Facing the Four Risks

CIOs must prepare for threats that could spell disaster for their firms, so how can they survive in dangerous waters?

According to biblical texts, four horsemen will appear at the end of time, ushering in the Apocalypse. While that image may seem far-fetched and the Apocalypse may not be looming, there are four very real-world dangers on the horizon: terrorism, an avian flu pandemic, cyber attacks and a credit crisis. These weigh heavily on the shoulders of CIOs tasked with preparing their firms to cope in the gravest of circumstances. If any of these scenarios played out, it wouldn't take apocalyptic cavalry to bring on widespread problems and panic. Waters asked industry experts to sound off on what every CIO needs to do to prepare.

Risk 1: Avian Flu Outbreak

An impending avian flu pandemic is the latest health crisis to make governments, corporations and citizens sit up and take notice. Avian flu—so-called because it is largely concentrated in bird populations—has the potential to develop into an epidemic. According to the World Health Organization, human cases of avian flu have been detected in numerous locations around the world.

So far, the flu has been limited to those who have come into direct contact with infected birds. But the danger is real: If avian flu develops into a pandemic, the global impact could be significant.

HSBC's head of crisis management Bob Piggott told reporters in January that in its preparations for bird flu, the bank used an estimate of 50 percent of staff being affected in the event of an outbreak.

Since the article, HSBC officials have stressed that the 50 percent figure is purely for worst-case scenario planning purposes, and the figure includes staffers who are unable to travel or who need to take time off to care for loved ones. It also includes the bank's average level of absence due to holidays, training courses, other illness and so forth. However, the material impact of avian flu on the financial markets has become a topic for the boardroom.

Jamie Jameson is a consultant in crisis management and business continuity at British risk management firm Link Associates. While he says that there is still uncertainty about the impact of a pandemic, estimates like HSBC's 50 percent are not unreasonable. He advises firms to study and follow official guidelines on the flu, but he says that investment firms face unique dangers.

"For those in closed communities like trading floors, the infection rate for such illnesses is higher," says Jameson. He cites two examples of firms that have implemented strategies to minimize infection risks. A utility firm has generated what it refers to as a "pandemic regime." Shifts will be longer to compensate for reduced staff numbers, and as shifts change, staff overlap will be minimized.

Jameson also describes one firm with a call center, where a one-hour gap between every shift allows for cleaners to disinfect the room. The variety of measures being taken reflects the uncertainty surrounding avian flu. "Some companies are suggesting giving everyone surgical masks—others are not. Having masks introduces a further problem of disposal," Jameson says.

Allowing employees to work from home would solve the logistical problem of getting staff to the office; however, the cost of installing secure, fast connections to homes might be too much for some firms to stomach. It is not as easy as it seems, Jameson says.

At press time, avian flu is primarily affecting the bird population, and has not mutated into a virus that can be transmitted among humans. But if this changes, its impact will be devastating.

Important sources for up-to-date information, Jameson says, are the central authorities. A spokesman from the Financial Services Authority (FSA) says that a survey of different firms' plans for coping with the flu is under way. Whether firms can afford to wait for the results of that survey to be released is debatable.

Risk 2: Terrorism

For some, the question about the next terrorist attack is not where and how, but when. Given the importance of the financial markets in sustaining the global economy, financial districts are prime targets for terrorist attacks. However, technology can play a key role in minimizing the impact of an attack. Along with the benefits of technology, London clearing house LCH.Clearnet discovered the value of a practiced disaster recovery plan following the bombings last July.

Ron Heil is director of consulting at Pittsburgh, Pa.-based security services firm SecuraComm. Heil's first piece of advice for firms trying to prevent terrorist attacks is to move. He says that he has worked with clients who, after choosing headquarters, brought him in to deal with the on-site security. The first thing he says to them is that they should choose a different location.

"When a blast occurs, you need distance," says Heil.

If distance is an impossibility given the location of a building, setting up a wall is one way to shield the building from an attack. But for firms on Wall Street, and for many in the City, there is no space for either distance or a thick wall. "You can't realistically reinforce a building to survive a blast," says Heil.

For many securities firms, therefore, technology plays a key role in counter-terrorism strategies. A good counter-surveillance operation is necessary, Heil says. Before an attack, terrorists will survey an area to discover how best to attack it—and anyone with a camera in a financial district such as London's Canary Wharf knows how wary staffers are of recording equipment.

Counter-surveillance technology, such as security cameras, can deter those surveying an area with criminal intentions, says Heil. It is important to have an expert observe camera footage, and to train every employee to know what to watch for.

But to think of a terrorist attack as solely a bomb blast is to miss out on the bigger picture. Chris Falkenberg, a consultant with New York security firm Insite Security, highlights the possibility of a chemical or biological attack. "Firms can take steps including access control, active external surveillance, and package screening," says Falkenberg. Technology is available to combat chemical and even nuclear attacks. New chemical detectors can test for a wider array of chemicals. "New radiation detectors are both very accurate at detecting small doses and can discriminate between medical radiation and other more sinister sources of radiation," he says.

