Phishing, spear phishing (targeted phishing in which an email appears to come from a familiar client or business partner) and social engineering continue to be issues for financial services firms trying to protect themselves from cyberattacks, according to David Kelley, surveillance director in the Financial Industry Regulatory Authority’s Kansas City office. Kelley participated in a cybersecurity panel at the Rocky Mountain Securities Conference on Friday, outlining the most common issues firms are dealing with.
In addition to the familiar cyberattacks above, ransomware and account takeover are increasingly common.
Establishing processes to recognize and remedy vulnerabilities on an ongoing basis is critical to firms’ cybersecurity efforts. The panelists at the conference shared ways to address the various risks, internal and external, that firms face.
Even at big firms, account takeover is “a big deal,” Kelley said. “That may be the thing we hear about most from a lot of firms,” he said. A client’s account credentials are stolen and the hacker tries to move the account to another institution.
Firms should take stock of what controls they have in place to prevent unauthorized changes to a client’s account.
“The losses from these kinds of schemes can be enormous,” David Glockner, regional director of the SEC’s Chicago office and moderator of the panel, said, referring to Ubiquiti Networks, which reported a $39 million loss last year from “what was essentially a business email compromise.”
Kelley said that in June, FINRA started seeing an increase in reports of distributed denial of service (DDoS) attacks, especially among small and medium-size firms, where hackers would shut down a firm’s website and extort them for bitcoin.
“Cybercriminals have determined how easy it is to make money,” panelist Kevin Witt, chief technology officer of Kestra Financial, said. “The old notion that cybersecurity was all about protecting your customers’ privacy and nothing else” is no longer accurate. “It’s also about protecting the availability of your systems and information, and the integrity of those systems.”
Stealing information is a difficult crime to monetize, he added. It may be easy to steal information, but it’s harder to find someone to sell it to. “It doesn’t take any sophistication at all to hold someone’s information for ransom. It’s a very scalable business model.”
Hackers don’t even have to understand the information they’re stealing, “but they can encrypt it and hold it hostage for $10,000,” Witt pointed out. Furthermore, bitcoin makes it easy to collect ransoms anonymously, he said.
Joseph Sansone, co-chief of the Securities and Exchange Commission Division of Enforcement’s market abuse unit, identified three types of cyberattacks. First is when hackers steal material nonpublic information to sell or to trade on.
He referred to a case the SEC brought in August against a Ukraine-based hacker ring that stole earnings information from newswires.
“There was a crucial window of opportunity the hackers and traders had to use this information, and they did on numerous instances and made over $100 million in illicit profits,” Sansone said.
Another source of attack is when employees steal information to conduct insider trading, Sansone said.
Cybercriminals may also attempt to manipulate markets by spreading misinformation to profit on the market reaction, he said.
The internet makes that very easy to do, he said, referring to a case in November 2015. James Alan Craig created fake Twitter accounts that resembled those of recognized research firms. He tweeted fake information “about different issuers, which was adjusted by the market and ended up causing rather large downward spikes in the price” of those issuers’ securities.
“The point here is we need to be very careful with analyzing what’s on the internet,” Sansone said. Telltale signs to look for include incorrect names for executives in filings, misspellings and other typos.
The good news is that the SEC has become “incredibly sophisticated in its ability to spot these patterns.” The bad news is it doesn’t matter. “The bad guys are not easily deterred,” Sansone said.
In fact, he warned that cybercriminals will work their way through a series of networks and “circle back to prior victims in subsequent years.”
“You can’t assume that once you’ve shut down the intrusion, it’s going to go away and you’re safe. You really have to stay on top of” cybersecurity efforts, he said.
Witt added that once firms are aware of a breach, “it’s extremely dangerous to come back online at that point.” Unless the firm has significant IT forensic tools, it “won’t know all that the bad actor did while they were inside.”
However, he did say that even without a “giant IT budget,” firms can “[compartmentalize] their enterprise” to limit different systems’ exposure to cyberattacks.
One technique that’s common in other industries, Witt said, is to set up “honeypots,” intentionally weak systems that attract hackers to allow firms to observe them. However, he said those types of defenses were uncommon in the financial services space.
Digital watermarks are another way to test whether a system is secure, Witt said. He described a firm he consulted with that suspected its network had been breached. It embedded a fake address with a P.O. box in its database; when mail appeared in the mailbox, it was clear the database had been breached.
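What Witt describes is more commonly called a canary or honeytoken record. The following is an added example, not code from the panel or from any panelist's firm, showing the digital counterpart of his P.O. box: plant a decoy client that no legitimate process will ever contact, and treat any sighting of it in outbound mail logs as evidence that the table has leaked. The clients table layout, the CANARY_DOMAIN value, the sample rows and the relay log lines are all constructed for this example.

```python
"""Canary (honeytoken) client records: seed a decoy, then watch for it."""
from __future__ import annotations

import secrets
import sqlite3
from dataclasses import dataclass
from typing import Optional

CANARY_DOMAIN = "canary.example"  # assumption: a domain the firm controls and never assigns to real clients


@dataclass(frozen=True)
class Canary:
    name: str
    email: str
    po_box: str


def make_canary(token: Optional[str] = None) -> Canary:
    """Build one decoy client record. The random token is embedded in every
    field, so a sighting of any one field identifies the record unambiguously."""
    token = token or secrets.token_hex(4)
    return Canary(
        name=f"Canary Holder {token[:4].upper()}",
        email=f"client-{token}@{CANARY_DOMAIN}",
        po_box=f"PO Box {10000 + int(token, 16) % 90000}",
    )


def open_client_db() -> sqlite3.Connection:
    """In-memory stand-in for the firm's client table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients(id INTEGER PRIMARY KEY, name TEXT, email TEXT, po_box TEXT)")
    conn.executemany(
        "INSERT INTO clients(name, email, po_box) VALUES (?, ?, ?)",
        [("Ada Lovelace", "ada@client-one.example", "PO Box 1001"),
         ("Alan Turing", "alan@client-two.example", "PO Box 1002")],
    )
    conn.commit()
    return conn


def seed_canaries(conn: sqlite3.Connection, canaries: list[Canary]) -> None:
    """Store decoys in the same table as real clients, so any dump, export or
    query that sweeps up the real rows carries the decoys along with them."""
    conn.executemany(
        "INSERT INTO clients(name, email, po_box) VALUES (?, ?, ?)",
        [(c.name, c.email, c.po_box) for c in canaries],
    )
    conn.commit()


def scan_log(lines: list[str], canaries: list[Canary]) -> list[tuple[int, str, str]]:
    """Return (line_number, matched_field, canary_email) for every log line
    that mentions a decoy. Comparison is case-insensitive because mail
    systems and address books fold case freely."""
    needles = [(f, getattr(c, f).lower(), c.email)
               for c in canaries for f in ("email", "po_box", "name")]
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for field_name, needle, ident in needles:
            if needle in low:
                hits.append((n, field_name, ident))
                break
    return hits


# Constructed outbound-mail relay log: the third line shows the decoy address
# being mailed by a sender the firm does not use, i.e. the table has leaked.
SAMPLE_LOG = [
    "2016-03-04T09:12:01Z smtp-out from=ops@firm.example to=ada@client-one.example status=sent",
    "2016-03-04T09:12:07Z smtp-out from=ops@firm.example to=alan@client-two.example status=sent",
    "2016-03-04T23:41:55Z smtp-out from=promo@bulk-sender.test to=Client-DEADBEEF@canary.example status=sent",
    "2016-03-05T08:00:00Z smtp-out from=ops@firm.example to=ada@client-one.example status=sent",
]


def demo() -> list[tuple[int, str, str]]:
    canary = make_canary("deadbeef")  # fixed token so the run is reproducible
    conn = open_client_db()
    seed_canaries(conn, [canary])
    return scan_log(SAMPLE_LOG, [canary])


if __name__ == "__main__":
    for line_no, field_name, ident in demo():
        print(f"line {line_no}: decoy {ident} seen via {field_name}")
```

The decoy only works if nothing legitimate ever touches it, so exclude the canary rows from marketing mailings and data-quality jobs, and keep the list of canary values somewhere the database itself cannot reveal; otherwise an intruder who finds the list simply skips those rows.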
Although some incidents are the result of employees actively stealing from their firm, sometimes employees open their firm to data theft through simple negligence, Kelley said, from throwing sensitive documents in an unguarded trash can or incautiously giving up their login credentials.
“You have to be vigilant about not just preventing access from the outside, but also careful about access that we give within the firm,” Sansone noted.
Witt said accidental employee conduct is a “huge issue” because cybercriminals know they can deliver malware into an enterprise by building extensions or apps that have a useful purpose “that an employee with good intentions will voluntarily install on their machine.”
Another weakness in firms is when employees use personal devices or unprotected Wi-Fi networks to access information. Witt suggested no employee have more access than they need. FINRA’s Kelley added that firms need to remember to revoke access from employees who leave a firm.
Rules and Best Practices for Cybersecurity
The difficulty for firms is that there isn’t one particular strategy that can protect them, either from cyberattackers or from regulators. Kelley said that one of the most important things they can do is to have processes and procedures established to mitigate the fallout when they are hacked.
“If they have that program in place, things are peachy,” Kelley said. If not, they could face violations that fall under several rules, including:
- SEC Regulation S-P, which requires that firms have written policies and procedures to protect customer records and information
- SEC Regulation S-ID, which requires that firms have written policies and procedures to address identity theft red flags
- the SEC Market Access Rule (Rule 15c3-5), which requires that broker-dealers with direct market access have adequate internal controls to prevent market disruption through erroneous orders
- SEC Regulation SCI, which requires certain market participants to have comprehensive policies and procedures to protect their technology infrastructure
- FINRA Rule 3110, which requires that firms establish and maintain a system to supervise the activities of their associated persons
Furthermore, many states have their own rules to address cybersecurity.
The rules aren’t meant to have a “hammer effect” right now, Kelley said. “Our whole goal is to get these firms to be protecting this information.” Cybersecurity is a new area for financial firms, he added. “Data security’s been around a long time, but now in the cybersecurity mindset, it’s not just that data security group’s role to protect that information. It’s everybody in the whole organization.”
Kelley said branch network security has become a big issue for firms due to the difficulty they have monitoring those systems.
White hat penetration testing is a best practice, but Kelley urged firms to have a follow-up process that addresses issues that testing uncovers, and to retest. “You could run those tests on an almost daily basis and find new [risks],” he said.
Witt said, “If you have one dollar to spend on cybersecurity, it should be on training.”
For example, email is so ubiquitous in our personal and professional lives that it’s easy to forget to protect it. Around 21% of email addresses in North America can’t receive email securely, he said. Regardless of a firm’s investment in securing its internal email, it doesn’t mean clients’ email is secure.
Firms that have an extra dollar for their cybersecurity budget should spend it on backing up any information or system they can’t do business without. For example, a firm that keeps its most valuable files and information backed up doesn’t have to pay to unlock them after a ransomware attack.
A stringent backup process includes ongoing monitoring to make sure the right information is being backed up and that the systems are working. Because ransomware commonly encrypts any backup it can reach from the infected machine, at least one copy should be kept offline or otherwise unreachable with production credentials, and restores should be tested rather than assumed to work.
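As an added example, not code from the panel or from any panelist's firm, here is the kind of check that such monitoring would run: confirm that every file in a manifest taken from the source is present in the backup with matching content, and that the newest snapshot is within the allowed age. The file names, the manifest layout, the one-day recovery point objective and the three-day-old snapshot are all constructed for this example.

```python
"""Backup verification: are the right files there, intact, and recent?"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large ledgers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256. Taken on the
    source at backup time, so the check does not trust the backup's own
    bookkeeping."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


@dataclass
class Report:
    missing: list[str] = field(default_factory=list)  # in manifest, absent from backup
    corrupt: list[str] = field(default_factory=list)  # present but content differs
    stale: bool = False                               # newest snapshot older than allowed

    @property
    def ok(self) -> bool:
        return not (self.missing or self.corrupt or self.stale)


def verify_backup(manifest: dict[str, str], backup_root: Path, snapshot_time: float,
                  max_age_s: float, now: Optional[float] = None) -> Report:
    """Compare the backup tree against the source manifest and flag a snapshot
    older than the firm's recovery point objective (max_age_s)."""
    now = time.time() if now is None else now
    report = Report(stale=(now - snapshot_time) > max_age_s)
    for rel, digest in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            report.missing.append(rel)
        elif sha256_file(target) != digest:
            report.corrupt.append(rel)
    return report


def demo() -> Report:
    """Constructed scenario: three critical files at the source; the backup
    holds one intact copy, one truncated copy and no copy of the third, and
    the snapshot is three days old against a one-day objective."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "src"), Path(tmp, "bak")
        src.mkdir()
        bak.mkdir()
        (src / "positions.csv").write_text("acct,symbol,qty\n1001,XYZ,100\n")
        (src / "kyc.json").write_text('{"1001": "verified"}')
        (src / "ledger.db").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(src)

        shutil.copy(src / "positions.csv", bak / "positions.csv")
        (bak / "kyc.json").write_text('{"1001": "verif')  # truncated copy
        # ledger.db was never copied
        snapshot_time = time.time() - 3 * 24 * 3600
        return verify_backup(manifest, bak, snapshot_time, max_age_s=24 * 3600)


if __name__ == "__main__":
    r = demo()
    print("backup ok" if r.ok else f"missing={r.missing} corrupt={r.corrupt} stale={r.stale}")
```

Run the check from a host whose credentials can read the backup but not write to it, and keep the manifest outside the backup; otherwise an attacker who reaches the backup can rewrite the manifest the check trusts. A passing hash check also says nothing about whether the application starts from the restored files, so a periodic restore into a scratch environment is still needed.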
Kelley said there are more insurance products today than there were 10 years ago that are specifically designed to insure against cybersecurity risks. “It used to be you had to be a really big firm and able to absorb a really big deductible,” he said. Now firms may be able to find cybersecurity insurance deductibles that are only a couple of thousand dollars, he said.
Regulators’ Response to Cyber Incidents
FINRA conducted a cybersecurity sweep in 2014 that resulted in a cybersecurity report in February 2015 with areas that firms should focus on. FINRA started hiring examiners last year specifically for cybersecurity exams, Kelley said.
“As we’re out there doing exams, they can really help these firms address the issues they’ve got,” he said.
The SEC has actively ramped up its cybersecurity efforts in the last couple of years, SEC’s Glockner said. In 2014, it conducted exams on firms of all sizes to understand what’s going on in the space “to spot issues and educate the exam program.”
The SEC’s Office of Compliance Inspections and Examinations (OCIE) released its cybersecurity focus in 2015, and the agency announced its second sweep of exams in September.
Glockner stressed that regulators aren’t “the reason you ought to be thinking of cybersecurity.” However, if firms aren’t willing to take adequate steps to protect their clients’ information, “we’re prepared to impose regulatory consequences. We’re trying very hard to be measured and recognize the complexity of the issue,” but it’s not an issue anyone can afford to ignore.
Glockner referred to R.T. Jones, a St. Louis-based investment advisor that was fined by the SEC in 2015 for failing to have cybersecurity processes in place when it was hacked.
“We don’t want people to get the impression that just because there was an incident, there was a failure,” Sansone said. “It’s possible for an incident to happen even when a firm has a very good system and a very reasonable system.”