Every regulator has finally woken up to vendor cybersecurity risk

Virginie O’Shea, founder and chief executive of Firebrand Research, examines increased regulatory focus on cybersecurity, the wake-up call resulting from the ransomware hack of Ion and how regulators can approach addressing risk.

Everywhere you turn these days, you hear regulators talking about operational resilience and cybersecurity. Of course, this isn’t a new thing for some of them (the Digital Operational Resilience Act, or DORA, the third party risk explorer, has been in the works for a while, after all), but numerous others have joined the fray over recent months.

A case in point is the Commodity Futures Trading Commission (CFTC), whose chairman Rostin Behnam took the stage at the annual Futures Industry Association (FIA) Boca conference earlier this month to highlight the regulator’s upcoming focus on all things cybersecurity. The ransomware hack of derivatives trading system provider Ion at the start of the year seems to have provided something of a wake-up call for the regulator about the systemic risks posed by critical third party providers.

Behnam indicated that the CFTC is currently working on drafting rules focused on critical infrastructure providers that are not being directly regulated by the regulator or its peers. It is also working with the National Futures Association (NFA) to draft new industry guidelines for all third party providers. The CFTC is far from alone in wondering what future relationship regulators should have with industry vendors, who have traditionally sat outside of their direct regulatory purview.

Market infrastructures are a much easier crowd to directly regulate and they continue to be a big focus of DORA and its various finreg relatives across the various jurisdictions. Technology vendors, on the other hand, are much harder to address from an oversight perspective.

The initial focus of DORA seemed to be the large cloud providers, who pose concentration risk across all segments of the market. However, the Ion incident and its ongoing repercussions (that noise you can hear in the background is a lot of angry clients demanding to know why the vendor was so slow to inform them of the LockBit ransomware incident and to lay out its approach to resolving the issues) have focused many regulatory minds on your common-or-garden variety of vendor.

What constitutes a systemically important vendor? Do they have to be large multinationals or bigtech firms? What about smaller vendors in niche areas with few natural competitors? How do you go about setting consistent rules across such a wide range of potential candidates? Do you leave it up to their clients to compel them to disclose information, or do you ask for direct disclosures? These are the questions all regulators are wrestling with at the moment.

Firebrand has just put out its latest paper on the topic of operational resilience, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) has released its latest report on the cybercrime landscape. Our report highlights the rising incidence of operational outages across the capital markets landscape; FS-ISAC’s highlights the increasing sophistication of cyber-criminals, who are using tools such as ChatGPT to design even more convincing phishing emails.

The threat landscape continues to evolve, and the more digital we become, the more avenues criminals have to exploit. And a word to the wise, vendors: the regulators are looking at you…