One-fifth of CME clearing members hit by Ion hack
Advisory committee heard CFTC believed it could “play a more direct role” in cyber security practices
Around 20% of all CME Group clearing members were affected by the Ion ransomware event, an executive at the clearing house has told a public hearing.
Ion Group, which supplies software used to process cleared derivatives trades, had to shut down access to some of its services on January 31 after hackers seized control of its servers.
The outage affected 42 Ion clients, forcing some to process trades manually and delay regulatory reporting. CME has 67 clearing members.
Julie Holzrichter, CME chief operating officer, said a subset of the affected members saw a “material impact” as a result of the hack. She was speaking on March 8 at a meeting of the Market Risk Advisory Committee (MRAC) of the Commodity Futures Trading Commission (CFTC).
As events unfolded, Holzrichter said that CME “observed an unusual build-up of message queuing”. It then quickly took steps to ensure environments were protected, including blocking network connections with Ion, evaluating its environment for the published indicators of compromise, and reviewing its own systems that it believed could be exposed to contagion risk for any potential vulnerabilities.
Shortly after becoming aware of the Ion incident, CME engaged with firms to help them retrieve necessary files and perform functions within its systems. The financial market infrastructure firm extended its end-of-day processing timelines to allow clients extra time to complete their tasks, and told clearing firms that reporting might be delayed. It also put in place enhanced risk monitoring for the affected firms.
“Some of the impacted clearing members were not able to submit customer gross margin files, so we leveraged our own records and knowledge of relationships between the gross and net margin requirements to track Ion’s customers’ gross margin requirements, making adjustments to the impacted firms’ requirements as appropriate,” said Holzrichter.
What role for CFTC?
Speaking in the same meeting, Amanda Olear, director of the CFTC’s market participants division, said the agency was embarking on an effort to revisit its risk management requirements for futures commission merchants (FCMs) and swap dealers to determine whether there was space to adapt the rules to meet the evolving challenges posed by an incident such as that at Ion.
The CFTC will be issuing an advanced notice of proposed rulemaking, posing specific questions soliciting feedback from the public to inform its work in the area. Additionally, the CFTC plans to begin engaging directly with its registrants to get their perspectives on its risk management regime and to “identify opportunities to enhance its effectiveness for identifying, monitoring and managing all of the attendant risks to their FCM or swap dealer activities”.
A core focus of those discussions will be identifying key risk areas that should be monitored and managed, amendments to periodic risk reporting, and risk management governance more broadly.
“A key risk area that I’m sure is at the forefront of everyone’s minds is cyber risk, including both how to mitigate it, and how to recover from a direct cyber-attack or one on a third-party service provider,” said Olear.
At present, CFTC registrants are subject to cyber security requirements from the self-regulatory National Futures Association or through prudential or other regulatory regimes, rather than directly from the CFTC itself. But Olear said the CFTC believed it could “play a more direct role in fostering strong operational resilience practices amongst our registrants”.
The CFTC has accordingly begun work to develop policy recommendations addressing FCMs and swap dealers with respect to their cyber security practices.
Ion Group’s cleared derivatives subsidiary is a third-party service provider of order management, order execution, trading and trade processing software.
Walt Lukken, president and chief executive of the Futures Industry Association, told the MRAC hearing that on the day of the Ion incident, the FIA held a call with 150 industry members from across the globe. Over the course of the first week, its calls with the industry grew to include more than 700 individuals.
Lukken said that on February 6, after Ion accelerated the recovery and rebuilding of its systems over the preceding weekend, the industry began to reconnect to Ion, and that it was now the FIA’s understanding that firms utilizing the vendor’s software suite were “back to business-as-usual operations”.
As a result of the incident, the FIA has formed a global cyber risk task force to develop recommendations for improvements to cyber protections and protocols, examine the effectiveness of the industry’s initial response, and look at safeguards around third-party service providers. The FIA aims to release an initial report by the second quarter of this year.
The task force will determine whether additional cyber security regulations are needed to strengthen the industry’s resilience. The FIA will also review its annual disaster-recovery exercise for exchanges, regulators, clearing houses, clearing firms, service providers, executing brokers and software vendors, in light of the events that occurred at Ion.