About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

OFR’s Ref Data Could be a Cyber Attack Target, Warns Sans Institute’s Paller

Subscribe to our newsletter

As well as coming under attack for its central theory of collecting data for systemic risk analysis during a government organised roundtable last week (see more on which here), the US Office of Financial Research (OFR) also came under fire for the potential information security threat it could pose. Alan Paller, founder and research director of the global security focused Sans Institute, indicated that federal agencies currently prove to be easy targets for cyber attacks and unless much more rigorous IT security measures are taken for the OFR, it will end up putting the data it collects at risk.

“As long as security remains so lax inside government, there is great risk that any data gathered by government would be easy prey for financial criminals and nation states bent on cyber mischief,” said Paller. “This concern applies particularly to small agencies that may lack the scale to implement first class cyber security protections. For example, if the OFR moves data from well protected financial sites to less well protected government or contractor sites, they will put that data at risk.”

Given that Swift and the Depository Trust and Clearing Corporation (DTCC) have been backed by the industry to take on the mantle of establishing and maintaining the new legal entity identification (LEI) standards that are required by the OFR, both will no doubt refute that their data repositories could pose such a threat. After all, Swift sells itself on the basis of the security and resilience of its financial messaging network and the DTCC is already a data repository and clearer trusted by the government authorities.

However, it is by no means a done deal that these two will act as the technology and standards partners for the whole of the OFR, this mandate only covers the LEI. What of the other systemic risk monitoring data items listed by Berner and Liechty last week? Surely sensitive transaction reporting and internal risk data are potentially at threat in Paller’s eyes?

To guard against the dangers of a cyber attack, Paller therefore listed a number of suggested defences that should be introduced against these dark forces:

  • Continuous (daily) monitoring of the 20 key controls in the Consensus Audit Guidelines (CAG) and the exclusive use of tools that strictly adhere to the automation and interoperability requirements of the security configuration automation protocols developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
  • Implacable adherence to operating system and software configurations defined in the Universal Gold Master configurations approved by the Department of Defence’s Joint Consensus Working Group.
  • Rigorous multi-factor identity validation of every user without exceptions.
  • A team of at least eight “hunters and tool builders” who use constantly updated scripts to monitor OFR system logs and network information continuously to find evidence of penetrations and then reverse engineer, and eliminate malicious programmes that make it through the perimeter.
  • Software code analysis and penetration testing for all software that accesses sensitive information and any that allows access to the systems, such as websites.
  • Auditors who verify these defences are in place and substantial consequences for auditors if they miss well known problems.

If the risk to the nation’s financial system is great enough, determine whether the collected data should be treated as, and protected as classified data.

Subscribe to our newsletter

Related content


Recorded Webinar: Re-architecting the trading platform for interoperability, resilience and profitability

Trading platforms have come a long way since the days of exchanging paper certificates and shouting across trading floors, pits and desks in the early 2000s, but there is progress still to be made as firms strive to reduce risk, increase profitability, and make their mark in digital assets trading. This webinar will review the...


FinScan Combines Data Quality Experience with Technological Expertise to Deliver Agile AML Solution

FinScan has combined experience in data quality with technological expertise in screening to provide an Anti-Money Laundering (AML) solution designed to help financial institutions develop more efficient AML programmes that generate fewer false positives and support better detection of true alerts. The company is part of Pittsburgh-based Innovative Systems, which was founded in 1968 and...


AI in Capital Markets Summit London

The AI in Capital Markets Summit will explore current and emerging trends in AI, the potential of Generative AI and LLMs and how AI can be applied for efficiencies and business value across a number of use cases, in the front and back office of financial institutions. The agenda will explore the risks and challenges of adopting AI and the foundational technologies and data management capabilities that underpin successful deployment.


Regulatory Data Handbook 2023 – Eleventh Edition

Welcome to the eleventh edition of A-Team Group’s Regulatory Data Handbook, a popular publication that covers new regulations in capital markets, tracks regulatory change, and provides advice on the data, data management and implementation requirements of more than 30 regulations across UK, European, US and Asia-Pacific capital markets. This edition of the handbook includes new...