What can the ION Markets ransomware attack teach the industry about cyber-threats?

When ION Markets was hit by a ransomware attack last week, it reverberated across the trading landscape and disrupted derivatives trading.

Many UK, European and U.S. firms were forced to revert to manual settlement processes. While ION was clear to communicate that the incident was contained, it was just the latest example of cyber criminals targeting vendors serving the critical financial services sector – and the widespread impact this kind of attack can have on the broader market. The attack was allegedly the work of the LockBit ransomware group, which devised an attack on the UK’s Royal Mail, causing severe delays and disturbance to mail deliveries. Other recent ransomware breaches include the early February attack on thousands of global servers in Canada, Finland, France, Italy and the US.

Disruptions such as these, and the Microsoft 365 outage earlier in January, show that the industry still has work to do when it comes to implementing robust safeguards and securing company-wide commitments to resilience that empowers firms to be agile and nimble in handling unexpected snags.

Too often firms place the burden of cybersecurity on their third parties, but attacks like this demonstrate that cyber risk is not transferable. It’s crucial that firms not only perform vendor due diligence when retaining the services of a partner, but continuously perform robust risk and impact assessments when outsourcing such critical business functions to ensure that they can continue to operate through these disruptions.

What else should the industry be doing to help fend off such attacks? There should be more focus on the need for holistic cybersecurity and Operational Resilience (OR) programs that can ensure firms can deliver on customer promises while protecting themselves and their clients from breaches.

These types of programs should include a Business Continuity Plan (BCP), which ensures operations can continue as close to normal as possible in the event of an attack and an Incident Response Plan (IRP) that comprehensively covers key contacts and escalation criteria. They should also include incident tabletop exercises, which prepares key internal stakeholders through the process of dealing with a simulated incident scenario.

Once a holistic cybersecurity and operational resilience program is implemented, firms can pinpoint and understand the risks a particular service outage may cause. This helps them prioritize resilient or redundant alternatives to ensure standard processes and functions can operate as usual. For ION, this meant many top banks taking themselves offline and having staff process trades directly with the exchange.

This holistic program execution can be even more critical in the financial services sector, which is often thought of as lucrative “big money” for such attackers due to the access to huge amount of funds and sensitive data.