We Have Seen The Enemy And It Is US

There was a massive cyberattack over the weekend that has afflicted 200,000 computers in more than 150 countries. The malware locks users out of their computers and threatens to destroy data if a ransom is not paid. It turns out that the the malicious software used in the cyberattack was originally been developed by the National Security Agency. It was then stolen by a hacking group known as the Shadow Brokers and converted into the ransom malware, WannaCrypt.

There was concern that there might be a second wave spread this morning as people return to work. So far that is not the case.

It turns out that WannaCrypt was especially effective in China. Probably because there is a lot more pirated versions of the Microsoft software on Chinese computers. Microsoft released a patch in March.

The scary news is that the US government is stockpiling malware. As pointed out in Countdown to Zero Day there is no US or international norms on the use of computer malware as weapons. We have the US government funding weaponized computer malware that can be released into the wild causing wanton destruction. We like to think that malware is being used to protect the US, but this is an example of the dangers of creating this malware.

Like any weapon, we should be concerned that it can’t fall into the wrong hands. In the case of WannaCrypt, it was stolen and put to evil use.

Thankfully a benevolent hacker found the weakness in WannaCrypt. There was a kill switch. If not, it could have done much more damage.

The malware attack was a good example of the need to keep software up to date.

Sources:

The SEC’s Cybersecurity Smackdown

Last week the Securities and Exchange Commission issued a new risk alert on cybersecurity and this week the SEC announced a new action for a cybersecurity breach. The action is just as bad as I thought it could be. It also shows that the SEC is misplaced in being a cybersecurity enforcer.

6870002408_abf6b5b6a8_z

R.T. Jones Capital Equities is a registered investment adviser with about 8400 clients. The firm discovered a breach in July 2013. According to the SEC order, the firm hired at least two cybersecurity firms to assess the breach. Neither cybersecurity firm could determine if Personally Identifiable Information was accessed or compromised during the breach.

According to the order, R.T. Jones has not learned that the breach resulted in any losses to its clients or that their accounts have been compromised. There is only the potential loss of data.

Even with no financial harm, the SEC decided to bring an action.

The cybersecurity firms did discover that the attack was based in mainland China and launched from multiple IP addresses. At every conference that I hear about cybersecurity, an expert will always point out that you cannot prevent an attack and an eventual breach. If there is concerted effort from a sponsored group, the hackers will find a way in.

The SEC cited its “safeguards rule”: Rule 30(a) of Regulation S-P (17 C.F.R.§248.30(a)) as the basis for the action.  According to a story by Nicholas Donato in Private Funds Management only in two other instances has the SEC cited this rule in enforcement action: PL Financial Corporation in 2008 and stock trading firm Commonwealth Equity in 2009.

The SEC also goes on to cite that the R.T. Jones compromised server had non-client PII on it. I’m not sure that Safeguards Rule applies to non-customer information.

In the end, R.T. Jones was cited for failing to adopt written policies and procedures reasonably designed to safeguard customer information.  For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.

The SEC also fails to establish that adoption of those written policies and procedures would have prevented the breach. But even a non-computer expert like me thinks it was poor effort on the part of R.T. Jones for not having a firewall when there is PII on a public facing webserver. Perhaps the firm’s failing was egregious. The SEC does not state so.

The SEC does state that R.T. Jones had no written policies and procedures for PII. They were not inadequate. They just did not exist. That is one big takeaway from the action. Firms need to at least try to prevent the loss of PII and have the written policies and procedures to try and prevent a breach.

Sources:

Cybersecurity Exams Part II: More Governance

Last year, the Securities and Exchange Commission raised a cloud of concern when it started its cybersecurity initiative aimed at broker/dealers, investment advisers and fund managers. Based on an interview in April it seems that initiative would continue into a phase 2. The SEC recently released its OCIE’s 2015 Cybersecurity Examination Initiative.

6870002408_abf6b5b6a8_z

According to the Risk Alert, the exams will focus on six areas:

  1. Governance and Risk Assessment
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Vendor Management
  5. Training
  6. Incident Response

As with Part I, the Risk Alert has a sample document request letter.

I will once again criticize the SEC’s approach to Cybersecurity.

Not because cybersecurity is not important. It is very important and a risk for all firms.

