The cyberattack on CME Group Inc. (CME:US) last week, routed through Hong Kong, is reminding the financial services world of one of its most constant threats to business.
The owner of the world’s largest futures markets last week joined companies from Citigroup Inc. and JPMorgan Chase & Co. (JPM:US) to the New York Stock Exchange in revealing that it’s been targeted by hackers. Financial services firms need to boost spending the most to fend off at least 95 percent of attacks, according to a 2012 Bloomberg Government study.
“We shouldn’t view this as a futures market story alone, all financial services and markets are a target,” said Craig Pirrong, a finance professor at the University of Houston. “Investors do need to be concerned.”
CME Group, based in Chicago, said Nov. 15 that its ClearPort clearing system was breached in July and some customer information was compromised. The company said there’s no evidence that transactions on its electronic-trading system or its clearinghouse were affected. The Federal Bureau of Investigation said it’s investigating, while a person familiar with the matter said the U.S. Commodity Futures Trading Commission is looking into the incident.
Financial services firms are constantly being assessed by potential hackers for weaknesses, a phenomenon known as “opportunistic probing,” said Pete Lindstrom, an analyst at Spire Security in Philadelphia.
“It’s very common for folks to think they’re too small or too obscure to be a target,” even though that’s not the case, he said.
In June, eight people were charged with hacking customer accounts at more than a dozen financial institutions, including Citigroup and JPMorgan, in a plot to steal at least $15 million. The scheme involved breaking into customer accounts and moving money into the control of crews called “cashers.” Withdrawals were then made from automated teller machines and fraudulent purchases were racked up in New York, Massachusetts, Illinois, Georgia and elsewhere, U.S. Attorney Paul Fishman said earlier this year.
A hacker group’s threat last year to erase the New York Stock Exchange from the Internet for a day failed as its website functioned without interruption. Users saw occasional delays logging on to NYSE.com around the time the Anonymous collective said its attack was to begin. The NYSE and its parent company NYSE Euronext were acquired last week by IntercontinentalExchange Group Inc., a CME Group rival.
The danger to capital markets from hacking is underappreciated, said John Edge, a managing director at New York-based Nice Actimize who specializes in global trading and market structure issues. It’s likely there will be a large-scale attack that causes a major disruption, he said.
“From a statistical point of view, it’s completely improbable that it won’t happen,” he said. “The hacking community belongs to usually one of three groups: state-sponsored, organized financial crime or agenda-based activists. You’ve got some very well-funded, very talented, competent people whose job it is to breach security.”
Cybersecurity has been flagged as one of the biggest threats to markets and governments by industry groups and regulators. A study in July found that computers at about 53 percent of exchanges around the world were attacked during the previous year. Nasdaq OMX Group Inc. discovered suspicious files on its website in 2011, prompting a federal investigation.
ClearPort, the system that CME Group said was targeted, provides clearing services for block trades that are negotiated privately in over-the-counter energy and metals markets. “To protect participants, CME Group forced a change to customer credentials impacted by the incident, and is corresponding directly with the impacted customers,” the company said in a statement last week.
“Assuming no customer assets were affected, this is useful as an eye-opener,” Lindstrom said. “We continue to see various types of folks who are hacked,” he said. “It starts to generate concern over our financial infrastructure.”
Michael Shore, a CME Group spokesman, declined to elaborate on the statement, which said the incident was the subject of a U.S. criminal investigation.
“We did receive the referral” from CME Group, said Joan Hyde, a spokeswoman for the Chicago office of the Federal Bureau of Investigation. “We are looking into the matter.”
The CFTC, the main U.S. derivatives regulator, is helping with the investigation, according to a person familiar with the matter, who asked to not be named because the inquiry is private. The attack on CME Group came from a hub in Hong Kong, although the perpetrators could have been based elsewhere, the person said.
CME Group offers futures based on interest rates, equity indexes, currencies, metals, energy products and agricultural commodities. It also guarantees interest-rate swaps and credit-default swaps with its clearinghouse.
From January to August of this year, CME Group handled 2.17 billion futures contracts, according to an analysis by the Futures Industry Association, making it the world’s largest exchange by volume.
While computer attacks are global, American exchanges have reported the most instances of attempted sabotage via the Internet, according to a July study co-authored by the World Federation of Exchanges and the International Organization of Securities Commissions. About 67 percent of U.S.-based trading venues said they had to fight them off, the study showed. About 89 percent said it represents a systemic risk.
Nasdaq OMX in 2011 disclosed an intrusion involving “suspicious” files on its Directors Desk system, which lets corporate board members communicate and share information. The National Security Agency, the top U.S. electronic intelligence service, joined a probe of the 2010 attack, people familiar with the investigation said in March 2011.
Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system or cutting communications, according to the Bloomberg Government study released in January 2012.
Of all the industries surveyed for the Bloomberg study, financial services would face the steepest increase in spending to reach an ideal state of protection. Financial companies’ annual security costs would jump almost 13-fold on average to $292 million per company to fend off 95 percent of attacks, from about $23 million, according to the Bloomberg Government report.
To contact the reporter on this story: Matthew Leising in New York at firstname.lastname@example.org
To contact the editor responsible for this story: Nick Baker at email@example.com