Information security risk
The risk of confidential client information being improperly shared or accessed.
Nature of risk and appetite
This risk generally applies to all NEX businesses. The NEX Markets business will routinely have access to information about the trading activity of its clients on its platforms, and the NEX Optimisation business provides a variety of services that necessitate access to its clients' trading, settlement, margining and risk activity. The failure to protect this information effectively could result in damages for breach of contract, breach of data protection requirements in certain jurisdictions and a loss of client trust. The board's risk appetite provides for the Group to maintain robust policies, procedures and systems reasonably designed to protect the confidentiality of client information.
Trend
This risk has increased as the incidence of cyber security threats and attacks continues to increase in the financial sector and in the markets generally. The risk is also likely to increase in light of two regulatory developments. One is the implementation of GDPR, which increases both the obligations associated with protecting confidential information and the penalties associated with failing to do so. The other is the implementation of MiFID II, which took effect on 1 January 2018, and which requires specified new monitoring of the Group's EU-based EBS and BrokerTec trading platforms that will necessitate collection and proper handling of individual trader information.
Mitigating controls
The Group seeks to mitigate and control this risk through the following:
- timely escalation and mitigation of risk events;
- information security breach monitoring;
- security incident response procedures, including regulatory notification, as appropriate;
- cyber security programme, including penetration testing;
- contractual liability limitations;
- restrictions on physical access to Company facilities; and
- staff training, awareness and accountability.
Business resiliency risk
The risk that key operating and control systems are unavailable.
Nature of risk and appetite
This risk applies to all NEX businesses. Clients of NEX use the Group to provide essential execution and optimisation services and, as such, rely on the services being available and operating as intended. A failure to maintain this availability could result in disruption and loss for clients, as well as increase their interest in using competitor service providers. This is a particularly significant risk for NEX Markets' trading platforms, which have established well-regarded levels of liquidity that encourage continued use, but could face difficulty replicating those same levels of liquidity if clients were to make a significant and sustained switch to alternative venues. Certain NEX Optimisation businesses also rely on the network effects of multiple participants using a service at the same time, so a service disruption that prompted client defections could also have a pronounced negative effect on certain of these businesses. In certain instances, vendors provide critical services to NEX. Upstream difficulties encountered by these vendors could have a deleterious impact on business resiliency risk, with potential for the negative outcomes described above. The board's risk appetite provides for the Group to maintain robust policies, procedures and systems reasonably designed to ensure the availability of key systems.
Trend
This risk has increased over the past year, as the incidence and complexity of cyber threats continues to increase, and to target not only the theft of information but also the disruption of the operations of market participants.
Mitigating controls
The Group seeks to mitigate and control this risk through the following:
- dedicated 24/7 monitoring of system performance levels;
- enhanced product release and change management processes;
- security event monitoring and triggering of alarms;
- key vendor reviews;
- cyber security programme, including penetration testing;
- timely escalation and mitigation of risk events;
- provision of training and guidance;
- continuous technology investment;
- contractual liability limitations; and
- a documented and tested business recovery programme.
Cyber security risk
The risk that an external or internal party gains or exploits access to NEX electronic assets, with the intent of compromising and/or disseminating confidential data, impacting system operations or otherwise disrupting the conduct of normal NEX business activities.
Nature of risk and appetite
This risk applies to all NEX businesses, although its potential impact may be more pronounced for NEX Markets, given the necessity for and client expectation of continuous, real-time, 24/5 system availability. There are numerous means by which parties, internal as well as external, can attempt to infiltrate a technology environment and, if successful, the impact can manifest in a variety of manners and with varying degrees of disruption and severity. These risks can also manifest themselves through clients, vendors and any other parties with potential on-line or physical access into our technology, as any weakness of theirs can potentially be used as a gateway into our environment. Cyber risk has previously been identified as a major potential source of risk to both Information Security and Business Resiliency, and that remains the case. However, it can also be a potential source of substantial risk for other areas of importance to the firm's operations, including liquidity needs and regulatory compliance, and is an area of considerable focus by senior management and board members. For these reasons, cyber security risk has this year been identified as a stand-alone principal risk. The board's risk appetite provides for a highly effective cyber security risk prevention programme in order to minimise the likelihood and impact of any successful cyber interruption.
