Information Security in Securities Finance
- Ross Levin
- Jun 21, 2016
- 4 min read

With the latest computing and networking advancements, Information Security has become one of the most discussed areas within the enterprise, especially in financial services. Vulnerabilities, breaches, compromised identities, and stolen credit card numbers make the news almost daily. As a result, companies are spending billions of dollars trying to bulletproof their security.
A closer look at security incidents in the financial industry shows that most of them involve consumer data. Institutional data is rarely stolen or breached, and when it is, the motive is usually different: gaining a competitive advantage rather than defrauding individual account holders.
The securities finance industry, being a truly institutional business, has always been somewhat shielded from all this. However, with many new vendors entering the market, product and technology managers increasingly find themselves defending their business practices on Information Security grounds.
Security Assessment
Every time a new service is introduced, either internally or through a vendor, part of the vetting process includes some form of Technology Risk Management (TRM) assessment.
To classify the product from an information security point of view, regulated financial companies conduct a product and/or system assessment, which usually involves filling out a lengthy questionnaire whose answers are translated into a security rating, typically broken down into three categories: confidentiality, integrity, and availability. This CIA triad is not a creation of the Sarbanes-Oxley (SOX) Act of 2002; it comes from the information security literature and is codified in standards such as ISO/IEC 27001 and FIPS 199. SOX itself is concerned with controls over financial reporting, but CIA-style ratings are now used for assessments well beyond that original scope.
Since most securities finance transactions are conducted with counterparties and not with clients, many controls designed to safeguard client data do not apply. Also, since securities finance transactions are post-trade, gaining access to the data with the intent to manipulate the market is impractical as well as illegal. That said, the data is still commercially sensitive: loan rates, availability, and a counterparty's positions are exactly the information a competitor would value, so confidentiality controls remain relevant even where market-abuse controls do not.
You may not realize it, but your data is already sent to many places for various purposes. Contract compare, billing compare, benchmarking, and mark-to-market processes are just a few.
Moreover, with the introduction of the Securities Financing Transactions Regulation (SFTR) in Europe and the latest indication from the Office of Financial Research (OFR) in the U.S. about its commitment to collecting data on repo transactions, regulators are clearly becoming more concerned about the lack of transparency in the industry.
Additionally, all three securities lending benchmarking providers, FIS Lending Pit, IHS Data Explorers, and DataLend, already collect the “proprietary” data of their participants in order to calculate industry rates correctly.
Cloud Based Architecture
Cloud adoption in the financial industry has been very slow, and many companies argue that they can better safeguard data when systems are installed on premises rather than in the cloud.
That can be true. However, the same companies often forget that they most likely already run systems in the cloud without realizing it. A typical securities finance setup in the U.S. involves Loanet, a SaaS product hosted in the provider's private cloud, and Broadridge BPS, which is delivered in a very similar fashion. When dealing with these two providers, the data actually leaves the bank's own space and travels between several private networks. This is no different in principle from a system running in a private Amazon cloud environment reached over a VPN or another encrypted channel: what protects the data is the encryption and authentication of the channel and the controls at each end, not who owns the hardware.
The bottom line is that the data can be as secure as the company wants it to be without residing entirely on the company's own network or hardware.
Vendor Risk
With a blossoming number of financial technology companies operating in the institutional space and covering various aspects of the business, it is difficult to bypass their offerings when it comes to a very specific market segment.
Until recently, the securities finance market had been dominated by just a couple of technology companies offering robust but old solutions. With the introduction of more dynamic and agile products, the market now has a choice of several vendors offering cloud-based, easily deployable, and compartmentalized products. So why has their adoption been even slower than cloud adoption itself?
Many banks, understandably, are afraid to deal with small companies because of the increased operational risk a smaller vendor carries. However, there is a quick and inexpensive mitigation: a software escrow agreement. If the size of the vendor is a concern, sign a tri-party agreement between your company, the vendor, and a third-party escrow service. The escrow agent works with the vendor and collects the source code of the system being deployed for you. The vendor is contractually obligated to deposit the initial source code and to keep depositing with each release. If the vendor fails or goes out of business, your company can officially take over the system with the full source code available to it. You can even sign a more advanced SaaS escrow agreement under which the escrow company runs and/or supports the installation on your behalf. One caveat: an escrow deposit is only worth what you can actually build and run from it, so pay for the escrow agent's verification service, which checks that each deposit compiles and matches the release in production, and make sure the deposit includes build scripts, dependencies, and deployment documentation, not just source files.
No single business unit fits neatly into the corporate Information Security framework, so take the time to familiarize yourself with the various options so that you can explain them to your Information Security organization.