I criticize because the SEC has push cybersecurity as an anti-fraud requirement. SEC is saying that a failure to adequately address cybersecurity is effectively committing fraud on your investors. The big problem is that breaches cannot be prevented. We have seen that a dedicated hacker can get into any system given enough time. Cyber initiatives can only deter hacks. Once you are hacked, you’re not only facing the problems directly from the hack, but also the looming slap from the SEC that you defrauded your investors.

On top of that, the SEC is mostly accountants and lawyers and the compliance world is mostly accountants and lawyers. Cyber requires IT personnel. I suspect many SEC compliance personnel will stare at some of the items on the request letter and have little idea what the SEC is asking for.

Hand the request to your IT department and see what they can do with it.

Sources:

Anonymous Hacker by Brian Klug
CC BY SA

Cyber Insurance: A Pragmatic Approach to a Growing Necessity

Cybersecurity has become an increasing focus of financial regulators. Insurance companies are stepping up to help deal with the risk of cyber attacks.  Bruce Carton’s CyberSecurity Docket hosted a great webinar on cyber insurance. These are some of the highlights.

CD-large2.51

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach incident response and digital compliance firm. 

David R. Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that among other entities owns Kroll’s data breach response services. 

The industry has accumulated the actuarial data needed to underwrite the damages and likelihood of a cyberattack. But the market is still very new and evolving. There is no standard policy language.

One focus is what will be covered by the insurance. There are three areas of losses:

  1. liability (lawsuits from customers for the breach)
  2. breach response cost (notifying customers of the breach)
  3. government fines/penalties.

You also need to focus on what triggers the coverage: a lost laptop, internet intrusion, data sourced from the company.

The coverage will be based on some detailed reps and warranties. You need to make sure they are right and you understand them.

Here is an incident response workflow:

  1. Preserve. Assmble the team, unhook the infected machines
  2. Digital Forensic Analysis: figure out what happened to the machine
  3. Logging analysis: figure out how the machine was accessed
  4. Malware reverse engineering.
  5. Surveillance
  6. Remediation efforts
  7. Exfiltration analysis. Figure out what was taken.
  8. State regulatory analysis. There are 47 different regulatory schemes.
  9. Federal regulatory analysis. Everyone thinks they have jurisdiction.
  10. PCI Compliance, if credit card data was involved
  11. Law enforcement liaison.
  12. Customer notifications

It’s clear that every company is at risk for a cyber attack. If bad guys want to attack, you can’t stop them. Insurance may be able address some of the risk and damages.

Sources:

 

 

SEC Issues Cybersecurity Guidance

hacker

Last year, the SEC raised a cloud of concern when it started its cybersecurity initiative aimed at broker/dealers, investment advisers and fund managers. Based on an interview last month it seems that initiative would continue into a phase 2. The SEC recently released its Cybersecurity Guidance that enunciates some steps investment advisers and fund managers can take to improve their ability to repel cyber threats.

1. Conduct a periodic assessment.

2. Create a strategy to prevent, detect and respond to cybersecurity threats.

3. Implement the strategy.

Of course, cybersecurity is important and all advisers and fund managers should take it seriously.

I do get hung up on the SEC’s statement that a firm’s initiative should be part of a compliance initiative “reasonable designed to prevent violations of the federal securities law.” I think the SEC is stretching the anti-fraud provisions of Section 206 beyond where they should go.

As the guidance point out, it is not possible to anticipate and prevent every cyber attack. If a bad actor wants to attack your systems, the bad actor can eventually get into your systems. Is that breach a compliance failure or not? The SEC’s guidance is setting complex security protocols as a legal compliance issue.

I’m skeptical that there are many people in the SEC’s IM division who understand cybersecurity protocols. I’m just as skeptical that there are many adviser/fund manager CCOs who understand cybersecurity protocols. But the SEC is insisting that cybersecurity protocols fall under the aegis of the the Section 206 anti-fraud provisions.

Sources:

Hacker by Dani Latore
CC BY SA
https://www.flickr.com/photos/dlato/6437570877/

For those of you getting this by email, you should see a slightly different look. I changed providers. Let me know if you encounter any problems.

 

Cybersecurity Sweep Phase 2

ia watch ia week

According to a story in IA Watch, advisers should expect a second phase of the SEC’s look at cybersecurity. In an interview with IA Watch on March 9, Jane Jarcho, OCIE’s national associate director of the Investment Adviser/Investment Company exam program, described the current thinking behind its “phase 2” initiative around cybersecurity.

