Risk Perspective on ION Trading Technologies Ltd Cyber Attack
Updated: Nov 10
The Dublin-based ION Trading Technologies Ltd. suffered a major cyber-attack on 31 January. The firm builds software that automates the matching of both sides of a trade and the clearing of derivative transactions. The attack resulted in the firm taking its systems offline, and many financial institutions were forced to confirm trades manually.
The incident also showed that even banks and other financial companies with mature cybersecurity must assess how ready their business partners and third-party providers are to weather outages. This incident is a stark reminder that any organisation is only as strong as its weakest link.
The attack also demonstrated how the disruption of one piece of the global market's infrastructure could quickly gum up the gears. The disruption has rattled the global futures market, which has relied for many years on automated software produced by companies such as ION to process trades. Cyber specialists have identified such centralised service providers as core targets for cyber-criminals, who have been leveraging the ongoing digitalisation and centralisation of such services to generate widespread disruption and profits for themselves.
In this particular case, market participants rely on automated trading confirmation to process a derivative trade; no confirmation means no trading. As a result, brokers had to resort to manual methods of recording trades, which caused delays in trade matching, trade processing, and daily positioning reports. Such manual intervention could also lead to errors in trading instructions and to further operational risks and losses down the line. The outage has also affected regulators that relied on such automated infrastructure to monitor market activities.
To strengthen their cyber response, firms must:
- assess how ready business partners and third-party providers are to weather outages;
- assess the end-to-end cybersecurity readiness of tech companies that run the services, utilities, and software that keep the market humming;
- have strict standards governing operational risk;
- have incident and crisis response and backup plans in place;
- conduct regular vulnerability assessments and penetration tests to identify potential weaknesses in their systems and networks;
- educate their staff on social engineering tactics and system attack red flags; and
- patch vulnerabilities as soon as possible, back up their files, and deploy an Endpoint Detection and Response solution that includes 72-hour ransomware rollback and zero-day ransomware protection.
According to the Russian hacker group LockBit, which claimed responsibility for the cyber-attack on ION Trading Technologies Ltd., the alleged ransom has been paid and a decryption key provided to the firm, although it declined to give details. However, even with the decryption key, the firm plans to build new infrastructure for its derivatives platform rather than risk returning to the hacked systems. LockBit was also behind the recent attacks on Royal Mail and the Housing Authority of the City of Los Angeles (HACLA).
The self-spreading, automated ransomware gains access to a system through a compromised server or remote desktop account, encrypts the system so that it is unusable, and then issues a ransom demand.
The authorities take a dim view of cyber-attack ransoms being paid and could respond with financial penalties that match or exceed the ransoms themselves. For example,
"The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack. The cyber-attack took place in November 2016." Source – FCA Website
In July 2022, the UK's National Cyber Security Centre (NCSC) and Information Commissioner's Office (ICO) issued updated guidance stating that "Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data." The ICO has clarified that it will not treat payment of a ransom as a mitigating factor when considering the type or scale of enforcement action. The US Treasury's Office of Foreign Assets Control (OFAC) has also issued an updated advisory warning all ransomware victims that they could be subject to financial penalties if they pay foreign actors who are subject to US sanctions.
The recent attack on ION Trading Technologies highlights the importance of maintaining robust cybersecurity protocols to protect sensitive data and systems. Financial institutions and their business partners must work together to develop and implement a comprehensive cybersecurity program that incorporates all aspects of the business. By taking a proactive and end-to-end approach to cybersecurity, firms can reduce their risk of becoming a victim of a cyber-attack and minimise the impact if an attack occurs.
Don't hesitate to reach out if you would like to discuss your cyber posture and crisis management framework.