[Status history] ION Cleared Derivatives, a division of ION Markets, experienced a cybersecurity event commencing on 31 January 2023 that has affected some of its services.
@CFTCBehnam: .@CFTC staff will publish the updated report as soon as firms have reported their trades. We hope to resume normal reporting Friday, February 10.
🟡 🟠 🔴
☑️ #24 Mar 17, 2023
March 17, 2023: The cyber-related incident at ION prevented the submission of timely and accurate data to the CFTC last month
[Transcription] The cyber-related incident at ION prevented the submission of timely and accurate data to the CFTC last month. As a result, the weekly CFTC Commitments of Traders (CoT) report has been delayed. Today, staff will not issue the Commitments of Traders report as data for this week will need to be reviewed and validated.
The CFTC intends to sequentially issue the missed COT reports, subject to reporting firms submitting accurate and complete data.
☑️ #23 Mar 15, 2023
Keynote of Chairman Rostin Behnam at the FIA Boca 2023 International Futures Industry Conference, Boca Raton, Florida
@CFTC: Today @CFTCbehnam delivered a keynote address at the FIA Boca 2023 International Futures Industry Conference in Boca Raton, Florida. Read it as prepared here:
[Transcription] [Excerpt] An Eye on Cyber Risk and Service Providers
Just as I was preparing the remarks I referenced earlier, the CFTC issued its first public statement on the cyber-related incident at ION Cleared Derivatives.[4] The severity of the impact on each futures commission merchant’s (FCM’s) operations varied based on the ION application used, and the FCM’s ability to work-around impacted applications. The incident prevented certain FCMs from submitting timely and accurate positions data to the CFTC and, as a result, the CFTC’s release of Commitments of Traders (CoT) paused. The CFTC is receiving corrected historical data and is now publishing the CoT Reports sequentially. It is expected that publication of backlogged reports will be complete this month.[5]
Current law could not have prevented the ION incident, as the direct regulation of third-party service providers is beyond our jurisdiction. With growing cyber risk permeating all elements of our markets, as I testified last week,[6] I believe that Congress, through reauthorization, must consider what role the CFTC should have with respect to entities who provide services to registered entities, and, perhaps more broadly, to our markets.
In the interim, and in addition to addressing the increasing reliance on third-party service providers in conjunction with upcoming rulemakings aimed at establishing adaptive CFTC-specific cyber requirements for FCMs and swap dealers, I have asked our Market Participants Division to further identify potential weaknesses with respect to third-party service providers and vendor relationships and identify appropriate solutions for Commission consideration.
The goal of any upcoming proposals on cybersecurity will be the fostering of sound and responsive cybersecurity practices among our registrants; elevating existing standards that will ultimately improve operational resilience across the financial sector and better protect customer assets.
[Transcription] As a result, the weekly CFTC Commitments of Traders (CoT) report had been delayed. Today, staff is issuing the Commitments of Traders report that was originally scheduled to be published on February 17, 2023.
☑️ #21 March 8, 2023
Testimony of Chairman Rostin Behnam Before the U.S. Senate Committee on Agriculture, Nutrition, & Forestry
@CFTC: Today @CFTCpham delivered an opening statement before the Market Risk Advisory Committee. Read it as prepared:
Last month, the Commission issued its first public statement on the cyber-related incident at ION Cleared Derivatives.[8] The directly impacted FCMs represented less than 10 percent of the cleared derivatives market overseen by the CFTC based on the total customer funds held collectively by FCMs for their clients trading futures, foreign futures, and cleared swaps transactions. The incident prevented certain FCMs from submitting timely and accurate positions data to the CFTC and, as a result, CFTC’s release of Commitments of Traders (CoT) Reports was delayed. CFTC has started receiving corrected historical data and resumed publication of the CoT Reports sequentially; it is expected that publication of backlogged reports will be complete in the coming weeks.[9]
Current law could not have prevented the ION incident, as the direct regulation of third-party service providers is beyond CFTC jurisdiction. Recognizing the relevant risk, I have asked our Market Participants Division (MPD), which is currently developing rule proposals to address cybersecurity and related risk, to further identify potential weaknesses with respect to third-party service providers and vendor relationships and identify appropriate solutions for Commission consideration. However, even if the Commission supports a rulemaking in this area, with growing cybersecurity risk permeating all elements of our markets, I believe this Committee’s reauthorization effort should consider what role and relationship the CFTC should have with third party service providers and vendors of registered entities.