According to the story, OCIE plans to put out a sample document request letter or a list of focus areas for phase 2 using a risk alert, just as it did for phase 1. It sounds like phase 2 is still in the planning stages, but it’s likely to begin this summer.

Sources:

What Ever Happened to the SEC’s Cybersecurity Sweep?

univac

The Securities and Exchange Commission put the financial sector in a tizzy when it announced a sweep exam addressing cybersecurity last April. Along with the announcement came a detailed document request list that would make most compliance officers’ heads spin.

The problem with the cybersecurity sweep is that it seems to be coming from the wrong people and is addressed to the wrong people. When I think of the Securities and Exchange Commission I don’t think of hacking and data security. I think of lawyers and accountants. When I think of financial services compliance officers, I also think of lawyers and accountants.

Maybe that is overly specific. But I don’t think of cybersecurity experts in either case.

It’s not that cybersecurity is not important to the industry. It’s very important. Clients must have faith that their investments will not be stolen. Historically, the role of the SEC has been to make sure the financial professional is not stealing from its clients. Cybersecurity imposes a requirement that unknown hackers are not stealing from the financial professional’s clients.

The cybersecurity sweep went to 57 registered broker dealers and 49 registered investment advisers and looked at the legal, regulatory, and compliance issues.

The SEC’s Risk Alert on Cybersecurity details the findings.

I’m going to guess that that each bullet point is now a new standard that a firm will need to meet. The alert does not say so, but I’m going to use it as a blueprint for an additional review of cybersecurity.

Sources:

Cybersecurity and Private Funds

hacker

The Securities and Exchange Commission has off-an-on expressed concerns about cybersecurity for broker-dealers and registered investment advisers. Now it’s officially concerned. The SEC’s Office of Compliance Inspections and Examinations has announced a new cybersecurity initiative. The Risk Alert follows the announcement of a technology element in OCIE’s 2014 examination priorities and the SEC’s March 26, 2014 Cybersecurity Roundtable.

As part of the initiative, OCIE will conduct cybersecurity examinations of registered investment advisers. These examinations will be conducted as a ”sweep exam” to assess cybersecurity risks. The Risk Alert states the sweep will be of more than 50 registered broker-dealer and registered investment advisers.

In anticipation of the sweep exams, the SEC included a sample request list for the Identification of Risks/Cybersecurity Governance.

I would anticipate that the sweep exam will be targeted at the big BDs and retail investment adviser shops and not be focused on private fund managers. However, I plan to sit down and go through the sample letter to make sure I can answer all of the questions.

References:

Hacker is by Dani Latore
CC BY SA

Network Security, Compliance, and Out-Sourcing Your Job To China

made in china

You may have heard the story about the computer programmer who outsourced his work duties and sat in is office watching cat videos all day. “Bob” was an “inoffensive and quiet” programmer in his mid-40’s, with “a relatively long tenure with the company” and “someone you wouldn’t look at twice in an elevator.”

His company noticed some “anomalous activity” in their VPN logs and called in a consultant. Unfortunately for Bob, his company was a U.S. critical infrastructure company. That anomalous activity was traced back to a connection in China. Red flags were raised and security alarms went off in people’s minds. The company thought it was being hacked, spied on, or infected with spyware from an unknown force in China, putting US infrastructure at risk.

Two things caused the investigators to scratch their heads: (1) The company had a two-factor authentication for these VPN connection. That means you needed a rotating token RSA key fob for network access. (2) The developer whose credentials were being used was sitting at his desk in the office.  As a result, the VPN logs showed him logged in from China, yet the employee was sitting at his desk. Even worse, the VPN connection to China was shown to go back many months, before the company was even monitoring the VPN.

Fearing that Bob’s computer was infected with a trojan horse or other malware, the investigators cloned Bob’s desktop and searched its contents. Instead of nasty computer viruses, they found hundreds of .pdf invoices from a third party contractor in China.

It turned out that this was Bob’s typical day:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time.
2:00 – ish p.m Facebook updates – LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home

Bob had physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials. The contractor worked for a fifth of the cost of his salary. Bob pocketed the difference, surfed the internet, and managed his contractor.

Sources:

National Cyber Security Awareness Month

NCSAM

October is National Cyber Security Awareness Month.

Check out the top tips to keep you safe online: