In daily business news, organizations like the Depository Trust & Clearing Corp. (DTCC) or the Options Clearing Corp. (OCC) typically don't make headlines. That could be considered a good thing. DTCC and OCC are clearing houses, acting as intermediaries between financial institutions such as banks and investment firms. Operating largely behind the scenes, clearing houses are responsible for clearing and settling millions, or even trillions, of dollars daily in securities exchange and other financial markets. (See "Clearing Houses Defined" below.)
But even if name recognition is low, their importance is outsized, and the job clearing houses do is crucial to the health of economies. They are, in fact, comparable to a utility, like a water or power company. "We are the financial market's silent partner," says Adam Shaffer, who is based in Chicago and serves as executive director of internal audit for OCC. "We are the sole clearing agency for listed equity options in the U.S."
As for all financial organizations, cybersecurity is a top concern for clearing houses, and even more so because a successful cyberattack isn't just an issue for that organization. It could actually cause disruptions throughout financial markets.
"So we are designated a SIFMU — a systemically important financial market utility," explains Shaffer. In the U.S., the OCC is one of only eight financial organizations with this status. Three other SIFMUs are subsidiaries of DTCC: the Depository Trust Company, the National Securities Clearing Corp., and the Fixed Income Clearing Corp.
Because of their status as financial utilities, clearing houses have a very low risk appetite. "At DTCC, we want to mitigate risk as much as possible," says Steven Jacovetti, DTCC's executive director of internal audit, who is based in Jersey City, N.J. "Our firm's mission is to protect the financial services industry. We have to do everything in our power to make sure that we are providing the highest levels of risk management to protect the firm and our clients."
So what do audit functions at highly regulated organizations with extremely low risk appetites focus on when it comes to cybersecurity? Experts say resiliency and disruption, third-party risk, and insider threats are among their chief areas of concern.
Resiliency and Disruption
The status of clearing houses as intermediaries means that, generally, these organizations don't deal directly with customer data. Instead, they direct their efforts toward preventing disruptions and building in redundancies.
"When you think of cybersecurity, the majority of the population thinks of personal data — personal identifiable information (PII)," Shaffer says. "We are far more focused on disruption. As a company, we don't maintain much PII. Our walls are really built around making sure that we are — like your power company — a dependable resource that continues to operate."
Clearing Houses Defined
A clearing house provides clearing and settlement services for payments, exchange-traded contracts, and cleared over-the-counter derivatives. It acts as the neutral counterparty between every buyer and seller, ensuring the integrity of every trade. Its main role is to ensure that the transaction goes smoothly, with the buyer receiving the tradable goods he or she seeks to acquire and the seller receiving the right amount paid for the tradable goods he or she is selling.
To illustrate one type of clearing house, when an investor decides to purchase a security, his or her order goes through a clearing member firm, which acts as a guarantor to the investor. An investor will typically purchase the security through a brokerage firm, which may or may not be a clearing member firm. If the brokerage firm is not a clearing member, it will have an arrangement with a clearing member firm to "maintain custody" of the investor's securities account. The order is then submitted to a clearing house, which matches a buyer with a seller and executes all activities involved in clearing, securing, and settling the transaction. The clearing house acts as a go-between for the two clearing member firms — monitoring, processing, and assuming the legal counterparty risk for the trade.
Having a cyber-resiliency plan and an incident-response plan are must-haves, says Daniel Pokidaylo, vice president of internal audit at The Clearing House (TCH) in New York City. Like OCC, TCH is a designated SIFMU. However, the 168-year-old TCH differs from the other clearing houses in that it is owned by 24 of the largest banks in the U.S. and its role is primarily to clear and settle payment transactions, including Automated Clearing House (ACH) payments.
"Ransomware has become very popular and is hitting the news all the time, so it's important to have an appropriate incident response plan to mitigate cyberthreats," Pokidaylo says. "I think everyone has an incident response plan, but it could be 50 to 100 pages, and when push comes to shove, you may not know who to call. You can't spend time going through the entire plan and figuring it out during an actual event, so companies have to make sure that the plan is tested, the appropriate contact information is in there, and procedures are really easy to see and follow."