Good morning and welcome to the first meeting of the Market Risk Advisory Committee (MRAC) in 2023 and our second MRAC meeting under my sponsorship.
As our agenda indicates, today we will engage in the CFTC’s first public meeting examining recent cyber disruptions that affected cleared derivatives markets.
On January 31, 2023, in a short statement, ION Cleared Derivatives, a division of ION Markets—a Dublin-based firm, acknowledged that “a cybersecurity event” had “affected some of its services.”[1] ION provides trading, clearing, analytics, treasury, and risk management services for capital markets and futures and derivatives markets. Many market participants, including some significant futures commission merchants, have entered into services agreements with ION for back-office trade processing and settlement of exchange-traded derivatives.
Because of this central role in trade processing, the cyberattack disrupted not only ION’s operations but also the operations of other market participants, triggering a ripple effect across markets. The cyber-incident halted deal matching, required affected parties to rely on manual (old school) trade processing, and caused delays in reconciliation and information sharing and reporting, among other challenges.
Recognizing that many affected firms are within the Commission’s remit and subject to the Commission’s oversight, I am asking the MRAC membership and invited speakers to engage in a deep dive discussion exploring cyberthreats that create risk management concerns. Specifically, I am asking them to offer informed, expert guidance on two issues.
First, while we have long implemented and enforced cyber risk regulation for registered market participants, we cannot rest on our laurels.[2] Technology is ever-evolving. Perhaps equally important, market structure concerns including concentration and consolidation require (re)evaluating and confirming that our existing risk management regulation is sufficiently robust to ensure effective cyber risk prevention and business continuity planning, cyberattack mitigation, and general recovery and resilience. Firms should have a day-one plan for responding to cyber-incidents. We must not misperceive cyber risks as siloed, individual enterprise risk management concerns. All too often, cyber threats demand coordinated action across several market participants with thoughtful incorporation of large, systemically important market participants.
Second, our economy is a digital economy. Global financial markets indisputably rely on the internet and the internet of things (IOT). We are now witnessing the deployment of Web 3.0. The salience of third-party service providers and reliance on non-proprietary software for operational mechanics such as trade processing, margin determinations, and data distribution underscore the importance of revisiting our risk management regulations to ensure that the Commission has adequate visibility into the system safeguards of firms that may impact the operational integrity of registered market participants. We must have fit-for-purpose cyber risk management regulations. What are the contours of our regulation for third-party service providers who offer integral operational services to registered market participants? Who determines if these services comply with our system safeguard regulations?
Our markets must increasingly navigate pervasive cyber threats deployed by well-resourced actors targeting critical infrastructure resources. The alarming threats that we have recently witnessed reveal that cybersecurity preparedness contributes to economic security, public safety, and national security.
As the recent financial crisis illustrated, our markets are deeply interconnected with significant investment and relational correlations. The interconnectedness and correlations may amplify the potential for contagion in the event of successful cyberattacks against critical infrastructure resources. For more than a decade, I have advocated for regulators and market participants to prioritize cybersecurity and investigate the potential for cyberthreats to create systemic risk or national security concerns.[3]
While other regulators, affected firms, the industry, and the Commission remain in a fact-gathering phase, in the wake of the recent cyber-incident, it is imperative that the MRAC fulfill its duty to serve as a timely and transparent forum for critical discussions regarding resilience, recovery, and resolution. As our financial market infrastructure becomes increasingly dependent on digital technologies, it is of the utmost importance that individual firm cyber defenses keep pace with evolving threats. In addition, we must seek to enhance cybersecurity across the network of firms, large and small, that facilitate trade execution, clearing, and settlement in our markets.[4]
In light of these observations, during our meeting today you will hear the diverse viewpoints of the MRAC membership and other market participants, executive members of the Office of the National Cyber Director, fellow market regulators, prudential regulators, self-regulatory organizations,[5] academics, public interest advocates, the public and others as we begin to identify, examine, and explore both the vulnerabilities in our markets and specific policy interventions for consideration by the Commission, best practices for industry participants, and public-private partnerships or industry-engineered initiatives designed to effectuate collaborative cyber threat responses and create cyber-defenses for interconnected segments of our markets.
