Financial markets and institutions face some of the most persistent cyber risks. JPMorgan has disclosed that the bank now invests $15 billion per year and employs 62,000 technologists to counter about 45 billion potential attacks monitored on a daily basis. Mary Callahan Erdoes, head of JPMorgan Chase’s asset and wealth management division, said that the bank now has “more engineers than Google or Amazon”. On the same day, the Federal Reserve’s Vice Chair for Supervision, Michael Barr, addressed the second annual Conference on Measuring Cyber Risk in the Financial Services Sector and highlighted the impact of digital vulnerabilities in the banking system. Barr stated that researchers at the New York Fed recently found that “the impairment of a single large bank, a group of smaller banks, or a common service provider could be transmitted through the payments system and result in significant spillovers to other banks.” In essence, the weakest link puts the integrity of the entire chain at risk. Researchers also estimated that the potential impact of a cyberattack is systematically greater during stressed financial conditions, which is a very relevant point, considering that three of the four largest bank failures in US history occurred last year and the underlying causes of those events remain a present threat in the banking system today.
It was just over two months ago that hacker group LockBit hit the US brokerage unit of the Industrial and Commercial Bank of China (ICBC) with a crippling ransomware attack that froze automated trading and disrupted the exchange of US Treasuries. Reuters reports ICBC Financial Services was the sole settlement agent for BNY Mellon’s Treasury securities trading and, in the wake of the hack, ended up owing as much as $9 billion to the bank at one point, an amount many times larger than ICBC Financial Services’ net capital. A cash injection from its parent bank helped ICBC Financial Services cover the payment owed to BNY Mellon, and a ransom of an undisclosed amount was ultimately paid to LockBit to unlock the broker’s systems. The LockBit hackers have successfully extorted $91 million across 1,700 attacks since 2020, according to the US Cybersecurity and Infrastructure Security Agency.
While the attack on ICBC’s US arm was contained, financial sector customers were impacted and could have faced significant losses if a larger parent company hadn’t been present or well-capitalized enough to act as a backstop. Moreover, the ripple effect went far beyond just the two aforementioned institutions, as more than $62 billion of US Treasuries failed to deliver on the day of the hack, DTCC data showed. The number of ransomware attacks in the finance industry surged by 64% last year, and was nearly double the 2021 level, according to data from Sophos.
Securities regulators in the US are getting more serious about combatting cybercrime that could disrupt or distort financial market activity. McKinsey notes the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, requires critical infrastructure companies to report all cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA). In addition, the US Securities and Exchange Commission (SEC) in March 2022 proposed a rule requiring publicly listed companies to report cybersecurity incidents, their cybersecurity capabilities, and their board’s cybersecurity expertise and oversight. New rules regarding incident reporting and governance disclosure requirements took effect on December 15, 2023, and impact not only publicly traded companies registered with the SEC, but also third-party software and supply chain companies that could be implicated in cybercrimes. Noncompliance, negligence, and violations of the new framework could result in costly legal action from the SEC, making proactive investments in cybersecurity solutions ever more essential.
The SEC itself, however, has had its own run-ins with cybersecurity fumbles. Earlier this month, the SEC’s official account on X.com (formerly known as Twitter) was compromised by a hacker who used the @SECGov handle to falsely announce that new Bitcoin-backed ETFs had been approved for launch in the US one day before any official decision had been made on this issue. This caused a material shift in market prices of cryptocurrencies and the share prices of associated companies. An investigation by X Safety found that @SECGov was indeed accessed by an unauthorized user who acquired the phone number associated with the account. X noted that “the account did not have multi-factor authentication enabled”, a very basic first line of defense against hackers. Ironically, @SECGov had highlighted the need for multi-factor authentication in previous posts on the same platform. By not following this advice themselves, SEC officials might have also violated a 2021 executive order that required all Federal Civilian Executive Branch agencies to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”