Cyber-crime is now a prime concern of business managers. Much of the focus has been on the risks of data theft and relatively petty crime, but, in reality, the growing risk of really major financial losses in the wholesale markets is even more worrying. There are currently 2,000 cyber-attacks a day worldwide and the estimated cost to business is around a staggering $460 billion per annum.
Cyber-crime may be the result of clever hackers or fraud in one or another institution. The securities services business looks after around a hundred trillion dollars of assets, the global funds industry has grown seven fold in the last two decades to seventy four trillion dollars and annual transaction throughput across the global securities industries is many multiples of those figures.
That is tempting for the global crime syndicates and they must be working on ways to divert or purloin some of this relatively unguarded wealth. So how could they most easily achieve this? The financial market is a world of interconnectivity, with portals and points of entry across infrastructure, clients, counterparties, data providers, regulators and governments. The financial world, within each entity, does not operate within a logical and structured IT architecture, but across multiple linked platforms with varying control processes, some aged and some modern. The industry is supported by large numbers of employees, ranging from long standing to temporary or agency workers.
And this environment creates a set of risks that were hardly known just a decade or so ago. An interconnected world is, by definition, a source of risk irrespective of the high quality technical, physical and structural security operated by all parties. The linked platforms across the global banks lead to multiple databases in a world that is still marked by poor static data, conflicting client data and different rules around issues such as pricing data or asset ownership; and all these reduce the efficiency of the structural security needed by preventing rapid and fast reconciliation of data to a single golden copy of each data element for each client. And employee turnover creates dependencies on short term contractors, especially in areas of technology specialisation, and this, in turn, creates opportunity for placement of people by fraudsters within the heart of the different organisations involved in the multiple processes at the core of our business.
For these reasons, I place a series of risks at the top of my most feared list which would have hardly featured there nearer the start of my career in the industry. The risks I would mention are internal fraud, conspiracy, data pillage and abuse and the perennial risks of defective operating procedures. I would foresee, from one of more of these risks, the potential, and almost inevitability, for a multi-billion dollar loss with the intermediary sector being most at risk. And the new rules around asset safety and supplier liability mean that such risks would need to be born financially by the injured party, most likely a bank, custodian, broker or administrator. And the worry is that the potential losses, if one considers the gross amount at risk, is likely to exceed the usual insurance cover, and perhaps even the capital bases, of many of the major houses.
Commercial companies all accept liability for internal fraud, and, to the best of my knowledge, do so without limit to their liability. That is not the case across all infrastructure and I have come across incidences where a CSD declines such liability or caps the maximum amount for which it could be held liable. But where is internal fraud most likely? Quite simply, as an example, in any entity where the standard dual control process is compromised by conspiracy between two empowered parties. In the past, and I recall T+10 and more settlement periods, the time to settlement made such action more difficult, as did the scale of market operations. But in today’s intraday, mega volume, multi instrument market, the risk is ever greater.
Data theft is not the greatest problem. Securities can basically be bought, sold, repo’d or pledged to create movement of value. Messages to move substantial sums in this way come electronically. The physical and technical security at each point of entry, and, in some cases, the insecure messaging means tolerated, create huge risks. I suspect that securities could be purloined with relative impunity for many suppliers do not undertake full effective daily reconciliations. Indeed, for several custodian to sub custodian relationships, monthly formal reconciliation is the norm.
Obviously we need to improve security across the board. Longer term the Block Chain security structure may be an answer to part of the problem, but that is unlikely to be applied within the next decade at the minimum. In the interim, a major effort should be made to reduce the simple risks of potential fraud, mainly at operating process level. First of all, the delinquent areas of technical linkage need to be reviewed by all parties and procedures adopted to minimise their risks. Some may be as simple as tightening up controls over passwords, improving exception processing of unusual transactions or introducing maximum lot sizes. Secondly, reconciliation processes need to be subject to material improvement. Reconciliation is not a standard back office process, it is a critical control and needs to be at a logical frequency, namely aligned to the speed of transactions. Thirdly, data networks must be made more secure and there is, perhaps, an opportunity for SWIFT, with its powerful security, to become more the intranet for firms as well as their peer to peer communication channel. Finally, and most importantly, liability structures need to be enhanced with all firms having total liability for fraud, outage or cyber-crime unless they make a reduced liability a clear condition of usage of their platform with their users. And those users, in turn, must accept liability for the risks they accept unless they can get the requisite waivers from their own clients.
Some politicians are talking of fining firms more for allowing cyber breaches. That is not the way forward. The law on liability should be strengthened and control processes enhanced. That will not eliminate risk, but it will improve the risk profile. Allowing poor controls and antiquated IT structures is not an option when the result could be the destruction of one’s entire business.