Agenda items arising from existing workstreams will reflect the MRAC’s continuing commitment to understand, measure, mitigate, and address risk management concerns at the core of our rapidly-evolving markets and at the center of our well-tailored regulatory framework. These efforts underscore the role that MRAC, the other advisory committees, and the Commission play in enhancing transparency and ensuring the integrity of our markets—an issue that is the very subject of a hearing before the Senate Agriculture, Nutrition, and Forestry Committee this morning.[6]
Finally, consistent with the MRAC’s historic role in delivering first-of-its-kind or unprecedented reports and recommendations, we anticipate furthering the Commission’s focus on targeted recommendations to address climate-related risks in our markets and delivering recommendations for the regulation of digital asset markets.
Before we move into the substance of today’s meeting, I want to thank our Chairman, and Commissioners Goldsmith Romero, Mersinger, and Pham, for participating today and for their invaluable contributions to this discussion. As the agenda for each of the five advisory committees takes shape, I think that it will be increasingly clear that there is common interest in addressing the challenges that our markets face. This common interest will also reveal common ground that may enable us to find consensus and build bridges that lead us on a pathway from these challenges to effective solutions. In accord with the statutes governing the advisory committees,[7] let’s consider and coordinate joint meetings that focus on parallel workstreams, leverage the talent and expertise of the resources across advisory committees and subcommittees, and deliver valuable recommendations that effectively address these issues.
Agenda
Today, we will hear from a number of distinguished speakers regarding a wide range of topics all relevant to the MRAC’s market risk-related mandate, including in the areas of emerging technology-oriented risks affecting the derivatives and related financial markets, such as recovery and resilience in the event of cyber-security incidents; central counterparty risk and governance; climate-related market risk; market structure developments; and interest rate benchmark reform. We will examine the many facets of risk and risk management that traditional market participants and new entrants to our markets must navigate.
Increasing threats such as ransomware attacks require collective consideration of operational resilience, industry-wide communication, a major incident response plan, and protection of customer assets and information. In an incredibly timely discussion, Matthew Cronin and Caitlin Clarke with the White House’s Office of the National Cyber Director will share opening remarks, reflecting on the National Cybersecurity Strategy released last week.[8]
The National Cybersecurity Strategy outlines two key cybersecurity objectives: rebalancing the responsibility to defend cybersecurity and realigning incentives to favor long-term investments.[9] To achieve these objectives, the National Cybersecurity Strategy suggests an approach to make our digital ecosystem more defensible, resilient, and values-aligned. The approach rests on five key pillars: (1) defending critical infrastructure, (2) disrupting and dismantling threat actors, (3) shaping market forces to drive security and resilience, (4) investing in a resilient future, and (5) forging international partnerships to pursue shared goals.[10]
Following these introductory remarks, we will hear from Tom Sexton, President and Chief Executive Officer of the National Futures Association; Walt Lukken, President and Chief Executive Officer of the Futures Industry Association; Julie Holzrichter of CME; Amanda Olear, Director of the Market Participants Division of the CFTC and Greg Ruppert, Executive Vice President of FINRA. We will examine the role of the National Futures Association in standard setting designed to mitigate cyberthreats and the Futures Industry Association’s central role in steering industry participants through the recent cyber-incident at ION.
