Financial markets, now heavily dependent on technology, need to be safeguarded against cyberattacks, natural disasters and the more prosaic scourge of human error that can cause massive disruptions, according to experts and a federal panel.
In March 2012, a software error forced the equities exchange BATS to cancel its own initial public offering. Two months later, the IPO of Facebook was delayed when Nasdaq had trouble with its stock trading system. In August 2012, Knight Capital lost money when technology problems with trading software led the firm to submit unintended orders for New York Stock Exchange securities. Also last year, Superstorm Sandy led to a two-day closure of the NYSE and Nasdaq. And always looming is the threat of a cyberattack that could disrupt securities trading, erase financial records or even steal assets.
To combat these types of high-profile snafus of the past year, the Financial Stability Oversight Council’s 2013 annual report lays out suggestions for protecting markets and people’s money from technology failures.
“The extremely high speeds at which markets operate can compound the overall impact of even small operational failures,” Treasury Secretary Jacob Lew testified in May before the Senate Committee on Banking, Housing and Urban Affairs.
The Financial Stability Oversight Council’s report said the Securities and Exchange Commission, in conjunction with various market participants, is examining the relationship between the operational stability and integrity of the securities market and the ways in which market participants design, implement, and manage complex and interconnected trading technologies.
One called Regulation Systems Compliance and Integrity — or Regulation SCI — is aimed at making automated securities trading systems safer by requiring the many firms that are pieces of the financial market puzzle to meet standards for the security of their technology. But Dave Lauer, owner of Step Ahead Technologies Inc., is worried that Regulation SCI is riddled with loopholes because all but the largest private electronic trading platforms — called dark pools — are exempted.
“It doesn’t matter how much volume you are doing. If you’re connected to the national market system, you are a threat. Anything can come through you,” Lauer says.
Planning for disruption
To make securities trading more secure, the oversight council proposes:
- More testing exercises by those connected to the financial system, such as exchanges, clearinghouses, data repositories and the utilities that serve them.
- Contingency plans that can handle any stock market problem. Both staff and electronic systems need to be geographically dispersed so a disruption affecting a geographic area doesn’t shut down operations.
- A review of the protocols for deciding when to close markets because of problems.
- Better sharing of information between government and companies about cyberattacks, and senior management attention to the issue within firms. The report notes that a dozen financial institutions were hit with distributed denial of service attacks during the last four months of 2012.
Lauer says the cyberattack scenarios haven’t drawn enough attention from the financial industry because a high-profile attack hasn’t happened yet.
But the industry already is aware of the risks, says Thomas Price, managing director of the Technology, Operations and Business Continuity Group at the Securities Industry and Financial Markets Association, or SIFMA. “(The) frequency and intensity are increasing at a dramatic rate (in) the types of cyberattacks,” Price says.
In June, SIFMA ran a training exercise of a simulated cyberattack with as many as 60 participants, including exchanges, financial firms and utilities. SIFMA also does an annual disaster contingency exercise where firms run their securities trading systems from backup locations.
“There are lots of resources and personnel dedicated to mitigating these risks,” Price says.
But whether it’s a natural disaster, attack or human error such as bad software coding, no system will prevent all disasters, says Wallace Turbeville, a former investment banker and senior fellow at the think tank Demos in New York.
“Engineering, by definition, has a certain degree of failure. The real problem of those risks is how they can be compounded. So much trading is done by algorithms,” Turbeville says.
Automatic securities trading, in the absence of human intervention, means that when something happens, the problem can be replicated by market reaction. Turbeville says he’d like to see federal regulations that slow down order flow. But, he acknowledges, “You’re trying to put a genie back in a bottle.”
Former SEC Chairman Harvey Pitt says the Financial Stability Oversight Council’s report offers useful ideas, and Regulation SCI provides a start on operational risk problems. But, he says, the real answer to operational risk will come from companies working together on solutions and doing it because their livelihood depends on it, not because of government regulations. Knight Capital was a case study. It went from being the largest trader in U.S. equities before its software malfunction to being acquired after the scandal.
Lauer says the Superstorm Sandy market shutdowns show how whole markets can lose when disaster planning faces a disaster and loses. U.S. markets will lose out in the international competition for business if they aren’t seen as being stable, even in the face of disaster.
Firms need to run live trading from their backup sites more often to make sure they are ready to do it in a disaster. “To maintain our leadership position in the world, we need to be prepared,” Lauer says.
Pitt, now CEO of Kalorama Partners LLC in Washington, D.C., says so far companies are “reluctant to acknowledge they have real vulnerabilities. People haven’t asked the one crucial question: What can go wrong?”
In addition, figuring out how to eliminate those vulnerabilities is not always clear in a technological environment that is changing so fast. “The possibilities of what can go wrong are gargantuan, if not infinite,” Pitt says.
Financial service firms have a responsibility to constantly look at how they can better protect their securities trading systems. “People are deluding themselves that their systems are impervious or better than they are,” Pitt says.
Many experts agree on one thing: Reducing operational risks is crucial.
“The wealth of this country is tied up in our capital markets. If those markets are not secure … significant damage can be done,” Pitt says.