Jacovetti, Pokidaylo, and Shaffer all agree on the need to stay on top of third-party risk, which ranked as one of the top five "high" or "very high" risks among respondents in The IIA's 2021 North American Pulse of Internal Audit survey.
"Auditors are moving beyond control testing to understanding how external parties impact internal control processes, as well as how those efforts are reported," Shaffer says. "You need to have the skills to review contracts and understand exactly what you're committing to whenever you sign on with an external third party, as well as what they are providing in return. For example, what level of visibility do you have into their data to allow you to run an effective cybersecurity program? If you don't build those things into the contract, you're inherently blinding yourself to some things that you traditionally would be able to see in-house."
According to Pokidaylo, events like the SolarWinds cyberattack have underscored the risk involved in working with third-party vendors. "It's important to ensure that any third party we're using, or fourth party, is properly vetted," Pokidaylo says. "Depending on how much we're using that third or fourth party, we might even do an audit or get an audit of those parties done before we start using their services."
Governance also plays an important role in vendor management, such as having policies in place to ensure that information security and internal audit are involved in the adoption of new products and services, Pokidaylo says. "We have to make sure that before anything goes live, the proper security requirements are in place, pen tests are performed, and access controls are appropriate — so all those preventative controls have to be implemented," he says.
As Jacovetti points out, sometimes the weakest link has less to do with technology controls and everything to do with the human element. "I think when you ask anybody else about what keeps them up at night, you constantly hear about insiders — whether it's a malicious insider or not," he says. "Even an inadvertent change to a production system, human error, could potentially impact the industry and DTCC, from a reputation perspective."
Like a lot of organizations, DTCC runs quarterly phishing campaigns to educate its workforce on what to watch for when it comes to fraudulent emails. DTCC also uses physical cues within its email client — such as a phish reporting button — to remind people to be careful. "The training is a significant area of focus for us," Jacovetti says, adding that the cybersecurity campaigns highlight "not only the things that have happened, but also the things that can happen."
Beyond phishing threats, cybersecurity risk can also arise from teams simply not following procedures and not communicating with each other. "Different departments may do their own thing and may not necessarily speak to one another," Pokidaylo says. "So it's important to go to the information security team and say, 'Hey, I know you guys have these policies, but how are you educating the entire organization on them or making sure they adhere to it?' And then that eventually makes audit's job easier because once everyone is adhering to them, it enhances the risk culture of the organization. I think the information security team really respects that we're identifying these areas for improvement."
Jacovetti, Pokidaylo, and Shaffer all tout the necessity of building and maintaining good relationships to mitigate insider threat and cybersecurity issues in general.
"Since I lead the IT audit function at DTCC, I have regular meetings with the chief security officer and his direct reports," Jacovetti says. "I think everybody will say — if you're in audit — you want to be the first person they call, not the last person they call. So we try to make sure that we have good working relationships, that they understand what we need to do, that we understand what their roles are. It's important to have a good line of communication where if they need to reach out and inform us of something, they're not hesitating to let us know."
Using Internal Audit's Knack for Critical Thinking
Auditors themselves can be an important tool in the fight against cybercrime, just by using their tendency to question and imagine possibilities, Shaffer says. He regularly works with OCC's security team in the planning of their "red team" activities, in which participants simulate threats.
"I constantly think, 'How would I attempt to break our systems?' or 'How would I attempt to get the money in certain funds?' You kind of have to wear that hat, with the right intentions," Shaffer says. "I will always tell my team, 'You can spend a lot of time studying your controls, your environment, everything else, but you really need to take a step back and say, 'If I wanted to break all of it, how would I do it?' Some of the best auditors are the people that figure out really great ways of breaking things."
Learning From Low-risk Organizations
With cybercrime on the rise, internal auditors in all types of industries would do well to take a cue from more risk-averse organizations like clearing houses in preparing for cyber risk. Planning for resiliency and disruption, preventing insider threats, better understanding third-party risk, building relationships with IT and information security, and using internal audit's knack for critical thinking are all important tools in the fight against cybercrime.