[2] In 2016, the Commission adopted amendments to its system safeguards rules for designated contract markets (DCMs), swap execution facilities (SEFs), and swap data repositories (SDRs) and for derivatives clearing organizations (DCOs) (Final Rules). System Safeguards Testing Requirements, 81 Fed. Reg. 64,272 (Sept. 19, 2016) (codified at 17 C.F.R. pts. 37, 38, & 39); System Safeguards Testing Requirements for Derivatives Clearing Organizations, 81 Fed. Reg. 64,321 (Sept. 19, 2016) (codified at 17 C.F.R. pt. 39). The Final Rules enhanced and clarified existing requirements relating to cybersecurity testing and system safeguards risk analysis by, among other things, specifying and defining five types of cybersecurity testing essential to a sound system safeguards program, including: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk assessment. For specified registrants, the Final Rules also provided minimum frequency requirements for testing, and requirements for them to engage independent contractors to conduct some of the required testing. The Final Rules also clarify rule provisions relating to the scope of system safeguards testing, internal reporting and review of testing results, and remediation of identified vulnerabilities and deficiencies.
The system safeguards provisions of the Commodity Exchange Act and Commission regulations applicable to all DCMs, SEFs, and SDRs require these entities to maintain a program of risk analysis and oversight to identify and minimize sources of operational risk. See SEFs: 7 U.S.C. § 7b-3(f)(14) & 17 C.F.R. § 37.1400; DCMs: 7 U.S.C. § 7(d)(20) & 17 C.F.R. § 38.1050; and SDRs: 7 U.S.C. § 24a(c)(8) & 17 C.F.R. § 49.24(a). Commission regulations concerning system safeguards provide that the program of risk analysis and oversight required of each such entity must address specified categories of risk analysis and oversight to identify and minimize sources of operational risk. See SEFs: 17 C.F.R. § 37.1401; DCMs: 17 C.F.R. § 38.1051; SDRs: 17 C.F.R. § 49.24(b), (c).
Regulation 39.18 implements DCO Core Principle I and, among other things, specifies: (1) The requisite elements, standards, and resources of a DCO's program of risk analysis and oversight with respect to its operations and automated systems; (2) the requirements for a DCO's business continuity and disaster recovery plan, emergency procedures, and physical, technological, and personnel resources described therein; (3) the responsibilities, obligations, and recovery time objective of a DCO following a disruption of its operations; and (4) other system safeguards requirements related to reporting, recordkeeping, testing, and coordination with a DCO's clearing members and service providers. See 17 C.F.R. 39.18.
[3] Kristin N. Johnson, Cyber Risks: Emerging Risk Management Concerns for Financial Institutions, 50 Ga. L. Rev. 132 (2015) (explaining that “cybersecurity concerns are an ever-increasing threat,” and concluding that enterprise risk management solutions focusing only on an individual firm’s cyber defenses may be inadequate to address concerns arising from reliance on third party service providers or resulting from the networking or interconnectedness created by transactional relationships); Kristin N. Johnson, Managing Cyber Risks, 50 Ga. L. Rev. 528 (2015) (emphasizing market participants’ adoption of the NIST cybersecurity framework).
[4] Remarks by FIA President and CEO Walt Lukken before the U.S. Commodity Futures Trading Commission’s Market Risk Advisory Committee, Mar. 8, 2023, https://www.fia.org/fia/articles/fias-ceo-walt-lukken-speaks-cyber-resilience-cftc (describing FIA’s leadership role in steering its members and other market participants during the recent market disruptions following a cyber-incident at ION and announcing the creation of the FIA Global Cyber Risk Taskforce).
[5] Remarks by National Futures Association President Tom Sexton before the U.S. Commodity Futures Trading Commission’s Market Risk Advisory Committee, Mar. 8, 2023 (describing NFA initiatives dating back two decades designed to promote business continuity and disaster recovery plans that implement recovery and resilience processes; supervise the risks of unauthorized access to or attack of information technology systems, and introduce a supervisory framework relating to third-party providers that perform regulatory functions).
[7] Four of the CFTC Advisory Committees are governed by the Federal Advisory Committee Act (FACA), 5 U.S.C. app. 2. The Energy and Environmental Markets Advisory Committee is separately authorized.
