View the latest FX Survey results

The cyber security threat to FX algos


Paul Golden
Published on:

Although processes are in place to limit the impact of rogue algorithms, there are further steps electronic FX trading networks can take to protect themselves from cybercriminal activity.

Given the kudos a hacker would receive for disrupting the world’s largest financial market, it is perhaps surprising that more effort has not been made to target the systems that support the trillions of dollars of FX trades made every day.

FX broker FXCM remains the only high profile victim to date.

Tom Higgins 2017-160x186

Tom Higgins, Gold-i

Gold-i CEO Tom Higgins says it would be difficult for someone to make a profit from attacking an electronic FX trading network, as all they could do is place trades with no guarantee they would make money from those trades.

However, he also accepts that a distributed denial of service attack – which would make the trading service unavailable – represents a considerable threat.

“The security behind trading networks at banks is extremely high,” he says. “Standard security mechanisms are very high quality, with strong levels of encryption and authentication, and ECNs and exchanges often use circuit breakers.

“However, as you get closer to the retail end of the markets, networks are less secure and there are very few controls in place. I am sure that an attack will happen at some point.”

Minimizing the protocols, interfaces and services that can be accessed make it harder for a hacker to attack an electronic FX trading network, but this is problematic since the ability to access services externally is a fundamental element of such networks.

In any case, explains James Furness, chief technology officer at MahiFX, even physically isolated systems can be breached by a highly sophisticated attack.

He says the solution is to implement multiple layers of security controls designed to detect and delay an external attack from someone targeting unauthorized algorithms at the network.

“Unauthorized access should be denied where possible via security controls such as cryptographic authentication, password authentication and firewalls to minimize opportunities for an attacker to impersonate another party and trade on their behalf,” says Furness.


Although credit limits will constrain a rogue algorithm’s trading, circuit breakers or velocity limits might also be in place to prevent unusually large bursts of trading activity before credit is exhausted. The downside is that these must also be lenient enough to permit normal trading patterns.

David Murray, Corvil

Another limitation of circuit breakers, explains David Murray, chief business development officer at Corvil, is that algorithms respond to data inputs, so anyone who is familiar with the algorithm and can modify the inputs will be able to manipulate the outcome. 

“A slight tweak to an algorithm in a finely tuned machine may not be significant enough to trigger controls such as circuit breakers, but can do substantial damage,” he suggests.

Monitoring and reporting should be in place to alert the network to unusual activity. This might be as simple as flagging access from unusual locations or could entail using a machine-learning algorithm to spot unusual trading patterns.

In May, Corvil launched a cybersecurity product that autonomously identifies vulnerabilities and possible attacks within trading environments, applying machine-learning algorithms to determine and benchmark normal behaviour on the network and running security analytics to detect patterns of compromise.


James Furness,

MahiFX’s Furness also recommends that trading systems are separated from internal networks, minimizing the area exposed to an attacker who has compromised the internal network.

“Intrusion detection systems can be leveraged on servers to identify compromises of internal systems and on network interfaces to detect suspicious traffic entering or leaving internal networks,” he explains.

One example of such a system is the enterprise compliance software developed by Behavox, which includes specific detection algorithms that flag up instances where people internally are sharing passwords or login details for systems or sending these details outside the company or to personal email addresses.

Real time

According to Corvil’s Murray, FX trading firms need real-time monitoring of employee activity, trading behaviours and connectivity patterns.

“When securing FX networks, it is important to deploy a solution that does not disrupt performance,” he adds. “Given the highly automated nature of trading networks, there is a high sensitivity to impact on trading speed.”

Nathan Swain, head of IT security for ADS Securities, describes self-assessment services such as the Bank of England’s CBEST framework – which enables companies to voluntarily test their defences using advanced threat intelligence and realistic attack simulations – as an option for benchmarking a network’s readiness.

“This is the key starting point in any serious cybersecurity operation in the FX trading space,” he says.

Gold-i uses digital signatures on all emails to mitigate the risk of social engineering attacks from attackers pretending to be a staff member.

“Digital signatures are not commonly used because they are complicated to set up,” concludes Gold-I’s Higgins. “However, I believe they should be mandatory for all financial institutions.”