On the Rise of SaaS, Cloud & Chaos: BCP in an Unknown World

It’s business as usual—except when it’s not. Traders, investment bankers, asset managers, and the vendors who serve them will operate using their business continuity plans indefinitely. Tech innovations over the last decade have made these plans better, but they’re far from perfect.

On Friday, March 20, Finastra, which was formed in 2017 after the merger of D+H and Misys, detected that “a bad-actor was attempting to introduce malware into our network in what appears to have been a common ransomware attack,” which resulted in the vendor taking its servers offline.

Finastra counts some of the largest banks in the world as clients—with an especially strong presence in the retail space—and as a result, several banks saw disruptions to their services, according to notices put up on their websites. Also, as the Wall Street Journal reported, “financial firms encountered problems moving Treasury bonds among themselves Friday, reporting slowdowns and outages on the Federal Reserve’s electronic securities ledger,” due to the Finastra server shutdown.

Finastra’s servers were returned online on Sunday, though full IT operations were not restored as of Monday afternoon. “At this time, we do not have any evidence that any customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” Finastra’s chief operating officer, Tom Kilroy, said in a statement on the company’s website.

Ransomware and similar cyber-attacks are simply a fact of life for financial services, but they’re likely to become more common as a result of firms enacting their business continuity plans (BCPs). The outbreak of the coronavirus pandemic has forced cities across the globe to enact measures to keep their citizens in their homes to curb the spread of Covid-19, the new disease resulting from the coronavirus.


Because of their embrace of cloud and software-as-a-service (SaaS) solutions, banks, asset managers, and vendors are better prepared for a remote workforce, as only minor disruptions have thus far been reported. Still, it is to be expected that bad actors are going to look to take advantage of this situation, and due to their embrace of cloud, financial services firms have increased their potential attack zones.

“My company is now completely working remotely, and we have not had a lot of challenges having already adopted many cloud apps,” says the chief technology officer of a US-based bank. “But what I’m finding now, our biggest concern is security: With many of our bankers using new networks and devices to do work, our attack surface has increased a lot. And though we planned for remote security, we are still seeing some holes in our strategy, which we are working on. Also, cybercriminals are taking advantage, putting viruses into Covid-19 information sites, phishing government or health care emails, etc.”

As of right now, there’s no way of knowing if the ransomware attack on Finastra was precipitated by the coronavirus—did a criminal spy a new vulnerability created by the company enacting its BCP? Or was it just a normal attack that would’ve happened regardless? (As ZDNet reported, Finastra had issues previously with its Pulse Secure VPN servers and its Citrix servers.)

What is clear is that even if firms’ BCPs hold up to government-enforced shutdowns and mandatory working from home, there are new and unique questions that will have to be answered.

Without Delay

On March 9, Alex Fleiss, CEO of quant hedge fund Rebellion Research, ran 33 miles—but not because he wanted to.

In Florida, on a trip to visit his college roommate, who works for a health insurance company, he was supposed to be having a good time. Instead, the pair of investors watched the stock market as it crumbled around them. They decided to run it off.

“I was going nuts,” Fleiss says. “We were both getting annihilated in the market, and we were losing it, so he kept running, and I kept running.”

The financial markets have been dealing with disruptions and crashes for decades. In many ways, this comes with the territory if you’re a trader. But new innovations have helped to mitigate disruptions. While Fleiss was very concerned about markets, from a technological perspective, Rebellion was “essentially built for Armageddon.” Its proprietary machine-learning trading engine is built on the cloud and comprises Bayesian networks that are physically separated across several locations far apart from one another. That way, if one became corrupted, the fund would see it immediately.

The biggest concern, says Rebellion’s Fleiss, is how the government handles cyber-threats from abroad. The hedge fund recently hired a former agent from the International Criminal Police Organization (Interpol), and Fleiss says he is now much more concerned with the government’s vulnerabilities to cyber-attacks than he is with finance’s.

“Your average PC is more secure than Plano, Texas’, municipal government. So often, you’ve got these local governments that are getting hacked into all over the place,” Fleiss says. “Yes, technically, without a doubt, there will be more cybersecurity issues. There’s no question.”

Tech innovations over the last decade have allowed for BCPs to run more smoothly than before, such as when Hurricane Sandy struck America’s East Coast or the terrorist attacks of September 11, 2001. Cloud, SaaS platforms, and increased bandwidth have offered the ability for staff to increasingly work remotely. Teleconference and messaging apps ensure essential communication doesn’t drop off. Yet, for all of these advancements, new challenges have emerged.


Institutions that have been slow to adopt cloud policies will be cut off from certain sensitive data that is stored only on-premise; traders will have to contend with less screen real estate; a horde of new home networks and VPNs is beckoning cybercriminals; and then there’s the question of whether the bustling traffic thrust upon Wi-Fi networks in residential areas can support widespread working from home.