[Transcription] As a result, the weekly CFTC Commitments of Traders (CoT) report had been delayed. Today, staff is issuing the Commitments of Traders report that was originally scheduled to be published on February 17, 2023.
Staff has adjusted today’s CoT report to account for reporting discrepancies, specifically, open interest in the CME 1 Month SOFR, CME S&P 500 Annual Dividend Index, IFED PJM Western Hub Day-Ahead Peak, IFED PJM Western Hub Real-Time Off-Peak Fixed Price, IFED MISO Indiana Real-Time Off-Peak Fixed Price, IFED MISO Indiana Hub Day-Ahead Peak, IFED Palo Verde Day-Ahead Off-Peak Fixed Price, and IFED Condensate Diff-TMX C5 1A Index contract markets have been modified to provide the best estimate of positions for the report dated February 14, 2023.
@CFTCcgr: Join us 3/22 (webcast) to hear presentations from experts on Cybersecurity: The ION Markets Attack and Beyond, Exploring Decentralized Finance, and Responsible Artificial Intelligence
[Transcription] Washington, D.C. — Commissioner Christy Goldsmith Romero, sponsor of the CFTC’s Technology Advisory Committee (TAC), today released the agenda for the inaugural meeting of the committee. The committee will meet March 22, 2023 from 12:00 p.m. to 4:30 p.m. (EDT) at the Commodity Futures Trading Commission’s (CFTC) Washington, D.C. headquarters. The public will be able to watch the live meeting via webcast on cftc.gov.
“The Technology Advisory Committee is poised to take on the most challenging issues at the intersection of technology, law, policy, and finance,” said Commissioner Goldsmith Romero. “That’s why it is important to hear from experts fluent in the issues and deeply experienced in markets and technologies.”
🟡 🟠 🔴 The ION Markets Attack and Beyond
The TAC will discuss cybersecurity and the cyber threat landscape for financial markets:
“With the severe cybersecurity attack that recently impacted derivatives markets, and the continuing cyber threat to other parts of the U.S. economy, the Commission will greatly benefit from the insights of senior cybersecurity officials at the Treasury Department and the National Institute of Standards and Technology,” said Commissioner Goldsmith Romero. “These leaders will present to the committee on the lessons learned in recent attacks and outline pillars of sound cybersecurity frameworks.”
Exploring Issues in Decentralized Finance
Another TAC panel will discuss complex issues in decentralized finance, or DeFi:
“A discussion about DeFi, including cyber vulnerabilities, indicators of ‘decentralization,’ digital identity and unhosted wallets, will contribute to ongoing policy discussions in Washington, D.C. and beyond the beltway,” said Commissioner Goldsmith Romero. “The committee has an opportunity to look past labels and examine the issues presented by DeFi thoughtfully and holistically.”
Responsible Artificial Intelligence
The final panel will examine responsible artificial intelligence (AI) and the emerging threat of AI-enabled cyber attacks.
“Given recent developments in AI, the U.S. government should take proactive steps to understand the implications and considerations surrounding this emerging technology,” said Commissioner Goldsmith Romero.
@CFTC: CFTC’s Commitments of Traders (CoT) report scheduled for a Feb-3 release is now live! ICYMI, the cyber-related incident at ION prevented submission of timely data to the CFTC. Backlogged reports will run until approx mid-March. Learn more: https://cftc.gov/MarketReports/CommitmentsofTraders/index.htm…
February 24, 2023: The cyber-related incident at ION prevented the submission of timely and accurate data to the CFTC. As a result, the weekly CFTC Commitments of Traders (CoT) report had been delayed. Today, staff is issuing the Commitments of Traders report that was originally scheduled to be published on February 3, 2023. Staff will issue Commitments of Traders reports on an expedited basis going forward and continues to expect that publication of backlogged reports will be complete by mid-March. In addition, staff has adjusted today’s CoT report to account for reporting discrepancies resulting from the cyber-related incident at ION. Specifically, open interest in the IFED MISO IN RT Off-Peak and CME USD Malaysian Crude Palm Oil Calendar Spread contract markets has been modified to provide the best estimate of positions for the week ending January 31, 2023. In addition, open interest in the Dow Jones U.S. Real Estate Index appears to have been impacted for report dated January 31, 2023 as a result of the ION incident; however, the reportable position data has been confirmed to be accurate.
