Lots of companies around the world offer software and data services for trading and execution, and risk management. The problem is that due to the sheer amount of companies looking to take on BlackRock’s Aladdin, the space is very competitive. And, with new players appearing every day, maintaining a brand that is trustworthy and reliable is critical.
In the case of ION Group though, a particularly nasty ransomware attack has knocked confidence in a global solutions provider to banks and financial institutions. Headlines like “Hacked off: banks demand answers after ION cyber attack” have continued since the onset of the scandal in early February this year.
ION Group were attacked by the hacking group behind LockBit. How much the attack cost ION Group is unknown, but what we do know is that the LockBit debacle may well be the first of many. Have the floodgates been opened? Or will the debacle simply lead to more regulation?
What is LockBit?
According to leading cybersecurity firm, Kaspersky, the “LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment. LockBit will automatically vet for valuable targets, spread the infection, and encrypt all accessible computer systems on a network.”
LockBit is a subclass of ransomware also known as a ‘crypto virus’. It began in September 2019 when it was initially called the ‘abcd virus’. So far it has avoided attacking Russian or CIS located targets, leading to many believing that the people behind it are affiliated to Russia. Although it is also supposed to be based out of the Netherlands.
Interestingly, only a few days before ION Group was attacked, WIRED covered an in-depth story into the goings on behind LockBit’s activities. In the story a recent attack on the UK’s Royal Mail was mentioned, with a warning that “all eyes are now on LockBit”. All eyes that is, apart from the team responsible for cybersecurity procedures at ION Group.
The FBI has been looking at LockBit since 2020. In 2022 the organization released a FLASH report about LockBit:
According to Darkfeed, LockBit have been responsible for more than half of all cyber attacks in the last 12 months. The majority of them taking place in the United States, with the UK a distant second.
Why did ION Group get targeted?
There are several companies that monitor the cyber risk of companies. One of these is UpGuard where you can find scores about cyber resilience from BlackRock, Vanguard, State Street and others.
#DisruptionBanking took a look at the latest result for ION Group which UpGuard says is 732/950. The higher the better. A number that is actually higher than BlackRock at 703 or State Street Global Advisors at 637. A more similar competitor, Chatham Financial, also came in at 703. However, Charles River Associates, another competitor, has a rating of 760. Which one can preclude means that ION Group wasn’t a standout company for the hackers to hit. There may have actually been easier targets. Or was there something else that motivated LockBit?
There seems to be no correlation between some cyber resilience reports and the attractiveness of ION Group as a target. So one may have to look elsewhere for an explanation. Perhaps looking at the leadership behind ION Group, or a history of acquisitions, would be a better indicator as to why the firm was targeted.
Standing Tall and Being Counted following the Debacle
#DisruptionBanking has covered several stories about ION Group since 2020. Their PR Agency in London regularly sends press releases and requests to interview to our editorial about their client.
The stories have included the Buy-side FX focus on Technology with Lab49, Why ION MarketFactory is focussed on Transaction Cost Analysis (TCA), and The importance of automation, with ION Markets. Strong stories about the innovation and constant growth that ION Group wanted the market to see. Of course, our publication helped ION Group create these stories.
And throughout the interviews with stakeholders of ION Group one thing was always apparent. There was huge caution and reliance on the PR agency to ensure everything was painted as ION Group wanted.
What did ION Group say?
The Financial Times have also commented on how Andrea Pignataro, the founder of ION Group, avoids the spotlight. His firm only added a small explanation following the hack:
“ION Cleared Derivatives, a division of ION Markets, experienced a cybersecurity event commencing on 31 January 2023 that has affected some of its services. The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.” (No updates were posted after this press release)
Small consolation for having to involve both the Commodity Futures Trading Commission (CFTC), the Futures Industry Association (FIA), and the FBI. Not to mention companies such as UBS, RBC, ABN Amro, Macquarie, Intesa Sanpaolo and another 37 of ION Group’s clients. A small trawl of the internet will show that ION Group offered neither consolation nor any type of explanation following on from the event. Just one post with no follow up so far. More than three months later.
