The bank engaged in an extensive review after being one of the banks affected by a Russian ransomware attack early in the year. The first casualty? Going digital.
It is a small section in UBS’s full second-quarter report, but a telling one. Buried on page 41 is a small but substantial tidbit. The bank has just finished a post-incident review after January's ION XTP ransomware attack.
To jog people’s memory given the constant diet of entirely unfamiliar names and acronyms from the criminal fringes of cyberspace, ION XTP is the one with derivatives. It paralyzed the trading operations at several banks although you wouldn’t know it from ION itself, characterizing the entire thing as a «cleared derivatives cyber event…contained to a specific environment».
UBS had told us about it in its first quarter report, saying the event had disrupted its exchange-traded derivatives clearing activities, although it managed to restore them after 36 hours with workarounds.
Going Old School
If nothing else, it made waves and caused a great deal of anxiety. A senior US Treasury Department official weighed in with a virtual «keep moving…there is nothing to see here» exercise over the cyber assault from Russian ransomware gang LockBit, according to a report from «Bloomberg» (paywall) at the time.
We've now arrived at the legendary financial institution post-incident review. A career killer to some and the unwelcome originator of dozens of findings and remedial actions for many others. UBS maintains it identified needed improvements to its framework and will «take actions» to enhance cyber-risk assessments and controls over third-party vendors.
That's unremarkable in most contexts, except this attack had very significant ramifications, a key one being that it seemingly chips away at a cherished cornerstone of UBS’s strategy under previous CEO Ralph Hamers - digital innovation.
The Reprioritization Dilemma
But don’t take my word for it. Let’s hear what the company says in its quarterly report.
«Although we are continuing our efforts regarding innovation and digitalization, to ensure there is the right focus during this initial period of integration we have reprioritized some UBS changes,» the bank wrote.
Turgid stuff indeed. You could make a case for switching a few clauses around for clarity. Still, it sounds pretty transparent and clear. I don’t know about you, but it doesn’t much sound like they're moving at quite the same speed with all of that stuff.