Explore
Close
Your acceptance of all cookies will permit robust site functionality. If you don't allow cookies, some features and functionality of OCC's site may not operate as expected. If you do not choose either cookie setting for our site, or if you close this window, this message will continue to display on each page you visit. Cookie settings can be controlled in your Internet browser to automatically reject some forms of cookies. For more details on cookies this site uses, see our OCC Site Cookies page. In addition to using cookies, we retain other information, including your Internet Protocol (IP) address, for the purposes listed in the Privacy Policy.

Enhancing Traditional Approaches to Manage Cyber Security Risks

Mark J. Morrison
October 24, 2019
By Mark J. Morrison, Senior Vice President and Chief Information Security Officer

At the July World Federation of Exchanges Technology Summit in Umea, Sweden, there was a lively cyber security panel discussion covering the challenges associated with implementing new and emerging technologies in the financial sector. The panel, consisting of senior security representatives from the National Stock Exchange of India, the SIX Group Services, and OCC explored how the implementation of technologies like Blockchain, Distributed Ledger, Artificial Intelligence, Machine Learning, and Public Cloud requires financial institutions to enhance traditional approaches for protecting information systems and data to address the operational, regulatory, and security risks introduced.

Blockchain and Cyber Security

While it is commonly acknowledged the adoption of Blockchain will improve overall financial transaction security through the ubiquitous deployment of advanced data encryption and multi-factor authentication, significant cyber security risks remain that must be remediated. Blockchain is essentially a highly secure application to facilitate the exchange of financial transactions across multiple participants, but most institutions will execute this application on insecure hardware running insecure operating systems and hypervisors. It has been well documented that advanced cyber adversaries, including cyber-criminal elements and nation states, have initiated successful attacks targeting security vulnerabilities within the system hardware and firmware. These attacks could provide the cyber adversary with access to sensitive information and allow for the unauthorized manipulation of financial transaction data while in an unencrypted state. The cyber adversary also could exploit these security vulnerabilities to execute a denial of service attack.

The Use of AI and Machine Learning

Many financial institutions are applying commercially available artificial intelligence and machine learning techniques to assist with quickly identifying and responding to cyber attacks impacting critical business operations, breaching corporate information systems or resulting in an unauthorized disclosure of sensitive information. By adopting machine learning in cyber defense, a financial institution can collect, synthesize and analyze large amounts of systems data looking for patterns of anomalous behavior associated with more advanced cyber attacks. Several cyber security companies have developed artificial intelligence-based product lines to automate the necessary remediation responses to detected cyber attacks through the development of comprehensive security incident response and business continuity playbooks. As the sophistication of cyber adversaries increases, financial institutions must adopt new technologies and processes to detect and respond to a wide variety of cyber-based attacks.

Migrating Functionality to the Cloud

Another emerging technology discussed in depth by the panel was the security implications for financial institutions planning to migrate business operations and functionality to public and/or private cloud instances. The panel members identified several areas for financial institutions to consider when adopting cloud technology, including the importance of defining your cloud architecture (Infrastructure as a Service, Software as a Service) so you will implement the appropriate security controls. Other factors to consider include developing an understanding of where applications will execute and how data will be processed and stored; defining user identity and access management controls; logging and review of system activity; securing containers within virtual private cloud instances; and establishing communications with financial regulators so they can achieve understanding of the cloud security strategy.

To learn more about OCC's thought leadership on industry issues, visit OCC's Blog.

This web site discusses exchange-traded options issued by The Options Clearing Corporation. No statement in this web site is to be construed as an endorsement, recommendation or solicitation to purchase or sell a security, or to provide investment advice. Options involve risk and are not suitable for all investors. Prior to buying or selling an option, a person must receive a copy of the disclosure document, Characteristics and Risks of Standardized Options. Individuals should not enter into option transactions until they have read and understood this document. To obtain copies, contact your broker, any exchange on which options are traded, or The Options Clearing Corporation, 125 S. Franklin Street, Suite 1200, Chicago, IL 60606 (investorservices@theocc.com).