#DisruptionBanking reached out to both ION Group and the firm’s PR Agency Hawthorn Advisors for comment. Neither organization offered any comments after multiple attempts by our editorial team to contact them. Even with the working relationship that has been in place over the last two years prior to the hack both firms have ghosted our publication.
What about the markets?
Apart from the FBI, the FIA, and the CFTC there have been 42 other market participants affected by the hack which started on the 31st of January this year.
Arguably the biggest disruption was felt by the CFTC. Weekly reports of derivatives trading activity at the regulator came to a halt for three weeks in total.
It isn’t the first time a regulator has had to get involved with ION Group. Victor Meyer of Supply Wisdom highlighted in a recent presentation how ION Group had previously been challenged about its acquisition strategy. The UK Competition and Markets Authority (CMA) raised concerns about ION Group’s acquisition of Allegro Development Corp. in April 2019, for instance.
Additionally, ION Group has been on a shopping spree since April 2018. Back then it took over British trading firm Fidessa for $2.1 billion. Each time the company buys a new business its attack surface is enlarged according to Meyer. This may have led to a deterioration of ION Group’s aggregate cyber risk profile against the “Industry Average” by September 2022, Meyer elaborated. Something that some vendors like UpGuard haven’t picked up on.
ION Group also have a history of highly leveraged transactions. Think Glazers and Manchester United. There is an inherent risk in this type of transaction. Especially when buying companies that are bigger than the purchaser as was the case. Money is harder to find to ensure that infrastructure is able to deal with the challenges of a larger group of companies after a leveraged acquisition. Something that can take years to repay.
Third-Party Risk Management is a Priority
The words Third-Party Risk Management (TPRM) start to become more important after reading the above. At least if you work in a bank that is. In fact, the CFTC is also now pushing for futures and swaps dealers to exercise more due diligence and oversight of the third-party service providers they work with, and that they have a plan for responding to cyber incidents from the first day.
The Futures Industry Association (FIA) has also announced its own cyber-risk task force. The Chairman of the CFTC has asked Congress to consider expanding the agency’s ability to directly regulate third-party service providers.
Even UBS, ION Group’s sole financial adviser for most of its deals till 2019, has accepted that things had to change. The writing may have been on the wall for that long.
Credit Suisse was later drafted in to help raise $1.75 billion of debt with lenders at the end of 2019. But, either way, UBS failed to see the writing on the wall in time. The Swiss bank is still using ION Group as a supplier.
Systemic Risk in Markets Is Everybody’s Problem
Have Tax Payers footed some of the bill for ION Group’s Debacle? Will ION Group offer any compensation or explanation to its shareholders, clients and the wider market?
Ultimately nobody really wants more regulation. And nobody really wants to pay for it either. But with the CFTC and the FIA both heavily invested in ensuring that systemic risk is managed within the derivatives space, there seems to be no choice but to implement more regulation.
However, what nobody expected is for ION Group to carry on as if its business as usual. The company’s latest press releases suggest that ION Group certainly thinks that everybody should just move on. Easy to do when you are not the one who will have to foot the bill for a small host of new TPRM people and a few more people in regulators offices across the world.
What Next for ION Group?
Ultimately what always happens will happen. ION Group will continue to make substantial profits. Banks will raise their fees and pass on the cost to their customers. And the world will continue to work just as it did before.
But here’s an idea. With ION Group supporting so many trading desks, perhaps the answer is for the firm to IPO. It would ensure more transparency and would make the playing field fairer. In fact, the CFTC could simply insist that a listing is completed in order to improve TPRM. At least then ION Group can start to report their activities in such a way that their clients and the market can finally feel a little more secure.
Otherwise, as usual, the taxpayer will probably end up with the bill at the end of the day. And even the LockBit ransom fee will probably be passed on. Who the hackers approach next is still unknown. But they seem to have a good eye for companies that might be considered over-zealous, highly leveraged and that are ultimately growing too quickly. Companies that might also need to improve their governance. And certainly companies who seem to be keen to take risks.
Time for change. Especially if you are still using ION Group’s systems. At least until a proper explanation is not made available to the market.
Author: Andy Samu
#RansomWare #TPRM #Cybersecurity #Derivatives #CFTC #IONGROUP #Trading