Trading venues need to detect immediate and emerging threats
When we talk about risks in the context of communication, it is important to distinguish between emerging risks and immediate risks—and remember that we do understand the former.
Immediate or daily risks may appear as early as tomorrow, ranging from manageable to significant. However, because these dangers are more immediate, people tend to pay too much attention to them. This can be avoided if you take a bird’s-eye view and build a more comprehensive picture. You can then identify patterns and correlations, and respond to many of these threats.
In contrast, emerging risks may be more medium- or long-term in nature—their impact is more far-reaching. So let us first consider the threats we can see, and then return to the daily risks.
We define emerging risks as new or unfamiliar threats that will emerge under new or unfamiliar conditions. Any well-run organization will discuss the impact of these emerging risks on its strategy and whether they can be addressed early. However, the time frame of emerging risks is usually longer than the typical three-year corporate strategy cycle.
For example, take the possible threats of artificial intelligence and quantum computing. Future computing power may mean that encryption standards—such as 64-bit—are no longer secure. It may take five years; it may take longer. But this is a topic that needs to be resolved now.
Other emerging risks include the uncertainty of future monetary policy—especially the impact of a shift in interest rate cycles.
In addition, there are the new requirements for sustainability: this is a problem everyone is talking about, but how it manifests is not completely clear.
Last but not least among these emerging risks is competition from large technology companies. They have begun to invest in stock exchange participants to obtain data and financial technology.
You may have read Google’s announcement: it has invested $1 billion in CME Group. As part of the transaction, the transaction operator will transfer more transaction business to Google’s cloud data center. But the result may have a negative impact: competition is crowded out. Fewer market participants may mean less competition and less specialization.
The immediate risks are more obvious. This means that existing controls and mitigation measures can be used to manage them, although these require continuous investment.
For example, for exchange participants like us, operations and security face risks every day, such as the interruption of the trading system. Third parties also bring cyber security risks if a supplier is hacked.
Similarly, we also face direct risks in the credit sector, for example, the loss of cash collateral. Then there is the risk of non-compliance with EU and US regulations and employee behavior, a topic that has become prominent in the past few years.
Legal risks may also include unforeseen loopholes, such as custodian defaults not covered by the terms and conditions.
Finally, another daily risk we are concerned about is the unfair playing field: the different regulatory treatment of newcomers and incumbents.
New trading platforms—for crypto assets and other securities—are treated differently from us in terms of regulation, so they can evolve quickly. They will not face the strict regulations that we must comply with as a critical infrastructure provider. For us, the use of these platforms will bring the risk of disintermediation: we may lose contact with customers.
We must strike a balance between these two worlds. On the one hand, our business is highly regulated; on the other hand, we want to move towards a future of rapid innovation. The art is to bring these two worlds together without stifling innovation.
For us, what are the main types of direct risks? Security: external threats from cyber attacks. We don’t want to downplay financial risks and market risks, but we can manage them more easily. External technology and network security are a different matter.
We do have several cybersecurity projects running, but it’s not enough to just start one project, close it, and say “The world is great!” It requires continuous investment in security, because external threats will change, and change quickly.
Five years ago, we established the most advanced security center, but we must continue to invest. We have been continuously investing in ransomware protection and mitigation because this is a complex subject that requires long-term attention and will evolve as threats evolve.
Another long-term investment that the exchange needs to make is to integrate security into its IT architecture. You can program your technology in a flexible way so that you can add another layer of protection later, when you realize that you need it. But you need to have the system architect sit next to the programmers and risk experts. In this way, they can challenge each other and build for the next five to seven years.
Jochen Dürr is the Chief Risk Officer and Member of the Executive Board of the Swiss Infrastructure and Exchange (SIX) Group