CME hack draws FBI probe while renewing market structure anxiety

November 17, 2013 11:59 AM
Systems were hacked in July

The computer intrusion at CME Group Inc. has spurred a federal investigation and renewed concerns about the trustworthiness of electronic markets.

The Chicago Mercantile Exchange’s owner said yesterday that its systems were hacked in July and some customer information was compromised. CME Group said there’s no evidence that transactions on its electronic-trading system or its clearing services were affected.

Although CME Group downplayed the significance of its incident, the danger to capital markets from hacking is underappreciated, said John Edge, a managing director at New York-based Nice Actimize who specializes in global trading and market structure issues. It’s likely there will one day be a large-scale attack that causes a major disruption, he said.

“From a statistical point of view, it’s completely improbable that it won’t happen,” he said. “The hacking community belongs to usually one of three groups: state- sponsored, organized financial crime or agenda-based activists. You’ve got some very well-funded, very talented, competent people whose job it is to breach security.”

Cybersecurity has been flagged as one of the biggest threats to markets and governments by industry groups and regulators. A study in July found that computers at about 53 percent of exchanges around the world were attacked during the previous year. Nasdaq OMX Group Inc. discovered suspicious files on its website in 2011, prompting a federal investigation.

Customer Credentials

ClearPort, the system that CME Group said was targeted, provides clearing services for block trades that are negotiated privately in over-the-counter energy and metals markets. “To protect participants, CME Group forced a change to customer credentials impacted by the incident, and is corresponding directly with the impacted customers,” the company said in a statement yesterday.

“Assuming no customer assets were affected, this is useful as an eye-opener,” Pete Lindstrom, an analyst at Spire Security in Philadelphia, said of the CME Group incident. “We continue to see various types of folks who are hacked,” he said. “It starts to generate concern over our financial infrastructure.”

Michael Shore, a CME Group spokesman, declined to elaborate on the statement, which said the incident was the subject of a U.S. criminal investigation.

“We did receive the referral” from CME Group, said Joan Hyde, a spokeswoman for the Chicago office of the Federal Bureau of Investigation. “We are looking into the matter.”

Hong Kong

The Commodity Futures Trading Commission, the main U.S. derivatives regulator, is helping with the investigation, according to a person familiar with the matter, who asked to not be named because the inquiry is private. The attack on CME Group came from a hub in Hong Kong, although the perpetrators could have been based elsewhere, the person said.

CME Group offers futures based on interest rates, equity indexes, currencies, metals, energy products and agricultural commodities. It also guarantees interest-rate swaps and credit- default swaps with its clearinghouse.

From January to August of this year, CME Group handled 2.17 billion futures contracts, according to an analysis by the Futures Industry Association, making it the world’s largest exchange by volume.

While computer attacks are global, American exchanges have reported the most instances of attempted sabotage via the Internet, according to a July study co-authored by the World Federation of Exchanges and the International Organization of Securities Commissions. About 67 percent of U.S.-based trading venues said they had to fight them off, the study showed. About 89 percent said it represents a systemic risk.

‘Big One’

That’s similar to the conclusion made by Depository Trust & Clearing Corp., which processes U.S. stock trades. It said in August that hacking is the gravest threat to financial markets.

“Cybersecurity is a large and growing problem for all financial service providers,” Howard Ward, the chief investment officer for growth equity at Rye, New York-based Gamco Investors Inc., which oversees about $40 billion, wrote in an e-mail. “We must accelerate our investments in protecting our financial system and power grid from intruders before they score a big one.”

On July 25, U.S. prosecutors said they indicted four Russians and a Ukrainian in what was called the largest hacking and data breach scheme in U.S. history. Nasdaq OMX was among their targets.

‘Suspicious’ Files

Nasdaq OMX in 2011 disclosed an intrusion involving “suspicious” files on its Directors Desk system, which lets corporate board members communicate and share information. The National Security Agency, the top U.S. electronic intelligence service, joined a probe of the 2010 attack, people familiar with the investigation said in March 2011.

Although unrelated to hacking, U.S. stock and options exchanges have experienced a series of self-imposed technical errors this year, reinforcing concern that electronic markets are fundamentally flawed. The errors, including an Aug. 22 malfunction at Nasdaq OMX that prompted a three-hour trading suspension for thousands of stocks, prompted Securities and Exchange Commission Chairman Mary Jo White to demand infrastructure and protocol improvements.

About the Author