But he sounds a warning signal when it comes to biological attacks. "In my opinion, there is no effective way to detect or defeat a biological attack in a way that would provide a substantive benefit," Falkenberg says. However, governmental bodies, such as the US Department of Health and Human Services, have extensive advice on how to deal with such events.

Heil and Falkenberg stress the value of trained staff and a well-prepared DR plan. An established chain of command is paramount. "You don't want to have the corporation beheaded and stopped," Falkenberg says.

Risk 3: CDS and the Back Office

While the risk of a systemic breakdown in the credit default swaps (CDS) market may not be as dramatic as a terror attack or as panic-inducing as the bird flu, the exposure of firms to the risk of a major credit default is a cause for concern. Simply put, a CDS is a form of insurance for investors who wish to hedge their risk if an investment goes into default.

Although credit market performance remains stable, mounting pension problems and recent news of poor sales from Ford Motor and General Motors, two of the most widely referenced names in the credit derivatives and structured products markets, have sent shivers down the spine of the credit market.

If a widely referenced company defaults, it could trigger a possible credit crisis, says Larry Tabb, founder and president of industry analyst firm The Tabb Group. "If these large companies go bankrupt, it depends on who holds these obligations, how they are priced and the people who have taken bets and lost. Have they properly hedged that risk? I can't say yes or no, nor whether a GM default would plunge us into a national recession, but it's something people are worrying about," he says.

If that weren't enough, several firms dealing in credit have yet to get their back offices in order. The paperwork in credit agreements, says Tabb, has been a big nightmare for the market. "There are all sorts of issues with confirmations and contract letters not being properly filled out, signed, agreed upon or confirmed. About 25 percent of credit default swaps paperwork is not complete," he says.

The regulators have taken notice and are taking steps to urge the dealers to get their back offices in order. Harrell Smith, manager of the securities and investment group with analyst firm Celent, says the firms are working hard to address this matter. "They realize it is important to them as well. Now, when they are called to the carpet by the Fed, they will generally take that seriously. But when they will meet the deadline and how well they can reduce operational risk with regard to credit derivatives trade processing remains to be seen."

In a December 2005 interview with Waters' sibling magazine Credit, one credit solutions provider commented on the impact that the dramatic growth of the credit derivatives industry has had on the back office. According to Mark Beeston, president of credit derivatives processing solution T-Zero and former COO of credit trading at Deutsche Bank, "The biggest dealers will have around half a million payments to make in the next quarterly cash roll. Consider that two years ago, dealers had fewer than a thousand cash flows to process on a daily basis. Now they have a day coming up that is five hundred times the size of that."

Risk 4: Cyber Attacks

The issue of cyber-attacks—whether automated in the form of viruses, or intelligent, under the control of hackers—has been brought up again after a virus caused the RTS (Russian Trading System) Stock Exchange to suspend trading for an hour on Feb. 2.

According to officials at the exchange, all RTS markets were closed from 4:15 p.m. to 5:20 p.m. "as a result of a computer virus." Once the problem was pinpointed, the infected computer was disconnected from the network. Specialists checked the exchange's systems, rebooted and resumed operations.

Officials say that no permanent damage to trading systems was done, and no trading data was lost. According to RTS vice president and head of IT services, Dmitry Shatsky, the virus got into a computer connected to the trading testing system through the Internet. "The infected computer started to generate false traffic in tremendous amounts, causing the overload of the RTS routers. As a result, the work traffic—data being entered into the trading system—was not processed," says Shatsky.

Graham Cluley is senior technology consultant at anti-virus solutions firm Sophos. While viruses are clearly still an issue, Cluley says that during 2005, Trojan horses comprised almost two-thirds of new malicious software (malware). Unlike a virus, a Trojan horse doesn't multiply and spread, but rather is under the control of a hacker, allowing stealthy intrusion into a system.

It used to be that the vast majority of virus writers were teenagers in their bedrooms hoping to get into the headlines, says Cluley. "Today, a lot of malware writers have financial motives in mind. They don't want headlines, and they are much more stealthy," he says.

To deal with software threats, Cluley's advice echoes that given regularly to consumers: regularly update anti-virus software, set up firewalls to limit intrusion and, for those using Microsoft Windows, install patches as soon as they become available.

"A network should be like a prison," says Cluley. A prison doesn't have just one perimeter wall, but lots of walls and doors inside to prevent anyone from gaining immediate access to the whole complex. "A firm should have firewalls within the network, as well as across connections to the outside world," he says. With internal firewalls, if someone gains access to a single workstation, they will have limited access to the rest of the network.

But an emerging danger is now hardware rather than software. Keyboard loggers—small, inch-long boxes that can be attached to keyboard cables—store all data transmitted from the keyboard to the computer, including sensitive information like user identifications and passwords. There is virtually no way for software to detect such devices. "In large organizations where there are cleaners and other service personnel, it can be very difficult to ensure that such hardware devices aren't being added and removed," says Cluley. With the possibility of confidential passwords being stolen, internal firewalls to separate segments of the network are all the more important.

Disgruntled staff might even copy sensitive information to a USB hard drive, or an Apple iPod. "The problems are not just external," says Cluley. Given such warnings, some firms' policies banning such devices from the trading floor seem more reasonable than ever.

Waters
