Ion wasn’t deemed a ‘critical’ vendor by most clients

The software firm escaped heavy scrutiny ahead of its cyber attack, says a US Treasury official.

Ion Group, which suffered a ransomware attack on January 31 that disabled some of its services and initially raised systemic fears, was not classified as a critical third-party vendor by many of its clients, according to a US Treasury official.

“Many firms that were onboarded [by] Ion didn’t use the highest level of scrutiny that they use for their most critical third-party vendors,” said Todd Conklin, deputy assistant secretary in the US Treasury department’s Office of Cybersecurity and Critical Infrastructure Protection, speaking at a meeting of the US Commodity Futures Trading Commission’s (CFTC) Technology Advisory Committee on March 22.

Ion escaped close inspection despite having many of the attributes of a critical third-party vendor. It was a “significant market player” that dealers, brokers and even central banks relied on “for quite a few software applications”, Conklin noted. “And over the course of the last few months, they’ve been on a bit of an acquisition spree. So, you have this potential sprawling impact zone for a firm that we found later many institutions didn’t even classify necessarily as a critical third-party vendor.”

Conklin has since spoken with the chief risk officers of some large, global systemically important banks about the lapse. “It’s an area where the government can help provide some additional framework around risk management,” he said.

The Treasury Department has already kicked off an initiative, dubbed ‘The Secure Project’, that aims to map the financial sector’s exposure to critical third-party vendors. “How do we begin to shine a light on the critical nodes, so that the largest firms that have thousands of vendors can triage the third-party risk management onboarding process a little bit better? How do we add the intel mindset to the risk management space in ways we haven’t before?” Conklin asked. “We’re trying to go down a new lane with that this year.”

Another initiative being discussed by the Treasury department’s recently established interagency Cloud Services Steering Committee may lead to direct supervision of some critical vendors. “We’re going to explore the authorities required to provide more direct oversight of cloud service provider infrastructure itself—not just cloud service infrastructure through the lens of financial services firms, but actually examination potentially of the cloud service providers. That is a workflow that we’re going to begin in earnest in the coming weeks.”

The Ion services that were taken offline after the cyber attack were hosted in the cloud.

Systemic risk?

Ion, which supplies software used to process cleared derivatives trades, shut down access to some of its services on January 31 after hackers seized control of its servers. The outage affected 42 clients, forcing some to process trades manually and delay regulatory reporting. The CFTC suspended publication of its weekly Commitments of Traders report because of the cyber attack.

Conklin said the Treasury department became aware of the cyber attack on the afternoon of January 31, “with not much clarity on exactly what was impacted”. At this point, “there wasn’t much information coming out of Ion itself”, but Treasury officials began hearing from their contacts in Ireland, Japan and the UK “that there were some significant delays in derivatives processing”.

The lack of solid information from Ion compounded fears about systemic risk. “We had a very heightened concern going to sleep on January 31,” Conklin said. The next day, February 1, began as “a complete unknown in terms of the number and type of Ion services disrupted, unknown in the number and size of financial institutions that were impacted” and the amount of outstanding trades that were affected.

“By the time we woke up, Japan had completely disconnected from Ion,” said Conklin. “So, the situation seemed to be spiraling in the wrong direction that morning, very, very, very quickly.”

Several banks have also complained about Ion’s communication following the cyber attack.

US regulatory authorities sprang into action. The Securities and Exchange Commission, working with the CFTC, raced to identify the impacted services.

“Fortunately, it wound up being limited to about 11 of their applications, most of which [were] in the derivatives market,” said Conklin.

The CFTC subsequently confirmed that 42 clients were affected by the outage and that there was no significant impact on central banks.

“So within a matter of hours, we were able to basically get a really clear operating picture, so that concern that started in the morning, by the afternoon, it was clear that we had a much less severe situation.”

Treasury officials turned their attention to controlling the public narrative. The first news reports about the cyber attack were published on the afternoon of February 1. “They were taking the view we had the day before, that this was going to be a systemic issue,” Conklin said.

The Treasury department developed an incident response playbook for cyber attacks that included a crisis communication strategy after the Colonial Pipeline hack in 2021, which triggered fuel shortages and panic buying across parts of the US. “We got to deploy that playbook for the first time during the Ion incident,” Conklin said.

Later that afternoon, initial news reports were updated with a statement from Conklin: “The issue is currently isolated to a small number of smaller and mid-size firms, and does not pose a systemic risk to the financial sector.”