[Transcription] CFTC Announces Postponement of Commitments of Traders Report
February 16, 2023
Washington, D.C. — Staff of the Commodity Futures Trading Commission Divisions of Clearing and Risk, Market Participants, Data, and Market Oversight today released the following statement to update the public on reporting delays due to the cyber-related incident at ION Cleared Derivatives (a subsidiary of ION Markets), a third-party service provider of cleared derivatives order management, order execution, trading, and trade processing:
“Following the ION cyber-related incident, reporting firms are continuing to experience some issues submitting timely and accurate data to the CFTC. As a result, the weekly Commitments of Traders (CoT) report that normally would have been published on Friday, February 17, will be postponed.
“CFTC staff intends to resume publishing the CoT report as early as Friday, February 24, 2023. Staff will begin with the CoT report that was originally scheduled to be published on Friday, February 3, 2023. Thereafter, staff intends to sequentially issue the missed CoT reports in an expedited manner, subject to reporting firms submitting accurate and complete data. Staff anticipates that, pending the timely, accurate and complete submission of backlogged data by reporting firms to the CFTC, these missed CoT reports will be published by mid-March. After that, CoT report publication will resume its usual weekly schedule.”
January 31, 2023 > February 10, 2023: no news or updates since January 31, 2023
Screenshot (*partially modified content). Source: ION Group, New York
☑️ #14 February 10, 2023
Second week and NO CoT reports!
@goldseek: Cyber attacks! This is turning into a big story! Second week and NO CoT reports! Never seen this in the nearly 3 decades watching these weekly commodity reports. Same issue in Europe: Euronext delays commodities report in wake of ION cyber attack
[Transcription] Washington, D.C. — Staff of the Commodity Futures Trading Commission Divisions of Clearing and Risk, Market Participants, Data, and Market Oversight today released the following statement to update the public on reporting delays due to the cyber-related incident at ION Cleared Derivatives (a subsidiary of ION Markets), a third-party service provider of cleared derivatives order management, order execution, trading, and trade processing:
“Although the impact of the cyber-related incident at ION has been mitigated, firms that are responsible for reporting are continuing to experience some issues with respect to the submission of timely and accurate data to the CFTC. As a result, the weekly Commitments of Traders report, that is produced by CFTC staff, will continue to be delayed until all trades can be reported. A report will be published upon receipt and validation of data from those firms.
“Further, CFTC staff recognizes there remain impacts to some reporting firms due to the incident at ION. Each affected reporting firm should continue their best efforts to expedite compliance obligations in preparing the daily large trader reports required under Part 17 of the Commission’s regulations, working with CFTC staff, to ensure timely compliance. A reporting firm should also file revised reports once the reporting firm's systems are operational. CFTC staff will consider any necessary further action as appropriate.”
-CFTC-
☑️ #12 February 10, 2023
Attack disrupted trade-matching and margin processes
Cyber attacks are one of the most persistent and severe threats facing companies today. Global cyber criminals and state-sponsored efforts can create or leverage a serious disruption to markets and economies.[2] In November, I spoke twice about the need for cyber resilience and warned of the dangers associated with cybercrime from three interrelated threats: (1) zero-day and n-day vulnerabilities; (2) third-party service provider vulnerabilities; and (3) ransomware vulnerabilities.[3]
Last week, a third-party service provider, ION Markets, suffered a cyber attack that compromised a number of brokers in the derivatives markets. For days, the attack disrupted trade-matching and margin processes at approximately 42 firms, according to news reports.[4] This type of disruption can also impact exchanges. According to news reports, a ransomware group known as LockBit claimed responsibility for the ION attack, which I will not confirm.[5] Fortunately, the damage appears to have been contained.[6] I appreciate all of you who worked with the CFTC to ensure that was the case.