Trend
This risk has increased over the past year, as cyber security events are occurring more frequently and attacks are designed with greater complexity and sophistication, focused not only on the theft of information but also on disrupting the operations of market participants. In addition, certain of our businesses use or are considering using cloud-based services, which could alter the nature and source of our cyber security risk. We also saw highlighted this past year the potential impact of security enhancements on operational performance. This was manifested in connection with security flaws associated with standardised industry chips, where certain remedial measures had the potential to negatively impact software performance, speed and latency, all of which are materially important to the operation of the firm's trading platforms. There is also a growing trend to introduce security flaws through the supply chain by contaminating trusted software patches and updates. NEX has a team of staff in place across the firm focused on prevention and mitigation activities. The firm's current federated governance model means controls can be applied differently across businesses, and we are working to create greater consistency across the firm. This is an area of high focus for senior management across the enterprise, with progress closely monitored by the Risk Committee.
Mitigating controls
The Group seeks to mitigate and control this risk through the following:
- a clearly delineated set of policies, standards and procedures;
- a centralised, corporate group responsible for independent oversight and coordination of security protection efforts and responses to breaches;
- periodic reviews by independent consultants, including penetration testing and application testing;
- participation in industry-wide groups seeking to enhance the quality and rigour of collective cyber security efforts;
- aggressive and timely patching;
- monitoring of all incoming and outgoing data connections;
- multi-factor authentication; and
- staff training and awareness.
External change risk
The risk that NEX does not effectively respond to significant political and regulatory changes pertinent to its business.
Nature of risk and appetite
This risk applies to all NEX businesses. NEX businesses are either themselves regulated, or serve financial institutions that are. As such, developments in the regulatory environment have the potential to significantly affect NEX business. Over the past five years or so, the firm has needed to address substantial changes to the regulatory environment, most notably the implementation of the Dodd-Frank Act and MiFID II. The board's risk appetite provides for sufficient resources and expertise to be allocated to the identification, analysis, monitoring and response to such changes.
Trend
This risk has decreased somewhat, as the potential regulatory changes on the horizon appear less impactful than those that needed to be addressed in recent years. For example, MiFID II required major changes to certain of our businesses and the need for associated change management efforts, but the requirements are now in effect and we are operating on a business-as-usual basis. Similarly, while the UK's vote to leave the European Union continues to create a number of uncertainties for the financial services sector, we have in the past year identified Amsterdam as a future operating location for our affected businesses. This new location will permit us to continue to conduct our business in a properly licensed manner following Brexit, and as such we do not currently anticipate a material impact from this change. There are, however, upcoming changes which we are working to make sure we properly address. One is the implementation of GDPR, set to take effect in May 2018, which has required us to do a comprehensive review of our data privacy policies and processes and to put in place certain requirements specifically mandated by GDPR. While much of that work has been completed, additional work remains to ensure complete readiness and ongoing compliance. Another pending change is the implementation of the Senior Managers and Certification Regime for certain of our UK businesses. While not expected to take effect until 2019, we anticipate reviewing and preparing our businesses and executives for these new requirements. Lastly, in the US, while the bulk of regulatory change following the 2008 financial crisis has now occurred through the implementation of the Dodd-Frank Act, policymakers continue to consider potential reforms that could impact the firm. Certain government officials, for example, have called for further study of the evolving structure of the US Treasury market and whether its current regulation and infrastructure are appropriately designed. As a provider of one of the leading trading platforms for US Treasuries, any such changes could have an impact on the firm.
Mitigating controls
The Group seeks to mitigate and control this risk through the following:
- maintenance of internal and external regulatory affairs advisors to provide updates on regulatory developments and convey the Group's perspective on legislative and regulatory issues to policymakers;
- internal committees tasked with monitoring, analysing and implementing change necessitated by regulatory developments; and
- regular reporting and discussion of key and emerging risks at the board Risk Committee.