Network Management – Moving Towards a Brave New World

Over the last 30 years, the network management function has undergone a number of irrevocable transformations. These changes follow a series of landmark events – most notably the immobilisation and dematerialisation of physical securities in the mid 1990s; the introduction of post-financial crisis regulations; the emergence of disruptive technologies; CSD Regulation; and most recently COVID-19. In the case of the latter, the strategic significance of robust cyber-security and operational resilience have been laid bare. But should network managers be entrusted with monitoring these risks at their sub-custodians?

Cyber-security – One click away from a crisis

Cyber-crime is a problem that has been fairly ubiquitous for a long time now. In 2018, SWIFT issued a stark warning that securities market participants were especially vulnerable to cyber-attacks, a scenario which risked causing all sorts of systemic challenges. In a worst case scenario, a successful cyber-attack on an intermediary provider(s) could result in assets being frozen or stolen in the custody chain, or the manipulation of market and/or reference data (i.e. standing settlement instructions, pricing, etc. ) for financial gain.

The pandemic – and the sudden emergence of hybridised working practices – has made firms more susceptible to cyber-attacks – especially as employees are increasingly using unencrypted home Wi-Fi networks and personal devices to carry out their day-to-day work activities. For example, BAE Systems noted that 42% of financial institutions confirmed that work-from-home arrangements made them feel far less secure. The scale of the challenge was illustrated in a survey by the DTCC (Depository Trust & Clearing Corporation), which found 24% of financial institutions believed that cyber-crime was the biggest risk facing markets in 2022. Accordingly, cyber-hygiene is an issue which network management teams are increasingly scrutinising.

There are several reasons for this. Were client monies to be stolen or misplaced in the custody chain, liability clauses contained within EU regulations such as AIFMD (Alternative Investment Fund Managers Directive) and UCITS V could kick in – requiring custodians to make investors whole on any losses. Aside from regulation, changing institutional investor behaviour is also forcing network managers to gain a better understanding of all things cyber. For instance, the recent emergence of crypto-custodians and bank digital custody solutions has correlated with the spectacular rise of cryptocurrencies as an asset class. With a number of crypto-exchanges having suffered catastrophic hacks and subsequent losses, network managers are keen to ensure crypto-custodians or banks offering digital wallet safekeeping services have stringent cyber-security protocols in place.

While the AFME (Association for Financial Markets in Europe) due diligence questionnaire (DDQ) does make a number of passing references to cyber-security, network managers are divided on whether they are sufficiently well-positioned to be asking sub-custodians detailed questions on such a highly technical topic. Some have warned that cybersecurity reviews on sub-custodians by network managers – who are not experts in the field of cyber-security - risk becoming nothing other than mundane tick-box exercises. In contrast, other industry experts stress that cyber-assessments should be undertaken by dedicated in-house ICT risk professionals or external cybersecurity auditors – to ensure the responses serve their purpose. Moving forward, the most optimal outcome will be if network teams collaborate closely with IT experts – either at their own firms or externally when conducting reviews of the cyber-policies and protections at their agent banks. You can find more about our approach to same – with our partner Bluevoyan, here. At CENTRL, internal and external collaboration features are already included in the content. These enable network managers to assign responses to questions or sections of a due diligence questionnaire to SMEs who can make properly informed decisions. All of this remains within the platform - not extracted and communicated via email - and remains controlled within the detailed audit trail.

Resilience takes centre stage at custodians

Although transactional volumes in securities markets reached extraordinary highs during the start of the pandemic, the industry largely withstood the volatility. Nonetheless, operational resilience is something which banks and regulators are paying closer attention to. The UK’s Financial Conduct Authority (FCA) – along with the Bank of England and the Prudential Regulation Authority published a set of requirements designed to improve the operational resilience of financial institutions. Meanwhile, the European Commission’s Digital Operational Resilience Act (DORA) outlined the basic safeguards it expects financial institutions to build into their systems so as to mitigate risks associated with cyber-attacks and ICT disruption. So how are network managers responding to this?

In the case of sub-custodians, network managers want assurances that providers have fully documented contingency plans in place should an existential crisis unfold. A handful of highly vigilant network teams are even conducting fourth party risk management assessments during their agent bank selections and ongoing reviews to determine that their sub-custodian’s core suppliers are both sound and resilient. A failure at a fourth party – such as a critical IT vendor or software provider (e.g. a cloud based service provider) – could have serious downstream consequences for custodians and their clients. As with cyber, questions covering BCP (business continuity planning) are included in the AFME DDQ and it is an issue which bank network management teams are increasingly taking seriously. Market practitioners can expect more detailed DDQ requests on these topics in the coming 12 - 24 months.

Network teams – covering more ground

Securities markets have undergone enormous changes over the last few years, and network managers are continuously adapting. Looking ahead, it is clear that detailed training on cybersecurity, crypto currencies, digital assets and operational resilience will be key focal areas for custodians, brokers and (I)CSDs when conducting due diligence or periodic reviews on their sub-custodians - or their sub-custodians critical service providers.