Between cloud migration, the COVID-19 pandemic, and nation-state cybercrime, risk management principles and practices have changed dramatically in a few short years. Headlines blare “Breach!” and “Hack!” in virtually every industry, and disruptions and shutdowns have become routine.
Due to the growing monetary value of sensitive data, the legal consequences of exploit, and expanding attack surfaces across the world’s most complex computing environments, the financial sector is especially vulnerable and has been among the hardest hit. Perhaps more than anything, the pressure is on due to intense competition for technical parity and market share within the global trading and exchange ecosystem.
Risk managers responsible for trading infrastructures and transactional performance are facing an out-of-control influx of known and unknown threats that are scaling with the cloud. At the same time, bad actors are exploiting the weak links that remain with legacy systems. These conditions may seem chaotic and transitory, but in fact define today’s new state of risk management maturity.
Financial exchanges around the world are settling in to a new normal of high bandwidth, ultra-low latency trading capabilities. Though everyone would like to build out their networks from a greenfield starting point, there are virtually endless, entrenched legacy systems up and down not just digital but hardware supply chains and channels. The stress is building on the greater financial infrastructure.
Point-in-time events and attacks are inevitable, but disruption is now the primary enemy and business continuity is the mission. For risk professionals – and for the executive leadership teams that rely on their counsel – operational resilience and uptime are the new strategic imperatives for the financial sector. Those threats are existential, and nothing less than enterprise viability is at stake.
If exchange operators and market makers are unable to provide trading integrity and liquidity, the likelihood of a flash crash increases. And now, with far more global connectivity points, the potential danger to anyone executing a trade is acute.
Though network perimeters continue to crumble, we still have a long way to go to untether from legacy system and traditional data center vulnerabilities. In the meantime, there are fundamental premises risk managers must understand and best practices to embrace before the financial sector fully adopts and matures into public, hybrid, and dedicated private cloud ecosystems.
First, the nature of the risk has changed. We are now less focused on events, and more concerned with systemic stress that needs to be managed in real time, with an eye toward what application developers are calling CI/CD – continuous integration and deployment of network controls with dashboard system monitoring and security scanning. In this environment, code is exposed at every step along the transaction and payments continuum. Compliance audits are no longer one-and-done quarterly or annual events, and third-party risk assessments and attestations are now merely data points that can inform, but not assure, risk management strategies. Risk can never be eliminated, just managed.
Next, where are the pain points? Every organization is unique and will have a different risk priority profile. Human intuition plays more of a role within each company’s bespoke infrastructure. Whatever the individual situation, everyone is affected by systemic demand for higher volume, higher-frequency trading. Safe, hyperscale cloud computing – and reliable, managed networks that sustain trading in this environment – are now expected by exchanges, counterparties and customers alike.
The main stressors are increasing data volumes and more global interconnections between markets and traders. Activity in one country or a single stock exchange is going to drive activity in another, with the provision of market liquidity adding to the priority burden. Traders and market makers are asking: what happens if liquidity dries up? Can the infrastructure cope with increasing volumes and higher demand for uptime and resiliency?
Here’s a quick check list of mission-critical imperatives for financial enterprise risk managers to consider for integration and deployment. Strategies, vulnerability profiles, and Operational Resilience Management (ORM) best practices will differ between organizations, according to
threat level and risk posture:
- Global connectivity is the name of the game, and real time is the real deal with data communications networks.
- Industry players need to connect flawlessly and seamlessly with other businesses and applications every time, all the time. Here’s where the operational resilience rubber meets the road for the risk manager.
- 100% availability and uptime are revenue imperatives. Breaches come and go, but the new way to think about this is that downtime is the problem, and every lost nanosecond is a lost opportunity.
- Costs of managing multiple locations and outposts add to this challenge. Power is going to go out somewhere and cloud service providers (CSPs) are going to go down, so redundancy and backup are key. Relying on one central data center is no longer acceptable.
- Traders and their counterparts, hubs and providers need to connect across all asset classes within a reliable and transparent managed service infrastructure.
- This is where scalability and private network control comes in. Similar to how retail payments need to scale up during the holidays, trading platforms need to scale up and down not just seasonally, but at a moment’s notice. Expect this volatility as the new normal.
- Remote data facilities need to host, connect, and collocate with the same assurance as central hubs and traditional financial centers. Solving engineering and architecture design challenges is paramount.
- The costs of piecemeal network upgrades can be incredibly expensive and the complexities of upgrading in place are almost always more than expected. Legacy systems have their burdens, and a fresh start with a managed network is the best strategy if possible.
- CSPs are stepping up and partnering effectively with enterprise service companies and trading exchanges in today’s volatile financial ecosystems. However, if you’re waiting for an endgame, it’s a long way off.
- The implications of shared data risk must fall more upon the enterprise than the CSP. Take responsibility for your organization’s public and private cloud strategy, peer-to-peer connections and secure extranets with an eye on a closely held, monitored and managed infrastructure.
We’ve entered a new era of risk, and managers need to report less about threats to the board of directors, and more about ROI and contributions to revenues. Always ask: how am I managing risk to protect and bolster the bottom line? It doesn’t stop with resilience and uptime. In addition, you need to manage risk to keep up with competitors and new technologies, all while taking informed chances on known and unknown exposures. Even traditional C-level teams need to adopt a true risk management mentality toward securing their transactions and trades.
After experiencing extreme market conditions driven by pandemic, market volatility and more sophisticated adversaries, the financial sector and supporting infrastructures are at a crossroads. Applications providers, service companies and exchanges are over the target, keeping up and contributing to the new “bottom line” paradigm.
Risk managers have plenty to be concerned about but should not allow incidental threats to dominate their thinking, or to get distracted by a headline about what just happened to another firm. Instead, we manage our networks within a digital cloud atop a hardware platform customized to handle systemic risk. The biggest gamble on this journey may be taking too much caution at the expense of maintaining competitive, technical advantages.
Jeff Mezger is Vice President of Product Management at TNS with responsibility for its managed services for the financial industry. He oversees product development and strategy for market data, online and data center services.