An ounce of prevention: Markets, issuers get ready for possible Iran cyberattacks

Register now

A quiet unease is hanging over the municipal bond market as participants wait for a potential retaliation against U.S. interests that may include cyberattacks against the financial services industry after the strike that killed Iranian Gen. Qassem Soleimani in Iraq.

The Multi-State Information Sharing & Analysis Center MS-ISAC raised its cyber threat alert level to blue (guarded) on Tuesday.

MS-ISAC evaluated the current situation and took the action after the U.S. Department of Homeland Security released a National Terrorism Advisory System Bulletin on Monday detailing Iran's cyber program and how the country can execute effective cyberattacks against the United States.
“In particular, Iran is capable of carrying out cyber attacks with temporary disruptive effects against critical infrastructure,” MS-ISAC said. The mission of the MS-ISAC is to improve the overall cybersecurity posture of the nation's state, local, tribal and territorial governments through focused cyber threat prevention, protection, response, and recovery.

“The MS-ISAC encourages all United States state, local, tribal, and territorial government entities to share any relevant threat information with the MS-ISAC SOC,” the organization said. “Organizations and users are advised to update and apply all appropriate vendor security patches to external vulnerable systems and to continue to update their antivirus signatures daily. Another line of defense includes user awareness training regarding the threats posed by attachments and hypertext links contained in emails especially from untrusted sources.”

Meanwhile, the U.S. financial industry has been keeping tabs on the unfolding situation in the Mideast.

The Financial Services Information Sharing and Analysis Center said on Tuesday that it is focused on the situation and is keeping its members informed.

“The [FS-ISAC] is closely monitoring recent geopolitical developments on behalf of our members,” it said in a statement. “We have advised our members to remain vigilant as we continue to monitor the situation.”
FS-ISAC is an organization dedicated to reducing cyber risks in the global financial system. It is headquartered in the U.S., with offices in the U.K. and Singapore. The organization leverages its intelligence platform, resiliency resources and a peer-to-peer network of experts to anticipate, mitigate and respond to cyber threats financial institutions and their customers.

“The events of the last few days have had a significant impact on the international landscape. These events affect the markets and the macro environment, ultimately impacting our municipal clients,” Rick Kolman, head of the municipal securities group at Academy Securities, said on Monday.

Jordan Mauriello, senior vice president of managed security at CRITICALSTART, said on Tuesday that vigilance was key for the private sector as well as the public sector.
“In today’s cyber threat landscape, it’s not just the military industrial and defense industries that have a legitimate reason to be concerned about cyber terrorism and state-sponsored cyberattacks. Attacks from state-sponsored sources have significantly increased over the past few years for businesses, too," Mauriello said. "From financial services and health care to even retail services, targeted attacks against any number of organizations could occur in an attempt to disrupt the U.S. economy."

He said that while many are downplaying the Iranian cyber capability, the evidence shows it should not be taken lightly.

"Iran has spent significant resources and time building their cyber capability since 2011. Many believe this was in response to the Stuxnet attacks which targeted and significantly impacted their uranium enrichment programs," Mauriello said. "As both the recent attacks on Atlanta and the serious tone of DHS warnings provide evidence to support, Iran has been successful in building a strong capability. As an industry, we should be taking a serious look at this threat and ensuring American businesses are ready to detect and respond to this threat in a timely and effective manner.”
New York City Mayor Bill de Blasio said on Tuesday that the city was taking all threats very seriously.

“We have a very strong cyber capacity here in New York City to defend ourselves, a lot of work is being done not only to protect the city government and everything the city government does for the people of this city, but also to work with the private sector and other types of public institutions,” de Blasio said in the Inside City Hall radio show. “So, a lot of work is happening, but the threat is real. Iran is a major cyber power and they will, I’m certain, be looking to do disruptive things in this country over time. So, we take it real seriously, as do we the threat of more traditional forms of attacks.”