There are lessons to be learned from last week’s cyber attack. If we all can discuss those and how to implement those lessons, we can adapt and take steps to build a more resilient market. I invite further discussion with me on this subject.
After all, in 2012, then-Director of the Federal Bureau of Investigation (“FBI”) Robert Mueller warned, “There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”[7] Or as FIA President Walt Lukken said at the start of the conference, there are those that have been hacked and those who don’t know they’ve been hacked.
A 2022 survey of 130 global financial institutions found that 74% experienced at least one ransomware attack over the past year. Critical market infrastructure, like exchanges and clearinghouses, already experience cyber security incidents.
The threat of ransomware continues to grow and evolve, as does the Department of Justice’s (“DOJ”) ability to counter the threat. Ransomware is no longer limited to sophisticated actors. DOJ recently infiltrated and disrupted a ransomware group known as Hive.[8] Hive and LockBit operate as Ransomware-as-a-Service (“RaaS”). That’s a model where the developers create ransomware and an easy-to-use interface and recruit affiliates to deploy the ransomware to attack victims in exchange for a percentage of ransom payments.[9] The result can be extremely disruptive.
Everyone has a part in strengthening cyber resilience across financial markets. In my discussions with cybersecurity experts, I have learned that many cyber attacks start with common vulnerabilities that can be resolved through good cyber hygiene. Phishing attempts, attacks on software and systems that have not been updated with patches, access through remote connections, and insiders being tricked into giving access continue as the tools that cyber criminals employ.[10]
One of the lessons learned from last week is that a firm’s cybersecurity is only as strong as its most vulnerable third-party service provider—which is something I warned about in November.[11] The financial firms at the center of global markets rely on hundreds of third-party service providers. These financial firms and their third-party service providers employ thousands of people who can open the door to potential exploits of sensitive financial data and systems. The threat compounds where several firms use the same provider, as was the case with ION. Firms owe it to their clients—and I would say the markets—to have ongoing communications and other due diligence with third-party service providers to understand their cybersecurity controls and any weaknesses that could put the firm at risk. One path firms can consider is to request regular updated Systems and Operational Controls 2 (“SOC 2”) audits and opinions that the third party service provider has met, and better yet, exceeded, standards.[12]
The danger of this threat is why I have made cyber resilience one of my top priorities. I recently supported the CFTC’s proposed rule to expand clearinghouse notification of cybersecurity incidents.[13] I said at that time, “A major cyber incident involving U.S. clearing houses carries the potential to create disruptions—if not short-term chaos—throughout our financial markets. Imagine the equivalent of the Colonial Pipeline attack on a clearing house or major clearing member.”[14]
The threat of cyber attacks is so severe that it requires all of us to adapt and evolve to meet the changing threat. Chairman Behnam has asked me to lead an agency effort to adapt and evolve the CFTC’s cyber-resilience framework for brokers (FCMs) and dealers (Swap Dealers). We expect to propose a rule in the coming months. My office has already begun internal and inter-agency discussions, including with colleagues at the prudential regulators and the National Institute of Standards and Technology, among others that can provide valuable insights.
Additionally, I sponsor the Technology Advisory Committee (“TAC”), along with its Cybersecurity subcommittee. The TAC is a perfect forum to navigate the complexities of cyber resilience to counter the dangerous threat of cybercrime. We are preparing to announce a remarkable group of members in the next two weeks, including cybersecurity experts, and hold a public meeting next month.
Given the rapidly evolving cybersecurity threat, the public and private sector can be powerful when we join forces to counter that threat. If we all shore up vulnerabilities, and communicate about rapidly evolving threats, together we can adapt to have a more cyber resilient market.
@Ole_S_Hansen: The weekly #COT reports from the CFTC and ICE exchanges will face further delays. Missing so far are two weeks' worth of data from January 24 to Feb 7
@FIAPTG: Our top reads this week include: Cyber attack at financial data group Ion affects derivatives trading; follow-ups to @NYSE systems glitch; and more on @FTX_Official.
