getting in the way of the bullet, so to speak, and minimising the damage.

The problem with cybersecurity these days is that there may not be a Lee Harvey Oswald sitting in a sixth-floor window, waiting to take his shot. Rather, the threat sits on USB sticks and fitness bands, in kitchens and even in the very plumbing of a building. Bring your own device used to make information security officers think that employees were carrying ticking bombs in their pockets, via their BlackBerrys and iPhones. Now they’re putting them on their desks through the Internet of Things (IoT).

Waters reporter Emilia David has a fascinating feature on IoT and cybersecurity coming out next week, so keep your eyes peeled for that. But with the latest rash of attacks through WannaCry affecting hospitals, and most recently, car plants, there is a general sense of unease that a sophisticated attack might infect exchanges, brokers or—heavens forbid—clearing houses and spread like wildfire through the financial system.

As such, serious questions might need to be asked about what’s being brought into a firm’s systems, and how those threats can be mitigated. Quantifying the benefits of this is important. Cyber risk has been creeping towards the top of the business agenda for a while, but there is still a sense among many firms I speak to that it’s a hard sell. Why spend millions on cyber defense when it’s not going to generate returns on that investment?

Finding a way to measure that benefit in dollars and cents, before the true cost of a cyberattack hits home, would seem to be a key challenge.

This week on Buy-Side Technology:

• Phones, excel spreadsheets and cut-and-paste axe lists transmitted through Bloomberg messages. No, we’re not back in the Nineties, we’re talking about the European credit repo market, which at least one industry group thinks is ripe for technology to come and do its thing. Oddly enough, though, it kinds of works as it is.
• The Markets in Financial Instruments Directive (Mifid II) continues to extend its reach across trading firms, and Eze Software Group is the latest to lay claim to solving the unbundling crisis through the launch of its new platform. This one’s in the cloud.
• If you think cyber risk is scary, wait until you hear about artificial intelligence. Alright, drone-camera footage of mall parking lots isn’t the stuff of nightmares, but Anthony Malakian has a nice piece here on how machine learning and similar techniques may be a new arms race among the more technologically minded shops.
• Meanwhile, IHS Markit and Deloitte have partnered for… wait for it… Mifid II. This one’s around client communications.
• Startup Quantave also wants to put some good old-fashioned regulatory wrappers around the Wild West of the digital currencies market, given the problematic scenario at present where exchanges tend to be venues, custodians and often brokers in one. I’m actually keen to speak further on the topic of digital currencies becoming an institutional-grade asset class, so if anyone has any thoughts, get in touch. You can shoot me an email on james.rundle@incisivemedia.com or call me on 646-490-3974.