New SEC Cyber Enforcement Initiative

Now that the Securities and Exchange Commission has some first-hand experience with cybersecurity and getting hacked, it has launched a new initiative to address cyber-based threats.

There is a new Cyber Unit originating in the enforcement division. Robert A. Cohen will be Chief of the Cyber Unit, stepping away from being Co-Chief of the Market Abuse Unit. The cyber unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information
  • Violations involving distributed ledger technology and initial coin offerings
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts
  • Cyber-related threats to trading platforms and other critical market infrastructure

According to Francine McKenna, one hacking case may involve the SEC itself. According to Ms. McKenna, the enforcement lawyers had a case based on non-public information stolen from the SEC’s system. It was this case that forced them to tell the SEC Chairman about the breach.

When You Look And Find That You Are The Problem

Cybersecurity is hard. It’s nearly impossible to stop an attack. If someone really wants in, they can continue to attack and attack until they find a gap. It’s hard to know that you have been breached until well after the breach. It may be just as hard to figure out what was accessed and what damage has been done. It’s hard to know what the right response should be.

Of course, I could be talking about the enormous Equifax breach. But this time it’s the Securities and Exchange Commission.

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. … Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”

SEC Chair Clayton noted that the breach did not “result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

If that is the standard for cybersecurity, then that is what the SEC should also use in its enforcement against investment advisers and broker/dealers. Instead we have cases like the one against R.T. Jones where there were no resulting losses to its clients, only the potential loss of data.

As is typical with a company with bad news, it buries the bad news in a pile of other disclosures. The SEC did the same thing. It spent one paragraph revealing the breach in an eight-page statement chiding the industry to be better about cybersecurity and touting its own initiatives.

The SEC’s statement, like Equifax’s revelation, did not explain why there was such a lengthy delay between the discovery of the breach and the announcement.

The likely result of the breach is that the hackers were able to access EDGAR filings before the general public and trade on that information before the general public.

Cybersecurity Wrap Up – Take Two

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a new Risk Alert this week on cybersecurity. The risk alert summarizes observations from their phase 2 cybersecurity examinations conducted in 2015 and 2016. In phase 2, OCIE examined 75 firms, including broker-dealers, investment advisers, and registered funds.

The examinations focused on written policies and procedures regarding cybersecurity and testing the implementation of those procedures. The exams also sought to better understand how firms managed their cybersecurity preparedness by focusing on

  1. governance and risk assessment;
  2. access rights and controls;
  3. data loss prevention;
  4. vendor management;
  5. training; and
  6. incident response.

What are firms doing right?

  • Conducting periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident.
  • Conducting penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • Using some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
  • Ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.
  • Having business continuity plans and response plans.
  • Identifying cybersecurity roles and responsibilities for the firms’ workforce.
  • Verifying customer identification before transferring funds.
  • Conducting vendor risk assessments.

What are firms doing wrong?

  • Policies and procedures were not reasonably tailored to the organization.
  • Not conducting annual reviews.
  • Not reviewing security protocols at least annually.
  • Inconsistent instructions on remote access.
  • Not making sure that all employees received cybersecurity training.
  • Not fixing problems found in penetration tests.

The risk alert finishes with the elements the OCIE sees as indicative of a firm implementing robust cybersecurity controls. I think most CCOs should grab a copy of the risk alert and sit down with their policies and CTOs to see how they stack up against those elements.

We Have Seen The Enemy And It Is US

There was a massive cyberattack over the weekend that has afflicted 200,000 computers in more than 150 countries. The malware locks users out of their computers and threatens to destroy data if a ransom is not paid. It turns out that the malicious software used in the cyberattack was originally developed by the National Security Agency. It was then stolen by a hacking group known as the Shadow Brokers and converted into the ransom malware, WannaCrypt.

There was concern that there might be a second wave spread this morning as people return to work. So far that is not the case.

It turns out that WannaCrypt was especially effective in China. Probably because there are a lot more pirated versions of the Microsoft software on Chinese computers. Microsoft released a patch in March.

The scary news is that the US government is stockpiling malware. As pointed out in Countdown to Zero Day, there are no US or international norms on the use of computer malware as weapons. We have the US government funding weaponized computer malware that can be released into the wild causing wanton destruction. We like to think that malware is being used to protect the US, but this is an example of the dangers of creating this malware.

Like any weapon, we should be concerned that it could fall into the wrong hands. In the case of WannaCrypt, it was stolen and put to evil use.

Thankfully a benevolent hacker found the weakness in WannaCrypt. There was a kill switch. If not, it could have done much more damage.

The malware attack was a good example of the need to keep software up to date.

Cyber Insurance: A Pragmatic Approach to a Growing Necessity

Cybersecurity has become an increasing focus of financial regulators. Insurance companies are stepping up to help deal with the risk of cyber attacks. Bruce Carton’s CyberSecurity Docket hosted a great webinar on cyber insurance. These are some of the highlights.

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach incident response and digital compliance firm. 

David R. Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that among other entities owns Kroll’s data breach response services. 

The industry has accumulated the actuarial data needed to underwrite the damages and likelihood of a cyberattack. But the market is still very new and evolving. There is no standard policy language.

One focus is what will be covered by the insurance. There are three areas of losses:

  1. liability (lawsuits from customers for the breach)
  2. breach response cost (notifying customers of the breach)
  3. government fines/penalties.

You also need to focus on what triggers the coverage: a lost laptop, internet intrusion, data sourced from the company.

The coverage will be based on some detailed reps and warranties. You need to make sure they are right and you understand them.

Here is an incident response workflow:

  1. Preserve. Assemble the team, unhook the infected machines.
  2. Digital Forensic Analysis: figure out what happened to the machine
  3. Logging analysis: figure out how the machine was accessed
  4. Malware reverse engineering.
  5. Surveillance
  6. Remediation efforts
  7. Exfiltration analysis. Figure out what was taken.
  8. State regulatory analysis. There are 47 different regulatory schemes.
  9. Federal regulatory analysis. Everyone thinks they have jurisdiction.
  10. PCI Compliance, if credit card data was involved
  11. Law enforcement liaison.
  12. Customer notifications

It’s clear that every company is at risk for a cyber attack. If bad guys want to attack, you can’t stop them. Insurance may be able to address some of the risk and damages.

Cybersecurity and Private Funds

The Securities and Exchange Commission has off-and-on expressed concerns about cybersecurity for broker-dealers and registered investment advisers. Now it’s officially concerned. The SEC’s Office of Compliance Inspections and Examinations has announced a new cybersecurity initiative. The Risk Alert follows the announcement of a technology element in OCIE’s 2014 examination priorities and the SEC’s March 26, 2014 Cybersecurity Roundtable.

As part of the initiative, OCIE will conduct cybersecurity examinations of registered investment advisers. These examinations will be conducted as a “sweep exam” to assess cybersecurity risks. The Risk Alert states the sweep will cover more than 50 registered broker-dealers and registered investment advisers.

In anticipation of the sweep exams, the SEC included a sample request list for the Identification of Risks/Cybersecurity Governance.

I would anticipate that the sweep exam will be targeted at the big BDs and retail investment adviser shops and not be focused on private fund managers. However, I plan to sit down and go through the sample letter to make sure I can answer all of the questions.

Hacker is by Dani Latore
CC BY SA