@CFTCBehnam: .@CFTC staff will publish the updated report as soon as firms have reported their trades. We hope to resume normal reporting Friday, February 10.
[Transcription] CFTC Statement on ION and the Impact to the Derivatives Markets
February 02, 2023
Washington, D.C.—Staff of the Commodity Futures Trading Commission Divisions of Clearing and Risk, Market Participants, Data, and Market Oversight today released the following statement on the cyber-related incident at ION Cleared Derivatives (a subsidiary of ION Markets), a third-party service provider of cleared derivatives order management, order execution, trading, and trade processing:
“This week, CFTC staff alongside fellow regulators, market participants, and impacted parties have worked to understand the issues surrounding the cyber incident and to help ensure the CFTC regulated derivatives markets were not compromised.
“The ongoing issue is impacting some clearing members’ ability to provide the CFTC with timely and accurate data. As this incident unfolded, it became clear that the submission of data that is required by registrants will be delayed until the trading issues are resolved. As a result, the weekly Commitments of Traders report that is produced by CFTC staff will be delayed until all trades can be reported. A report will be published upon receipt and validation of data from those firms.
“Further, Commission staff recognizes that certain reporting firms affected by the incident at ION do not have enough information at this time to fully prepare the daily large trader reports required under Part 17 of the Commission’s regulations. Each affected reporting firm should use best estimates in preparing those reports, working with Commission staff, to ensure timely compliance. A reporting firm should also file revised reports once the reporting firm's systems are operational. Commission staff will consider any necessary further action as appropriate.”
[Transcription] FIA is aware of network issues caused by a cyber incident on certain ION Group systems which are impacting the trading and clearing of exchange traded derivatives by ION customers across global markets. We are working with impacted members, including clearing firms and exchanges, as well as market regulators and others, to assess the extent of the impact on trading, processing, and clearing.
FIA is coordinating communication and information sharing, through regular calls with relevant parties assessing the firms impacted, how firms can work together to mitigate the disruption and seeking clarity over concerns about affected regulatory obligations and reporting.
For firms in the derivatives industry looking for assistance, please email:
Don Byron, FIA's Head of Global Industry Operations & Execution, at dbyron@fia.org.
Stuart Bailey, FIA's Vice President of Clearing Policy & Operations, at sbailey@fia.org.
For those with additional questions that are not relevant to the current industry response and coordination, please contact fiapr@fia.org.
☑️ #2 January 27, 2023
Delisting
sec.gov: Form 8-K (current reports) - ScION Tech Growth II (CIK: 0001838431)
Item 3.01: Notice of Delisting or Failure to Satisfy a Continued Listing Rule or Standard; Transfer of Listing
On January 11, 2023, ScION Tech Growth II (the “Company”) received a notice from the Nasdaq Stock Market LLC (“Nasdaq”) indicating that the Company was deficient in meeting the requirements of Listing Rule 5620(a), which requires the Company to hold an annual meeting of shareholders no later than one year after the end of the Company’s 2021 fiscal year-end. In accordance with Nasdaq Listing Rule 5810(c)(2)(G), the Company has 45 calendar days (or until February 27, 2023) (the “Compliance Period”) to submit a plan to regain compliance and, if Nasdaq accepts the plan, Nasdaq may grant the Company up to 180 calendar days from its fiscal year end, or until June 29, 2023, to regain compliance. While the plan is pending, the Company’s securities will continue to trade on Nasdaq.
sec.gov: Form 8-K (current reports) - ScION Tech Growth II (CIK: 0001838431)
Item 7.01: Regulation FD Disclosure
On January 24, 2023, ScION Tech Growth II (the “Company”) issued a press release announcing that its board of directors has determined to redeem all of its outstanding Class A ordinary shares, effective as of February 13, 2023, because the Company will not be able to consummate an initial business combination within the time period required by its amended and restated memorandum and articles of association.