By: Cliff Neve, COO & Managing Partner, MAD Security and Ellen McCarthy, Managing Director and Chief Compliance & Risk Officer, VMS, LLC.
This article highlights the criticality of effective cybersecurity programs in light of recent incidents and regulatory scrutiny by such entities as the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the New York State Department of Financial Services (NYDFS), among others.
In a very recent incident, between August 21, 2018 and September 5, 2018, a data breach occurred at British Airways. Cybercriminal hackers were able to gain access to British Airways systems, stealing names, email addresses, and credit card information (including credit card numbers, expiration dates, and card verification codes) relating to approximately 380,000 transactions in which British airways customers made or changed bookings on the British Airways website.
To combat such cybersecurity incidents, the SEC, FINRA, the NYDFS, and other regulators have undertaken the challenge of evaluating the readiness of regulated entities such as investment advisors, investment companies, broker-dealers, banks, insurance companies, trust companies, and transfer agents to prevent cyberattacks and mitigate cyber risk. The regulators have issued guidelines designed to help transfer agents and other companies guard against attack, mitigate financial and reputational risk, and avoid enforcement action and regulatory fines. For the last several years, the SEC and FINRA have included cybersecurity among their top five examination priorities. Further, the NYDFS enacted 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies, noting specifically:
“Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”
As cybercriminals and hackers become more and more sophisticated, the types of cyber attacks and risk are becoming more and more varied. Current “hot button” cyber risk topics include the following:
- Phishing Emails: Phishing efforts are getting more targeted and are masquerading themselves in forms such as Adobe document signature requests, transmitted faxes, and Microsoft Office 360 cancelation notifications. Since a large percentage of users utilize Adobe and Office 365, and since many of us now receive faxes via email, these avenues can be highly effective for delivering malware.
- Ransomware: Criminals are able to access your files, encrypt them, and demand a ransom for the decrypting key, is evolving and becoming more “productized.” Criminals are able to purchase licenses from ransomware developers, and the process of encrypting the files continues to become more randomized and sophisticated. Developers have begun slowing down the process or creating ransomware that does not immediately activate in order to evade detection by mimicking potential human behavior.
- Sextortion: Criminals are sending emails demanding bitcoin payments or they will release the victim’s web surfing history (specifically questionable/pornographic websites) to their contact list and/or Facebook friends. Some of these emails even claim to have video of the victim as they are surfing these sites that they have obtained by hacking into their computer webcams. The criminals are getting users’ attention by including a password associated with the email account that they have obtained through a past breach. Many users, seeing a password that they indeed use or used, are ready to believe that they have in fact been compromised. If the criminal actually had videos, images, or other information, they would have included it in the email to ensure very quick payment; however, it is almost never the case that they actually have any information. A percentage of the population, though, is so thrown off by the inclusion of a legitimate password that they are inclined to pay the “ransom” and the payment is untraceable.
- Internet of Things (IoT): IOT continues to present new threat surfaces. A North American casino was hacked this year through a networked thermometer in an aquarium. The thermometer was exploited by hackers and allowed access to the casino network, including a database of gamblers.
OCIE has conducted two cybersecurity preparedness examinations to date, the most recent released in August 2017. The results indicate that while financial companies have improved their cybersecurity preparedness, the “vast majority” of entities examined by the SEC exhibited at least one un-remediated deficiency. OCIE noted several best practice elements of effective cybersecurity programs:
- Vetting and approval of cybersecurity programs by senior management.
- Mandatory cybersecurity training for all employees.
- Maintenance of a complete inventory of information, data, and vendors, including vendor due diligence.
- Policies and procedures for penetration tests, scheduled vulnerability testing, system auditing, security monitoring, access rights to data and systems, and reporting.
Implementing these best practices will go a long way toward combatting the cyber risks discussed above.
In addition, it is critical to build a culture that encourages strong cybersecurity awareness, including encouraging employees to report suspected phishing emails. It is recommended that organizations participate in DHS’s Cybersecurity Awareness Month in October of every year; resources to support your communications can be found on the DHS website at https://www.dhs.gov/publication/national-cyber-security-awareness-month-resources.
VMS, LLC www.vmsconsulting.com offers a specialized portfolio of consulting and advisory services that provide end-to-end solutions for financial firms worldwide.