“We’re in a much better place than five or 10 years ago, but you realize how much more there is to do,” says Mazy Dar, co-founder and CEO of industry operating system provider OpenFin, which works closely with many of the biggest banks.

One area that leaves much to be desired still is chat, Dar adds. In a conference call last Friday, Dar sat on the line with about 15 to 20 people, some of whom were on the client-side. The person leading the call instructed everyone on the line to use a Symphony chatroom to communicate so that no one would miss important conversations or messages.

Dar asked to be added into the chatroom but was told it was restricted, and that he’d first have to go through an onboarding process, which could take weeks. It’s just a simple example, he says, but in an environment like this one, you realize some rules in the capital markets—put into place for good reason, such as ensuring compliance—are limiting.

However, while some banks and asset managers have gotten comfortable with using the public cloud, that transition might not have happened soon enough to help with this latest disaster. Large banks still look to maintain a majority of their data on the firms’ local servers. Dar says this leads to two problems: one, data is less accessible; two, those firms are banking on their own backup systems being on par with those of the major cloud providers, Google, AWS, and Microsoft.

In 2000, Dar joined electronic trading venue Creditex Group as chief strategy officer, working through the SARS outbreak in 2003. He remembers the time distinctly. Traders had commonly accessed the platform through desktop applications in their offices, and a security measure many firms had taken by that time was to lock down the IP addresses so that the app was only available through bank-owned IPs. When SARS—the respiratory disease caused by the SARS coronavirus—took hold, traders who were working from home couldn’t access the platform.

“These things are always hard because it’s a balance between security, compliance, and privacy on the one hand, and then, on the other hand, ease of accessibility, as well as things like redundancy and scalability, which the cloud provides,” Dar says. “The reality is that today, cloud security and the tools available to manage compliance are there. So it’s not that the cloud is not secure. It’s simply that the industry has not moved fast enough to embrace it. And this should be a wake-up call.”

OpenFin, which is based in downtown Manhattan, moved to allow its staff to work from home starting the week of March 16. In the days leading up to peak market and cultural hysteria, the vendor, upon reviewing its existing BCP, tripled its accounts for video conferencing service Zoom. All internal and client meetings are being conducted virtually or via phone.

Similarly, Trading Technologies (TT), the OMS and futures trading platform provider, has instituted a work-from-home policy for all its employees through April 3 at the earliest. After introducing its SaaS platform TT in 2014, and announcing the sunset of its more than 20-year-old predecessor X_Trader, TT has finished the migrations for more than 50% of its customers and has been working to round that figure off to 100%.

Brian Mehta, TT’s chief marketing officer, acknowledges that despite enthusiasm from other clients to start or complete remaining migrations, the mass work-from-home situation and general uncertainty spurred by the ongoing spread of the virus is causing some delays. However, he anticipates the ordeal will be a positive overall for the company, as it may bring a surge in cloud and SaaS adoption. (Rebellion’s Fleiss predicts the same outcome.)

Migrations remain the top priority for the vendor, but other initiatives, particularly around custom solutions, have stalled for the time being. “With something like the Covid-19, those plans do get delayed. And with delays, not only does it impact our clients in terms of what they want to do, but also us in terms of making sure that we’re there not only to do the work but also address it when they need it,” Mehta says. “Then obviously, there’s a trickle-down effect across the board.”

Individual project and roadmap delays can lead to diminished growth—even shrinkage—and thinner profits. Aside from those battles, there’s the question of whether, at the end of this, clients jumping back into the swing of things all at once will lead to bottlenecks.

And though TT hasn’t yet received any complaints or concerns related to outages or latency as a result of working on residential networks, Mehta says it’s a possibility if businesses and offices stay shuttered for several weeks.

New World

Big banks, in particular, are accustomed to having a certain number of remote laptops connect to their local servers via VPNs either because the user regularly works from home, or for when employees are traveling. That alone carries some security risk, but suddenly, the banks now have a free-for-all on their hands.

This is an unprecedented time when it comes to having a remote workforce, says Brad Bailey, research director of capital markets technology at Celent. It’s also likely that it’s not just the employee who is working from home—as many cities across the globe are locked down to some degree, that means that roommates, significant others, and children are also competing for internet resources.

Bailey, who’s currently working from his home alongside his son and daughter, who are completing coursework online, says that’s a potential hazard, especially for bankers or traders with young children.

“What if they start banging on your computer while you’re in the restroom? God knows,” he says. “I mean, theoretically, a monkey could type Shakespeare. But there are things you need to think about that are both technology and security, but also making sure people are using these tools properly. I think this is all being played out, and I’m very curious to see what happens now in light of—hopefully—this short experiment in virtual communication.”

Perhaps the only known right now is the unknown.
