Financial institutions are under attack from a new generation of cyber-criminals, ones looking to exploit weaknesses in the algorithms used to conduct automatic trades. Algorithms are widely used within financial institutions to generate mass trades – at one venture capital company, an algorithm has been appointed to the board of directors.
EJ Hilbert, head of cyber-investigations at Kroll, said that algorithms were a tempting target for cyber-criminals. “Algorithms manipulate data and the bad guys understand that – manipulating data is what they know.”
He couldn't say how common a problem it was, as he could only comment on cases where Kroll was brought in to investigate. He did say that he knew of at least two recent cases: one where the company had procedures in place that identified a particular issue, and one where the company just thought there was something not quite right. “In one case, the bad guy was someone internal; in the other, we couldn't identify where the gang was from.” He pointed out, however, that these were highly organised criminal gangs, ones who were able to sell information and launder the proceeds accordingly.
Hilbert, a former FBI cyber-crime investigator, said the really interesting question is what the criminals would do with the compromised source code: whether it would be sold back to the companies it had been stolen from, or whether the criminals would use it themselves. “We know, from monitoring the dark web, that there are discussions about how to use this information,” he said.
Financial authorities have already identified a problem with hedge funds. In April last year, the USA's Securities and Exchange Commission said it would be looking into brokerage firms and investment advisers to ascertain how well protected they were against cyber-attacks and what steps they were taking to protect customer data.
On this side of the pond, regulatory authorities are more circumspect. “We would ensure that companies have adequate systems and controls in place for the management of IT risks,” said a spokeswoman for the Financial Conduct Authority, but she said that the authority didn't treat hedge fund companies any differently from other financial institutions. Nor did the FCA look in any detail at the level of protection. “We're a financial regulator, not a body that assesses IT risk,” the spokeswoman said.
Hilbert said the regulators would want to keep a close eye on trading systems and might introduce new procedures. “When there was a lot of credit card crime, systems were tightened and PCI DSS was introduced, and there's no less of a problem,” he said.