He said that while the city didn't see anything happening immediately, "I absolutely want to caution people that, unfortunately, this is going to be the long game, because we’re dealing with a very different kind of adversity here — adversary, I should say. Iran is, not you know, a stateless terrorist movement, this is a major nation, with a major military, and a global terror network at its disposal. This is a whole new ball game."

On Tuesday, Texas Gov. Greg Abbott convened the Domestic Terrorism Task Force for a roundtable discussion at the Texas State Capitol. The task force analyzed prevention strategies against cyberattacks and discussed the importance of "good cyber hygiene" in both the public and private sectors.

"We must work together to develop meaningful solutions to fully eradicate domestic terrorism in the Lone Star State," Abbott said.
When it comes to preparedness training, the U.S. financial sector has not been a laggard.

In November 2019, the Securities Industry and Financial Markets Association held its latest cybersecurity exercise, Quantum Dawn V, a series of tests that let financial institutions practice and improve their coordination with government and other industry sectors in order to keep financial market operations up and running in the event of a systemic cyberattack. SIFMA held Quantum Dawn I in November 2011, Quantum Dawn II was in July 2013, Quantum Dawn III was in September 2013 and Quantum Dawn IV in November 2017.

The exercises are not judged on a pass or fail basis, but were designed as an opportunity to let participants interact across functions internally and with partners externally, locally and globally, and to allow them to test their crisis response and communications plans.

“There is likely no greater threat to financial stability than a large-scale cyber incident,” Kenneth Bentsen Jr., SIFMA president and CEO, said upon completion of last year’s exercise. “Quantum Dawn V simulated a low-probability, high-impact event, which is something the industry must prepare for just as we do for other possible crisis events. Building on our previous Quantum Dawn events, [in 2019] we made the exercise global.”

Over 600 people from more than 180 financial institutions and government agencies around the world took part in the training exercise. The scenario emphasized cross-jurisdiction communication and coordination between member firms and regulatory agencies in North America, Europe and Asia.

Quantum Dawn V let public and private sectors practice coordination and exercise incident response protocols internally and externally so as to maintain smooth functioning of the financial markets when faced with a series of sector-wide global cyberattacks. The exercise helped identify the roles and responsibilities of participants in managing a global crises with cross-border impacts.

Participants included securities firms, banks, asset managers, FS-ISAC, and financial market infrastructure providers of various sizes. It allowed regulators, central banks and government entities, including U.S. Treasury, the Securities and Exchange Commission, the Bank of England, Bank of Canada, Monetary Authority of Singapore, Honk Kong Monetary Authority, Reserve Bank of India and others to participate or observe.
“A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing,” Bentsen said. “No single actor — not the government, nor any individual firm — has the resources to protect markets from cyber threats on their own, nor do cyber incidents restrict themselves to one geographic region. That’s why the communication aspect was essential to the exercise’s success.”

And industry firms are reminded to remain vigilant in the days and months ahead and use any resources that are available to them.

“The financial services industry is a top target, facing tens of thousands of cyberattacks each day,” Bentsen said. “Enhanced harmonization of regulatory standards and supervision, to reduce the amount of duplicative or redundant rules, would help enable firms to devote more resources to security and better protect investors.”

While these are not incidents of terrorism, cyberattacks have hit these states and municipalities across the United States: Atlanta, Baltimore, Ohio, Texas and Riviera Beach, Fla.

Other recent examples of cyber awareness in the muni market include: Data from so-called smart devices, from watches to refrigerators to cars can trigger cybersecurity risks if mishandled, John Shegerian, co-founder of electronic waste recycling company ERI, said during the Preserving NY conference; Ohio’s local governments have a new line of defense to deal with computer hacking in a civilian cybersecurity reserve force that's part of the state National Guard; and work by the Port of Los Angeles to create a Cyber Resilience Center involving companies that do business at the port is a credit-positive approach to dealing with the risk of online attacks, according to Moody’s Investors Service.

For reprint and licensing requests for this article, click here.
Cyber security SIFMA SEC